Removing Expiring SSL (TLS) cert caused inability to receive mail in Thunderbird Mail

-1

I recently switched my SSL (TLS) certificate from a regular one to Let's Encrypt. I decided to get rid of my old expiring cert files, but after I physically removed them, I started to have strange issues with Thunderbird Mail. Normally after I open the application, I get a login box. After the old cert files were removed, I stopped getting the login and also stopped receiving mail. Sending was fine. Also the SMTP server was working, since in a web mail access everything worked as usual. Only after I put back the files that belonged to the old cert did Thunderbird Mail start to work as usual. I don't understand the connection between my old cert files that I was using for HTTPS and Apache and Thunderbird Mail, its login and receiving mail in it.

It does expire in 3 days, so... Netstat on port 995 shows that I'm using Courier as MDA. Though it could be an issue with Thunderbird alone. I don't know.

Basically MTA (Postfix) uses a self-signed cert that expires in about 9 years from now. I did receive and send mail and saw mail coming in web-mail (Squirrel Mail) even after deleting my other cert that I was using for Apache. I guess we're gonna see it in 3 days. If after 08/10/2016 everything is working OK (just like now), it means that I can just forget about it for now and the problem is solved (at least, for the time being).

papakota

Posted 2016-10-05T01:55:25.760

Reputation: 1

Sounds like you failed to remove a connection to the old certificate. Is there a reason you feel the old certificate should be removed? – Ramhound – 2016-10-05T01:57:16.990

I can leave it alone, it doesn't bother me at all. But it does expire in 3 days, so... Netstat on port 995 shows that I'm using Courier as MDA. Though it could be an issue with Thunderbird alone. I don't know. – papakota – 2016-10-05T02:10:19.133

It expires, that doesn't change your trust level, you should replace it obviously but only because newer certificates are likely created with the newer standards (key size, etc) – Ramhound – 2016-10-05T02:14:20.143

You mean it should work after it expires in 3 days? – papakota – 2016-10-05T02:28:27.633

It will work; you still trust it; unless you revoked the certificate it will always work; or at least until something else happens, i.e. Thunderbird stops allowing SHA1 certificates or something like that – Ramhound – 2016-10-05T02:31:13.037

I think it's SHA256. I won't revoke. But how can an expired cert be trusted? We'll see in 3 days anyway. – papakota – 2016-10-05T02:37:23.453

The certificate can be trusted until the person with the private key revoked it. That's how your certificate works... – Ramhound – 2016-10-05T02:39:22.190

I think it's a bad idea to use an expired cert, because this is probably being used from MTA to MTA (which won't like it) rather than just between MUA and MTA. [ MTA = Mail transfer agent like Postfix, MUA = end user program like Firefox ]. – davidgo – 2016-10-05T06:07:31.337

No, MTA (Postfix) uses a self-signed cert that expires in about 9 years from now. I did receive and send mail and saw mail coming in web-mail (Squirrel Mail) even after deleting my other cert that I was using for Apache. I guess we're gonna see it in 3 days. If after 08/10/2016 everything is working OK (just like now), it means that I can just forget about it for now and the problem is solved (at least, for the time being). – papakota – 2016-10-05T13:42:13.043

Answers

1

Have a look at this link. It looks like you may be missing intermediate certs - or, if that's not the issue, check your computer's date.

davidgo

Posted 2016-10-05T01:55:25.760

Reputation: 49 152

Indeed; browsers are adopting Let's Encrypt certificates by default; Thunderbird might not, likely never, given it being a very low priority for Mozilla – Ramhound – 2016-10-05T02:24:52.123

It's really confusing. I checked with Netstat and on port 995 I see couriertcpd. But when I do this "courier restart" - I get this: The program 'courier' is currently not installed. – papakota – 2016-10-05T02:30:20.747

Sounds like you have multiple separate questions – Ramhound – 2016-10-05T02:31:54.053

I have something called master with PID 1573. And when I go to System Monitor and check that PID, it shows "Master" too, and when I hover my mouse pointer, I see this: /usr/lib/postfix/master. It's not a separate question. I was thinking that maybe I could check the configuration of my MDA too. – papakota – 2016-10-05T02:38:24.207

Sounds like you should formulate a question. – Ramhound – 2016-10-05T02:39:51.803

I agree with @Ramhound - what processes/daemons are running is a separate question. That said, you can use ps -p $(/bin/fuser -n tcp 995) to tell you the processes associated with port 995. Most likely courier is not installed as a package, and is being called at the command line rather than inetd. "master" is associated with Postfix/SMTP, not Courier. – davidgo – 2016-10-05T06:05:54.140

I completely deleted Dovecot and everything works fine. So it's just Courier and Postfix we're talking about. I suspect that my Courier's configs are not correct ones in terms of using a right cert. So it defaults to the one that's used by Apache. But it's just my guess. I'm also not sure if Mail Servers work okay with Let's Encrypt cert. But in any case, I have my self-signed one. And as a last resort, I can forget about Let's Encrypt and purchase an old-fashioned cert from another CA. – papakota – 2016-10-05T13:46:38.190

Please quote the essential parts of the answer from the reference link(s), as the answer can become invalid if the linked page(s) change. – DavidPostill – 2016-10-17T11:41:05.763
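
The question's suspicion that Courier's config still points at the Apache certificate can be checked before deleting any cert file. The script below is an added example, not part of the original thread: it lists every non-commented config line that references a given certificate path. The directive names (SSLCertificateFile, TLS_CERTFILE, smtpd_tls_cert_file) are the real ones for Apache, Courier and Postfix; all paths and the demo config tree are constructed for illustration.

```shell
#!/bin/sh
# List config lines that still reference a certificate file.
# Commented-out lines are ignored, since the daemon never reads them.
# Usage: find_cert_refs CERT_PATH CONFIG_DIR...
find_cert_refs() {
    cert=$1; shift
    # -r recurse, -n line numbers, -F fixed string (paths contain dots)
    grep -rnF -- "$cert" "$@" 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# Only the names of the files that still reference the certificate.
files_referencing() {
    find_cert_refs "$@" | cut -d: -f1 | sort -u
}

# Constructed demo tree (assumption: stands in for /etc/apache2,
# /etc/courier and /etc/postfix on a real host).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/apache2" "$root/courier" "$root/postfix"
    cat > "$root/apache2/site.conf" <<'EOF'
SSLCertificateFile /etc/ssl/demo/new-le.pem
# SSLCertificateFile /etc/ssl/demo/old.pem
EOF
    cat > "$root/courier/pop3d-ssl" <<'EOF'
SSLPORT=995
TLS_CERTFILE=/etc/ssl/demo/old.pem
EOF
    cat > "$root/postfix/main.cf" <<'EOF'
smtpd_tls_cert_file = /etc/ssl/demo/selfsigned.pem
EOF
    echo "$root"
}

# Demo run: Apache was migrated, but the POP3S listener still uses old.pem.
demo=$(make_demo_tree)
find_cert_refs /etc/ssl/demo/old.pem "$demo"
rm -rf "$demo"
```

On a real host, pass the actual certificate path and the config directories of every TLS-speaking daemon; any hit means that service will fail to start its TLS listener once the file is gone.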