
Updated to Thunderbird 38, authentication stopped working (NTLM or Logjam)

We are getting reports that when users update to Thunderbird 38, authentication no longer works. You are asked for username and password, but when you put in valid credentials, it does not work. There is a related Thunderbird bug for non-ExQuilla users that affects using Exchange server with traditional email protocols (IMAP and SMTP).

There is a known issue/feature in the latest Mozilla 38 code (which Thunderbird and ExQuilla use), that an older, less secure NTLM authentication method has been disabled by default. For users that are running ExQuilla (which uses the EWS protocol over SSL), any security issues with this protocol are not really important, since all transfers are made using encrypted SSL sessions. (In fact, many Exchange installations use the even less secure Basic authentication since SSL provides all needed security). But Mozilla in their wisdom decided to disable this anyway.

There is a workaround: set network.auth.force-generic-ntlm-v1 to true. This may be done under Preferences | Advanced | General | Config Editor.

If you try this, I would appreciate it if you would comment here about your success or failure. Also report the Operating System and Exchange Server version that you are using (if known). I currently believe this will mostly affect OSX and Linux users running Exchange Server 2007, but I need more confirmation of that.

In addition to a possible issue related to updates to NTLM, there is a second possible issue associated with changes that Mozilla made to prevent the Logjam security vulnerability. Typically when you get that issue, there is a message that appears in the Error Console about it. If you can tell me the URL that you use to connect to the Exchange server, and it is publicly accessible, I can test if that might be the issue.

There is a workaround that works in the majority of cases. See my comments here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1184488#c7

Quoting from that:

"In many cases there is a workaround available. Firefox addon "Disable DHE" works fine with Thunderbird, though you have to manually download and install it since the addon is only flagged as being usable for Firefox in AMO. Alternatively, all that addon does is set the value of these four preferences to false, and you can do that in the Config Editor:

security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.dhe_dss_aes_128_sha
security.ssl3.dhe_rsa_des_ede3_sha"

Try that workaround, which works for most people (by forcing the Mozilla code to use a different cipher from the one that has the potential Logjam vulnerability).
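
For anyone looking after several profiles, the following added example (not part of the original article and not ExQuilla code) reads the text of a profile's prefs.js and reports which of the workaround preferences named above are set, so the relaxed settings can be tracked. It assumes the standard `user_pref("name", value);` line format; the sample profile text is constructed.

```python
import re

# Preferences named in the workarounds above, with the value each workaround sets.
WORKAROUND_PREFS = {
    "network.auth.force-generic-ntlm-v1": True,
    "security.ssl3.dhe_rsa_aes_128_sha": False,
    "security.ssl3.dhe_rsa_aes_256_sha": False,
    "security.ssl3.dhe_dss_aes_128_sha": False,
    "security.ssl3.dhe_rsa_des_ede3_sha": False,
}

# prefs.js stores each changed preference as: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\s*\);')


def read_bool_prefs(text):
    """Return {name: bool} for every boolean user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = (m.group(2) == "true")
    return prefs


def audit(text):
    """Summarise which of the two workarounds a profile has applied."""
    prefs = read_bool_prefs(text)
    applied = sorted(n for n, v in WORKAROUND_PREFS.items() if prefs.get(n) == v)
    dhe = [n for n in applied if n.startswith("security.ssl3.dhe_")]
    return {
        "ntlm_v1_forced": "network.auth.force-generic-ntlm-v1" in applied,
        "dhe_disabled": dhe,
        # The quoted comment sets all four DHE preferences, not a subset.
        "dhe_workaround_complete": len(dhe) == 4,
    }


# Constructed sample profile: NTLMv1 forced, three of the four DHE suites disabled.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("mail.rights.version", 1);
user_pref("network.auth.force-generic-ntlm-v1", true);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
'''

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS_JS))
```
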
