Hello.
I've upgraded to Fedora 33 beta and I've discovered a problem with Thunderbird. All email accounts work well except the Red Hat one with mail.corp.redhat.com as an IMAP server (I use Zimbra servers not Gmail).
The problem is that Thunderbird does not show any error message but it's not able to communicate with the IMAP server. I'm not able to receive any message from the server. I'm able to send a message but a copy is then not saved to sent folder for the same reason. My first thought was that the problem is caused by a downgrade from 68.11 to 68.10 because Thunderbird currently FTBFS in Fedora 33 but it does not seem to be so. I've also tried to remove the account and add it back but it did not help because I was no longer able to log in to my account without any particular error message. I've also tried to delete the server's certificates.
The problem seems to be caused by strict crypto policies in Fedora 33 and too small DH key provided by the server.
$ update-crypto-policies --show DEFAULT
$ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername mail.corp.redhat.com CONNECTED(00000003) depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@redhat.com verify return:1 depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority verify return:1 depth=1 O = Red Hat, OU = prod, CN = Certificate Authority verify return:1 depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Information Technology, emailAddress = servicedesk@redhat.com, CN = mail.corp.redhat.com verify return:1 139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2149: ---
$ sudo update-crypto-policies --set LEGACY Setting system policy to LEGACY Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.
openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername mail.corp.redhat.com CONNECTED(00000003) depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@redhat.com verify return:1 depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority verify return:1 depth=1 O = Red Hat, OU = prod, CN = Certificate Authority verify return:1 depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Information Technology, emailAddress = servicedesk@redhat.com, CN = mail.corp.redhat.com verify return:1 --- ... <certificates chain> ... --- * OK IMAP4 ready
As you can see above, the DH key provided by the server is too small so the SSL verification fails. Setting the crypto policies to LEGACY solves the issue for me and I am again able to recreate my Red Hat account in Thunderbird.
Hope this helps. I'm going to report this problem to service desk.
Lumír