Hi Carsten,

Thank you for the quick and thorough reply.

On Sat, 13 Sep 2014 09:05:48 Carsten Schoenert wrote:
> I found an article on serverfault.com that gives some background
> information on that and on cipher suites also.
> http://serverfault.com/questions/615855/exim-after-thunderbird-update-could-not-negotiate-a-supported-cipher-suite

Thank you, that seems to be very similar to my problem. :)

> But I don't know how to exactly configure an exim setup, so I can't give
> better hints there. Maybe we should involve the Exim maintainers too. I
> add them to the CC list, hopefully they can give some hints there to
> look also.

Thanks. I merely have "MAIN_TLS_ENABLE = true" in
"/etc/exim4/exim4.conf.localmacros".

> Well, Mozilla has removed the support for weaker cipher suites in
> Thunderbird >= 31 and I think this plus the exim config together ends in
> a not working communication between Icedove and Exim.

In such a case I wish there was a NEWS file with a warning regarding potential
implications...

> CaCert was removed from the CA list inside Debian, but this does not
> belong to your report I think. Also the signature is not done by md5.

I'm aware of (painful and perhaps unnecessary) CaCert removal. I doubt that CA
is relevant to this bug because (up|down)grade of Icedove demonstrates
different behaviour without any CA-related warnings/errors...

> > > Have you checked your settings for security.tls.version.min and
> > > security.tls.version.max? The *.min should be 0 and *.max should be 3,
> > > if not your client will not support all versions for SSL/TLS.
> > > http://kb.mozillazine.org/Security.tls.version.*
> >
> > Where are those settings? Anyway I've never touched them...
>
> That's explained on top of the website. ;)
> http://kb.mozillazine.org/Editing_configuration
>
> These settings are inside Icedove, you get the configs by Tools –>
> Options –> Advanced –> General and press the Config Editor... button

Well, there is nothing there starting with "Tools –> Options" so even you got
the path wrong... :)
I finally found it under

 * Edit
 * Preferences
 * Advanced
 * General
 * Config Editor

where "security.tls.version.min==0" and "security.tls.version.max==3".

> Please play around with the security.tls.version.max option, with a
> setting of "1" you tell Icedove to explicitly use a weak cipher suite.

I doubt this would be a good idea as it may affect other servers...

I tried to set "security.tls.version.max" to 1 and it allowed me to send email
successfully after confirming server certificate.
"security.tls.version.max==2" also worked for me but problem returned with
"security.tls.version.max==3".

It seems that troubles might be due to malfunction in TLS fallback
(upstream)...

> > > I strongly believe this report is not an Icedove/Thunderbird related
> > > problem.
> >
> > I disagree. Otherwise how would you explain why downgrade of icedove fixed
> > the problem?
> > If icedove from Jessie can't talk to SMTP server on Wheezy it is a serious
> > regression on the client side i.e. in the Icedove.
>
> I agree it's a user regression but you will have a misconfiguration on
> the server side I still believe.
> I work on various clients with Icedove/Thunderbird >=31 against T-Online
> (a really big ISP in Germany), Google and my own root server with a
> running exim 4.72 without any changes on my Icedove settings. So I
> disagree until now that this issue is Icedove related. But yes, I could be
> wrong.

So you suggest that the problem is on server side (i.e. SMTP) which could be
the case. However I have TLS enabled in exim4 using "MAIN_TLS_ENABLE = true"
as advised by

 * https://wiki.debian.org/Exim%C2%A0#TLS_and_Authentication
 * http://pkg-exim4.alioth.debian.org/README/README.Debian.html#TLS

which is hardly a misconfiguration. It works with other email clients for a
while (I primarily use kmail).

-- 
Regards,
 Dmitry Smirnov.

---

What can be asserted without proof can be dismissed without proof.
        -- Christopher Hitchens, 2004