Debian Bug report logs - #692886
Fails to send emails with STARTTLS (libnss3 version 2:3.14-1)

version graph

Package: icedove; Maintainer for icedove is Christoph Goehre <chris@sigxcpu.org>; Source for icedove is src:icedove.

Reported by: Giacomo Sommavilla <gs.bckp@gmail.com>

Date: Sat, 10 Nov 2012 11:24:01 UTC

Severity: important

Merged with 692491

Found in versions icedove/10.0.10-1, icedove/10.0.3-3

Done: Carsten Schoenert <c.schoenert@t-online.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#692886; Package icedove. (Sat, 10 Nov 2012 11:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giacomo Sommavilla <gs.bckp@gmail.com>:
New Bug report received and forwarded. Copy sent to Alexander Sack <asac@debian.org>. (Sat, 10 Nov 2012 11:24:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Giacomo Sommavilla <gs.bckp@gmail.com>
To: submit@bugs.debian.org
Subject: Fails to send emails with STARTTLS (libnss3 version 2:3.14-1)
Date: Sat, 10 Nov 2012 12:21:35 +0100
Package: icedove
Version: 10.0.10-1
Severity: normal

Dear Maintainer,

in the past two years I have been sending emails with icedove (using 
STARTTLS) successfully.
Some days ago I updated my operative system and found that I wasn't 
anymore able to send STARTTLS emails from icedove.

It turned out that downgrading libnss3 package from version
2:3.14-1 to 2:3.13.6-1 solved the problem.

I was unsure if filing this issue to libnss maintainers, but, since I am 
not able to reproduce this with thunderbird, I post it here.


Sorry for any possible email duplicate (I may have messed up with 
reportbug).

   Giacomo Sommavilla


Additional informations:

* kernel version:
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux

* libc6 version
2.13-35

* SMTP icedove configuration
port: 587
connection security: STARTTLS
Authentication method: Normal password

* debian package libnss3:
STARTTLS email delivery works with version 2:3.13.6-1
but it doesn't with 2:3.14-1

* An Error message window rises, saying
"Sending of message failed.
The message could not be sent using SMTP server smtp.pd.istc.cnr.it
for an unknown reason. Please verify that your SMTP server settings
are correct and try again, or contact your network administrator."

while another window shows a Progress bar and says
"Status: Connected to (STMPSERVER)"




-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages icedove depends on:
ii  debianutils               4.3.4
ii  fontconfig                2.9.0-7
ii  libasound2                1.0.25-4
ii  libatk1.0-0               2.4.0-2
ii  libc6                     2.13-36
ii  libcairo2                 1.12.2-2
ii  libdbus-1-3               1.6.8-1
ii  libdbus-glib-1-2          0.100-1
ii  libevent-2.0-5            2.0.19-stable-3
ii  libffi5                   3.0.10-3
ii  libfontconfig1            2.9.0-7
ii  libfreetype6              2.4.9-1
ii  libgcc1                   1:4.7.2-4
ii  libgdk-pixbuf2.0-0        2.26.1-1
ii  libglib2.0-0              2.33.12+really2.32.4-3
ii  libgtk2.0-0               2.24.10-2
ii  libhunspell-1.3-0         1.3.2-4
ii  libjpeg8                  8d-1
ii  libnspr4                  2:4.9.3-1
ii  libnspr4-0d               2:4.9.3-1
ii  libnss3                   2:3.14-1
ii  libnss3-1d                2:3.14-1
ii  libpango1.0-0             1.30.0-1
ii  libpixman-1-0             0.26.0-3
ii  libsqlite3-0              3.7.14.1-1
ii  libstartup-notification0  0.12-1
ii  libstdc++6                4.7.2-4
ii  libvpx1                   1.1.0-1
ii  libx11-6                  2:1.5.0-1
ii  libxext6                  2:1.3.1-2
ii  libxrender1               1:0.9.7-1
ii  libxt6                    1:1.1.3-1
ii  psmisc                    22.20-1
ii  zlib1g                    1:1.2.7.dfsg-13

Versions of packages icedove recommends:
ii  hunspell-en-us [hunspell-dictionary]  20070829-6

Versions of packages icedove suggests:
ii  fonts-lyx         2.0.3-3
ii  gconf-service     3.2.5-1+build1
ii  libgconf-2-4      3.2.5-1+build1
ii  libgssapi-krb5-2  1.10.1+dfsg-2
ii  libnotify4        0.7.5-1

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#692886; Package icedove. (Wed, 28 Nov 2012 14:15:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andre Landwehr <andrel@cybernoia.de>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>. (Wed, 28 Nov 2012 14:15:08 GMT) Full text and rfc822 format available.

Message #10 received at 692886@bugs.debian.org (full text, mbox):

From: Andre Landwehr <andrel@cybernoia.de>
To: 692886@bugs.debian.org
Subject: some more info
Date: Wed, 28 Nov 2012 15:02:20 +0100
hi,

I can fully confirm the bug and the proposed workaround (thanks for
that, saved me literally hours!).
I tried with other icedove versions I had the .deb's for as well, same
behaviour with 10.0.6, 10.0.7, 10.0.9 and 10.0.11.

The server side (Debian squeeze with postfix 2.7.1-1+squeeze1) says in
the mail.log:
Nov 28 14:20:40 mail postfix/smtpd[19861]: connect from (hidden)
Nov 28 14:20:40 mail postfix/smtpd[19861]: setting up TLS connection
from (hidden)
Nov 28 14:20:40 mail postfix/smtpd[19861]: SSL_accept error from (hidden): 0
Nov 28 14:20:40 mail postfix/smtpd[19861]: warning: TLS library problem:
19861:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
certificate:s3_pkt.c:1102:SSL alert number 42:
Nov 28 14:20:40 mail postfix/smtpd[19861]: lost connection after
STARTTLS from (hidden)
Nov 28 14:20:40 mail postfix/smtpd[19861]: disconnect from (hidden)

Hope that helps...

Regards,
Andre



Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#692886; Package icedove. (Sat, 01 Dec 2012 15:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carsten Schoenert <c.schoenert@t-online.de>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>. (Sat, 01 Dec 2012 15:06:03 GMT) Full text and rfc822 format available.

Message #15 received at 692886@bugs.debian.org (full text, mbox):

From: Carsten Schoenert <c.schoenert@t-online.de>
To: Mike Hommey <mh@glandium.org>
Cc: 692886@bugs.debian.org
Subject: Re: Bug#692886: Fails to send emails with STARTTLS (libnss3 version 2:3.14-1)
Date: Sat, 1 Dec 2012 16:03:10 +0100
Hello Mike,

Giacomo and Andre reported there are problems with the libnss3 package
3.13.6-1. But I don't know there to look into icedove te get the bug.
And I probably believe it's not a icedove related bug.

Do you have any ideas there to look or what Giacomo and Andre can else
do to track down the problem?

Maybe to start it's practical to install *-dbg packages and run icedove
in the debugger?

Regards
Carsten

On Sat, Nov 10, 2012 at 12:21:35PM +0100, Giacomo Sommavilla wrote:
> Package: icedove
> Version: 10.0.10-1
> Severity: normal
> 
> Dear Maintainer,
> 
> in the past two years I have been sending emails with icedove (using
> STARTTLS) successfully.
> Some days ago I updated my operative system and found that I wasn't
> anymore able to send STARTTLS emails from icedove.
> 
> It turned out that downgrading libnss3 package from version
> 2:3.14-1 to 2:3.13.6-1 solved the problem.
> 
> I was unsure if filing this issue to libnss maintainers, but, since
> I am not able to reproduce this with thunderbird, I post it here.
> 
> 
> Sorry for any possible email duplicate (I may have messed up with
> reportbug).
> 
>    Giacomo Sommavilla
> 
> 
> Additional informations:
> 
> * kernel version:
> Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
> 
> * libc6 version
> 2.13-35
> 
> * SMTP icedove configuration
> port: 587
> connection security: STARTTLS
> Authentication method: Normal password
> 
> * debian package libnss3:
> STARTTLS email delivery works with version 2:3.13.6-1
> but it doesn't with 2:3.14-1
> 
> * An Error message window rises, saying
> "Sending of message failed.
> The message could not be sent using SMTP server smtp.pd.istc.cnr.it
> for an unknown reason. Please verify that your SMTP server settings
> are correct and try again, or contact your network administrator."
> 
> while another window shows a Progress bar and says
> "Status: Connected to (STMPSERVER)"
> 
> 
> 
> 
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages icedove depends on:
> ii  debianutils               4.3.4
> ii  fontconfig                2.9.0-7
> ii  libasound2                1.0.25-4
> ii  libatk1.0-0               2.4.0-2
> ii  libc6                     2.13-36
> ii  libcairo2                 1.12.2-2
> ii  libdbus-1-3               1.6.8-1
> ii  libdbus-glib-1-2          0.100-1
> ii  libevent-2.0-5            2.0.19-stable-3
> ii  libffi5                   3.0.10-3
> ii  libfontconfig1            2.9.0-7
> ii  libfreetype6              2.4.9-1
> ii  libgcc1                   1:4.7.2-4
> ii  libgdk-pixbuf2.0-0        2.26.1-1
> ii  libglib2.0-0              2.33.12+really2.32.4-3
> ii  libgtk2.0-0               2.24.10-2
> ii  libhunspell-1.3-0         1.3.2-4
> ii  libjpeg8                  8d-1
> ii  libnspr4                  2:4.9.3-1
> ii  libnspr4-0d               2:4.9.3-1
> ii  libnss3                   2:3.14-1
> ii  libnss3-1d                2:3.14-1
> ii  libpango1.0-0             1.30.0-1
> ii  libpixman-1-0             0.26.0-3
> ii  libsqlite3-0              3.7.14.1-1
> ii  libstartup-notification0  0.12-1
> ii  libstdc++6                4.7.2-4
> ii  libvpx1                   1.1.0-1
> ii  libx11-6                  2:1.5.0-1
> ii  libxext6                  2:1.3.1-2
> ii  libxrender1               1:0.9.7-1
> ii  libxt6                    1:1.1.3-1
> ii  psmisc                    22.20-1
> ii  zlib1g                    1:1.2.7.dfsg-13
> 
> Versions of packages icedove recommends:
> ii  hunspell-en-us [hunspell-dictionary]  20070829-6
> 
> Versions of packages icedove suggests:
> ii  fonts-lyx         2.0.3-3
> ii  gconf-service     3.2.5-1+build1
> ii  libgconf-2-4      3.2.5-1+build1
> ii  libgssapi-krb5-2  1.10.1+dfsg-2
> ii  libnotify4        0.7.5-1
> 
> -- no debconf information



Severity set to 'important' from 'normal' Request was from Carsten Schoenert <c.schoenert@t-online.de> to control@bugs.debian.org. (Sun, 02 Dec 2012 10:06:14 GMT) Full text and rfc822 format available.

Merged 692491 692886 Request was from Carsten Schoenert <c.schoenert@t-online.de> to control@bugs.debian.org. (Sun, 02 Dec 2012 10:06:15 GMT) Full text and rfc822 format available.

Marked as found in versions icedove/10.0.3-3. Request was from Carsten Schönert <c.schoenert@t-online.de> to control@bugs.debian.org. (Wed, 05 Dec 2012 18:45:06 GMT) Full text and rfc822 format available.

Merged 671303 692491 692886 Request was from Carsten Schönert <c.schoenert@t-online.de> to control@bugs.debian.org. (Wed, 05 Dec 2012 18:45:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#692886; Package icedove. (Fri, 07 Dec 2012 19:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>. (Fri, 07 Dec 2012 19:48:04 GMT) Full text and rfc822 format available.

Message #28 received at 692886@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Carsten Schoenert <c.schoenert@t-online.de>
Cc: 692886@bugs.debian.org
Subject: Re: Bug#692886: Fails to send emails with STARTTLS (libnss3 version 2:3.14-1)
Date: Fri, 7 Dec 2012 20:45:08 +0100
On Sat, Dec 01, 2012 at 04:03:10PM +0100, Carsten Schoenert wrote:
> Hello Mike,
> 
> Giacomo and Andre reported there are problems with the libnss3 package
> 3.13.6-1. But I don't know there to look into icedove te get the bug.
> And I probably believe it's not a icedove related bug.
> 
> Do you have any ideas there to look or what Giacomo and Andre can else
> do to track down the problem?
> 
> Maybe to start it's practical to install *-dbg packages and run icedove
> in the debugger?

According to an NSS upstream author, one of the changes in 3.14 is that
md5 signature of certificates are now rejected. Can you all check
whether the certificate on your servers use such signatures?

See https://wiki.mozilla.org/CA:MD5and1024

You can check your server certificate with openssl:

openssl s_client -connect hostname:587 -starttls < /dev/null | sed -n '/BEGIN/,/END/p' | openssl x509 -text

(look for "Signature Algorithm")

Mike



Disconnected #692886 from all other report(s). Request was from Stéphane Glondu <glondu@debian.org> to control@bugs.debian.org. (Fri, 14 Dec 2012 14:09:05 GMT) Full text and rfc822 format available.

Merged 692491 692886 Request was from Stéphane Glondu <glondu@debian.org> to control@bugs.debian.org. (Fri, 14 Dec 2012 15:24:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#692886; Package icedove. (Thu, 20 Dec 2012 09:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giacomo Sommavilla <gs.bckp@gmail.com>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>. (Thu, 20 Dec 2012 09:21:06 GMT) Full text and rfc822 format available.

Message #37 received at 692886@bugs.debian.org (full text, mbox):

From: Giacomo Sommavilla <gs.bckp@gmail.com>
To: 692886@bugs.debian.org
Subject: Fails to send emails with STARTTLS (libnss3 version 2:3.14-1)
Date: Thu, 20 Dec 2012 10:16:28 +0100
Hi all,

I cannot see anymore the problem with
libnss3 version 2:3.14-2.

That means that I am now able to send STARTTLS email with my smtp connection.


However I checked server certificate algorithm with:

openssl s_client -connect MY.smtp.HOSTNAME:587 -starttls smtp <
/dev/null | sed -n '/BEGIN/,/END/p' | openssl x509 -text

(I had to add "smtp" to -starttls option)

that gave me:
(...)
    Signature Algorithm: md5WithRSAEncryption
(...)

Bests,
   Giacomo.



Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#692886; Package icedove. (Thu, 20 Dec 2012 11:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carsten Schoenert <c.schoenert@t-online.de>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>. (Thu, 20 Dec 2012 11:12:03 GMT) Full text and rfc822 format available.

Message #42 received at 692886@bugs.debian.org (full text, mbox):

From: Carsten Schoenert <c.schoenert@t-online.de>
To: Giacomo Sommavilla <gs.bckp@gmail.com>, 692886@bugs.debian.org
Subject: Re: Bug#692886: Fails to send emails with STARTTLS (libnss3 version 2:3.14-1)
Date: Thu, 20 Dec 2012 12:10:51 +0100
Hello Giacomo,

thanks for your reply.
I will wait some more days for feedback from Guy on bug
#692491

But I think after the clarification from Mike this two bugs can be closed.

Am 20.12.2012 10:16, schrieb Giacomo Sommavilla:
> Hi all,
> 
> I cannot see anymore the problem with libnss3 version 2:3.14-2.
> 
> That means that I am now able to send STARTTLS email with my smtp
> connection.
> 
> 
> However I checked server certificate algorithm with:
> 
> openssl s_client -connect MY.smtp.HOSTNAME:587 -starttls smtp < 
> /dev/null | sed -n '/BEGIN/,/END/p' | openssl x509 -text
> 
> (I had to add "smtp" to -starttls option)
> 
> that gave me: (...) Signature Algorithm: md5WithRSAEncryption (...)
> 
> Bests, Giacomo.
> 

Regards
Carsten




Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#692886; Package icedove. (Fri, 21 Dec 2012 12:06:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giacomo Sommavilla <gs.bckp@gmail.com>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>. (Fri, 21 Dec 2012 12:06:08 GMT) Full text and rfc822 format available.

Message #47 received at 692886@bugs.debian.org (full text, mbox):

From: Giacomo Sommavilla <gs.bckp@gmail.com>
To: 692886@bugs.debian.org
Subject: Fails to send emails with STARTTLS (libnss3 version 2:3.14-1)
Date: Fri, 21 Dec 2012 13:03:13 +0100
Am 20.12.2012 10:16, schrieb Giacomo Sommavilla:
> Hi all,
>
> I cannot see anymore the problem with libnss3 version 2:3.14-2.
>
> That means that I am now able to send STARTTLS email with my smtp
> connection.

Sadly, I have to admit that the above is not true.

Today I tried again sending STARTTLS emails and it is *not*
working after upgrading libnss3 to version 2:3.14-2.

Although this morning I had some debian package updates (which
may have changed the icedove dependencies), I think that, most
likely, the reason why yesterday's tests were successful was that
I used libnss3 version 2:3.13.6-1. :-(

Still, openssl returns "Signature Algorithm: md5WithRSAEncryption":

$ openssl s_client -connect MY.smtp.HOSTNAME:587 -starttls smtp <
/dev/null | sed -n '/BEGIN/,/END/p' | openssl x509 -text | grep
Algorithm
    Signature Algorithm: md5WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: md5WithRSAEncryption

Bests,
   Giacomo.



Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#692886; Package icedove. (Fri, 21 Dec 2012 15:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giacomo Sommavilla <gs.bckp@gmail.com>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>. (Fri, 21 Dec 2012 15:06:03 GMT) Full text and rfc822 format available.

Message #52 received at 692886@bugs.debian.org (full text, mbox):

From: Giacomo Sommavilla <gs.bckp@gmail.com>
To: 692886@bugs.debian.org
Subject: Fails to send emails with STARTTLS (libnss3 version 2:3.14-1)
Date: Fri, 21 Dec 2012 16:03:10 +0100
I tried gmail smtp with the same configuration (port: 587
STARTTLS connection, Normal password) and the emails always go
through, even with version 2:3.14-2 of libnss3.

> Carsten Schoenert wrote:
> But I think after the clarification from Mike this two bugs can be
> closed.

It really seems to be related to md5 vs. sha1 signature of
certificates, as Mike is suggesting, since

$ openssl s_client -connect smtp.pd.istc.cnr.it:587 -starttls smtp <
/dev/null | sed -n '/BEGIN/,/END/p' | openssl x509 -text >
pd_istc_cnr_it_SMTP_openssl.txt | grep Algorithm

gives "Signature Algorithm: sha1WithRSAEncryption"

Thanks everybody and best regards,
   Giacomo.



Reply sent to Carsten Schoenert <c.schoenert@t-online.de>:
You have taken responsibility. (Wed, 02 Jan 2013 08:48:03 GMT) Full text and rfc822 format available.

Notification sent to Giacomo Sommavilla <gs.bckp@gmail.com>:
Bug acknowledged by developer. (Wed, 02 Jan 2013 08:48:03 GMT) Full text and rfc822 format available.

Message #57 received at 692886-done@bugs.debian.org (full text, mbox):

From: Carsten Schoenert <c.schoenert@t-online.de>
To: Giacomo Sommavilla <gs.bckp@gmail.com>, 692886-done@bugs.debian.org
Subject: Re: Bug#692886: Fails to send emails with STARTTLS (libnss3 version 2:3.14-1)
Date: Wed, 02 Jan 2013 09:44:52 +0100
Hello Giacomo,

happy new year first! ;)

Am 20.12.2012 12:10, schrieb Carsten Schoenert:
> Hello Giacomo,
> 
> thanks for your reply.
> I will wait some more days for feedback from Guy on bug
> #692491
> 
> But I think after the clarification from Mike this two bugs can be closed.

Now with no more (bad) feedback to this bug I will close this.

I wrote a little bit info to the wiki [1]. So if there are new problems
around this hopefully people find a solution for this.
Please add something if is still missing there! Thanks.

[1]
http://wiki.debian.org/Icedove#Icedoce_seems_impossible_to_send_mails_via_STARTLS_after_installation_of_libnss_3.14-1
-- 
Regards
Carsten




Reply sent to Carsten Schoenert <c.schoenert@t-online.de>:
You have taken responsibility. (Wed, 02 Jan 2013 08:48:04 GMT) Full text and rfc822 format available.

Notification sent to Guy Roussin <guy.roussin@teledetection.fr>:
Bug acknowledged by developer. (Wed, 02 Jan 2013 08:48:04 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 Jan 2013 07:28:20 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 00:52:58 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.