Bug #10933

Icedove can't send mails through Riseup's and Boum's SMTP

Added by goupille 2016-01-13 18:24:33 . Updated 2016-08-02 09:29:46 .

Status: Resolved
Priority: Elevated
Assignee:
Category:
Target version:
Start date: 2016-01-13
Due date:
% Done: 100%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool: Email Client
Deliverable for: 268

Description

sending mails from icedove, with Tails 2.0 beta, using riseup.net or boum.org smtp doesn’t work every time. the client side error says almost nothing (just that the sending failed). claws mail seems not to be affected. it may be an SSL error.

steps to reproduce:

configure icedove to connect to the SMTP server with STARTTLS or SSL/TLS, port 587 or 465

icedove connects to the server, then, most of the time, an error message pops up saying that the sending failed for an unknown reason.


History

#1 Updated by sajolida 2016-01-14 11:05:53

I tried once through riseup and it worked. I have:

  • StartTLS to imap.riseup.net:143.
  • StartTLS to smtp.riseup.net:465.

Did you try changing circuit when this happens?

#2 Updated by intrigeri 2016-01-14 13:25:53

  • Status changed from Confirmed to New
  • Assignee set to goupille
  • QA Check set to Info Needed
  • Affected tool set to Email Client

#3 Updated by goupille 2016-01-15 21:33:00

I just tried using startTLS, port 465 and boum.org, and the sending failed again. changing circuit sometimes makes it possible to send emails, but sometimes it is not sufficient. I don’t understand why it would work or not, I don’t think that it is “just” a blacklisted exit node.

there are at least three users affected by that issue so I think it is confirmed.

#4 Updated by Anonymous 2016-01-16 10:52:02

I don’t have an account on either of those servers, maybe someone else can test this?

Can you please check Menu -> Tools -> Error Console and report back what you have there?

#5 Updated by goupille 2016-01-16 11:08:19

this is the error showing up in the console when sending a mail fails (Tails 2.0~rc1):


Horodatage : 16/01/2016 11:02:34
Erreur : NS_ERROR_UNEXPECTED: Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIMsgMailNewsUrl.server]
Fichier Source : resource:///modules/activity/alertHook.js
Ligne : 48

#6 Updated by intrigeri 2016-01-16 11:46:39

  • Assignee deleted (goupille)
  • QA Check deleted (Info Needed)

(Requested info was provided.)

#7 Updated by sajolida 2016-01-16 15:56:31

u: we have the test accounts tails@riseup.net and tails-dev@riseup.net. The passwords are in the internal keyringer so you have access to this.

#8 Updated by Anonymous 2016-01-20 12:09:17

  • Status changed from New to In Progress
  • % Done changed from 0 to 10

Thanks.

Currently testing in Debian with the same tools. Until now no problem at all.

I’ll recheck in Tails.

#9 Updated by Anonymous 2016-01-20 12:19:19

There seem to be bug reports related to this and every time it turns out that either the firewall would block the corresponding ports (that would probably not be the case in Tails, as we only send over Tor), or the provider would block ports or not resolve DNS correctly (that could be the case for some exit nodes).

https://bugzilla.mozilla.org/show_bug.cgi?id=556727
https://bugzilla.mozilla.org/show_bug.cgi?id=713478
https://forum.ubuntuusers.de/topic/smtp-thunderbird-problem/

#10 Updated by Anonymous 2016-01-27 11:30:06

  • Assignee set to goupille

I’m sorry but I still cannot reproduce this even in Tails 2.0.
Does the problem still persist?

#11 Updated by goupille 2016-01-27 18:37:45

  • Status changed from In Progress to Rejected

I can’t reproduce the issue with Tails 2.0, I’ll see if I get news from the other user affected, but, I think we can close this ticket… sorry for the wasted time

#12 Updated by goupille 2016-05-30 15:32:43

since I upgraded to 2.4~rc1, the problem is back again (with boum.org) and a user reported the issue with riseup.net (and tails 2.4~rc1)

#13 Updated by goupille 2016-05-30 15:42:06

  • Status changed from Rejected to Confirmed
  • Assignee deleted (goupille)

#14 Updated by Anonymous 2016-05-30 20:07:57

  • Assignee set to goupille
  • QA Check set to Info Needed

hey,

can you check the error console please and report back?

cheers!
u.

#15 Updated by goupille 2016-05-31 16:28:36

  • Assignee deleted (goupille)

there is a bunch of

Horodatage : 31/05/2016 16:22:49
Erreur : TypeError: Enigmail.msg.addressOnChange(...) is undefined
Fichier Source : chrome://messenger/content/messengercompose/messengercompose.xul
Ligne : 1

when I compose a new mail, but nothing more when I try to send it…

#16 Updated by goupille 2016-06-01 15:00:16

I could not find anything in tails-debugging-info either…
also, it seems that this issue is reported only on test releases

#17 Updated by anonym 2016-06-06 08:09:37

  • Target version set to Tails_2.5

I can confirm that this is a problem with icedove 38.8.0-1~deb8u1+tails3 (which has the “secure autoconfig” patches applied) that we intend to ship in Tails 2.4 — the autoconfig will result in SSL for the SMTP configuration, which produces this error. Switching to StartTLS fixes it.

My patches shouldn’t do anything after the configuration is done, so this could be an upstream problem. I tried to reproduce in Tails 2.3 which has icedove 38.7.0, but I couldn’t, so it might be a regression in icedove 38.8.0. Anyway, we should do some testing of 38.8.0 without my patches, and with and without TorBirdy, etc, to pinpoint this.

Anyway, in Tails 2.4 there is a workaround: if you get the error, just click “Ok” and try to send again and then it works. I’m adding that to the known issues section.

#18 Updated by goupille 2016-06-06 13:49:24

we never found out why this happened in Tails 2.0~rc1… in my case, the issue was resolved after upgrading to 2.0. were those patches involved at that time? could it be related to the “rc status” of those releases (it’s the only two I had tested)?

your workaround does not work for me, I did not find anything else than storing my mails in a “send later” queue and trying to send them from time to time… sometimes it works for a few minutes every other hour, sometimes I spend days waiting for it…

#19 Updated by anonym 2016-06-07 04:33:49

  • Assignee set to goupille

Can you please retry with the Tails 2.4? I entered a Riseup user in the autoconfig wizard, accepted the default IMAP config, and then immediately tried to send an email, which succeeded without issue.

#20 Updated by anonym 2016-06-07 06:37:32

I do consistently see the error when trying to use Riseup’s SMTP onion service, zsolxunfmbfuq7wf.onion, both with SSL and STARTTLS. In the error console I see:

Timestamp: 06/07/2016 01:24:28 PM
Error: zsolxunfmbfuq7wf.onion:587 uses an invalid security certificate.

The certificate is only valid for the following names:
  *.riseup.net, riseup.net  


Again, clearnet works completely without error for me, again, despite trying 5 emails (restarting icedove in between + forcing a new tor circuit).
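
The name mismatch reported in comment #20, as an added example that is not part of the ticket or of Icedove's code: a Python check of a requested host against a certificate's DNS names, using the left-most-label wildcard rule of RFC 6125. The function names and the `a.smtp.riseup.net` host are assumptions made for illustration; the certificate names and the other hosts are the ones quoted in this ticket.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a single trailing root dot.
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def dns_id_matches(pattern, host):
    """Return True if a certificate DNS name (pattern) covers host."""
    p, h = _labels(pattern), _labels(host)
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        rest_p, rest_h = p[1:], h[1:]
        # Conservative policy (an assumption of this example): refuse
        # wildcards directly under a top-level name such as "*.net".
        if len(rest_p) < 2:
            return False
    else:
        rest_p, rest_h = p, h
    # Partial ("f*o") or non-left-most wildcards are rejected outright.
    if any("*" in label for label in rest_p):
        return False
    return rest_p == rest_h


def verify_host(host, cert_dns_names):
    """Return (ok, matching_names) for host against the certificate names."""
    matched = [n for n in cert_dns_names if dns_id_matches(n, host)]
    return bool(matched), matched


# Names listed in the error console output quoted in this ticket.
CERT_NAMES = ["*.riseup.net", "riseup.net"]

HOSTS = [
    "zsolxunfmbfuq7wf.onion",  # onion service name: not covered by the cert
    "smtp.riseup.net",         # covered by *.riseup.net
    "mail.riseup.net",         # covered by *.riseup.net
    "riseup.net",              # covered by the exact name
    "a.smtp.riseup.net",       # constructed: wildcard spans one label only
]


def report():
    return {host: verify_host(host, CERT_NAMES)[0] for host in HOSTS}


if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host:28} {'valid' if ok else 'name mismatch'}")
```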

#21 Updated by goupille 2016-06-08 13:34:18

I upgraded to 2.4 and tried to send a mail with boum.org smtp, using STARTTLS (port 587)

the first sending failed, the second and the third worked.

I restarted icedove, tried again, and got four failed sending in a row…

#22 Updated by anonym 2016-06-08 16:31:25

goupille wrote:
> I upgraded to 2.4 and tried to send a mail with boum.org smtp, using STARTTLS (port 587)
>
> the first sending failed, the second and the third worked.
>
> I restarted icedove, tried again, and got four failed sending in a row…

The random nature of the error suggests it’s related to the connection (i.e. circuit quality, bad exits) but let’s not rule anything out. Can you please try to reproduce this error with Debian’s current icedove package in Jessie:

sudo apt update
sudo apt install icedove/jessie


Make sure you still use STARTTLS or SSL. Do you still get the error then?

#23 Updated by goupille 2016-06-09 05:09:19

on a Tails 2.4 (in a VM), with a riseup account, STARTTLS or SSL and the Icedove shipped with Tails I reproduced the error. I rebooted the VM, installed icedove/jessie, configured it with STARTTLS and could send 5 mails in 15 minutes without any errors. it works also with SSL with no errors.

#24 Updated by anonym 2016-06-14 11:32:10

  • Status changed from Confirmed to In Progress

Can you try to reproduce with an image from here: http://nightly.tails.boum.org/build_Tails_ISO_stable/lastSuccessful/archive/build-artifacts/

Actually, right now the image there will not work because the one I have hopes for is still building. Just make sure the time stamp is after “14-Jun-2016 08:06”. And then make sure that the Icedove installed is 45.1.0.

So my theory is that you are experiencing Icedove being terrible at handling SSL certificates, or some edge case around there. Exactly why it affects you so much I do not know. Anyway, my experience is that icedove 45.1.0 handles these situations better (at least when using e.g. RiseUp’s .onion, which isn’t mentioned in the cert) and hopefully it will solve your problems.

Also, are you using the icedove persistence option? If so, did you ever try setting up your account from scratch again? I’d recommend that if you still have issues.

#25 Updated by Kurtis 2016-06-14 16:41:36

This ticket was just mentioned here: https://labs.riseup.net/code/issues/11530

Seems like if Icedove is updated properly, it might fix this problem.

#26 Updated by segfault 2016-06-15 09:36:47

I just upgraded to 2.4 and now I am experiencing this issue too. I also see this same error message in the error console, but only with STARTTLS:

> Timestamp: 06/07/2016 01:24:28 PM
> Error: zsolxunfmbfuq7wf.onion:587 uses an invalid security certificate.
>
> The certificate is only valid for the following names:
> *.riseup.net, riseup.net

With SSL/TLS, the sending still fails but without error message in the console.

My workaround is using smtp.riseup.net until we find a fix for this.

#27 Updated by segfault 2016-06-15 12:27:23

I just got this “The message could not be sent using Outgoing server (SMTP) mail.riseup.net for an unknown reason.” message with the smtp.riseup.net and mail.riseup.net servers. I tried both SSL/TLS and STARTSSL. It didn’t log to the error console. Repeatedly trying to send it always failed. According to onioncircuits, the connection to mail.riseup.net:587 was built up successfully and then closed. Only when I restarted Tor to enforce a new circuit, it worked.

#28 Updated by micah 2016-06-22 14:03:50

I’m going to guess that the problem has to do with more strict libraries when it comes to tls related connections causing what used to not be a problem to start being a problem.

Maybe what we need to do at riseup is to set up non-encrypted ports that are only available for onion addresses, in the same way that we set up unencrypted http for onion traffic. That way the cert warning will go away, and probably will make this problem go away?

#29 Updated by goupille 2016-06-23 12:47:14

  • Assignee changed from goupille to anonym

I finally tested the last iso anonym proposed with riseup’s smtp and it seems to work (at least since 2 hours)

#30 Updated by goupille 2016-06-24 04:52:26

actually, I tested it again today with a boum.org account and it doesn’t work (no error with riseup, so far)…

#31 Updated by anonym 2016-06-24 05:20:47

goupille wrote:
> actually, I tested it again today with a boum.org account and it doesn’t work (no error with riseup, so far)…

Would you still say that the ISO I pointed to works better than in Tails 2.4 and older?

Can you please post the exact configuration you use?

Do you remember if you ever had to accept a (supposedly) invalid SSL certificate?

Next time you have issues, can you please try:

  1. shutdown icedove
  2. force Tor to use new circuits (this is easiest done with Tor Button’s “New Identity” feature in Tor Browser)
  3. start icedove and try again
  4. on failure repeat above steps a couple more times and see if things improve

Really, if not too inconvenient, can you wipe your persistent ~/.icedove and set it up again from scratch?

#32 Updated by goupille 2016-06-24 09:32:25

anonym wrote:

> Would you still say that the ISO I pointed to works better than in Tails 2.4 and older?

yes, it seems to work better: I have been testing again with boum and riseup for almost one hour and couldn’t reproduce the error…

> Can you please post the exact configuration you use?

like during all the tests I made, I started the iso in a VM, without persistence. I accepted the default configuration Icedove proposed me, so IMAP and SSL for riseup and IMAP and STARTTLS for boum.

> Do you remember if you ever had to accept a (supposedly) invalid SSL certificate?

I was never asked to accept or not a certificate

> Next time you have issues, can you please try:
> # shutdown icedove
> # force Tor to use new circuits (this is easiest done with Tor Button’s “New Identity” feature in Tor Browser)
> # start icedove and try again
> # on failure repeat above steps a couple more times and see if things improve

I do that from time to time, sometimes it works sometimes not, so I never saw it as a workaround…

> Really, if not too inconvenient, can you wipe your persistent ~/.icedove and set it up again from scratch?

I would prefer to avoid that

#33 Updated by Kurtis 2016-07-02 22:19:44

Can anyone confirm that http://yfm6sdhnfbulplsw.onion/code/issues/11530 fixes this issue? Someone on that ticket claimed that it might improve this smtp situation we’re having.

#34 Updated by Kurtis 2016-07-04 23:50:10

It seems like this riseup smtp issue is getting worse as time goes on. I email a lot and my frequency of an unknown error coming up when I try to use mail.riseup.net as my SMTP server in IceDove is going way up and I regularly toggle between STARTTLS and TLS. I pretty much can’t use my main email provider with my main email client anymore, and I have to use the web client instead. Is there anyone that can confirm that http://yfm6sdhnfbulplsw.onion/code/issues/11530 will fix this issue in the next release? Is there an iso I can download with this fixed before the August Tails release comes around?

#35 Updated by goupille 2016-07-05 03:06:23

Kurtis wrote:
> Can anyone confirm that http://yfm6sdhnfbulplsw.onion/code/issues/11530 fixes this issue?

you could try the testing iso provided by anonym (comment 24) and see if it corrects the issue for you, then report back here…

cheers.

#36 Updated by bertagaz 2016-07-05 05:38:37

goupille wrote:
> Kurtis wrote:
> > Can anyone confirm that http://yfm6sdhnfbulplsw.onion/code/issues/11530 fixes this issue?
>
> you could try the testing iso provided by anonym (comment 24) and see if it corrects the issue for you, then report back here…

I tested with an ISO built on stable with Icedove 1:45.1.0-1~deb8u1+tails1 (so the same as the proposed ISO in comment 24 mostly) and confirm it works better now. Sending emails from riseup doesn’t seem to be an issue anymore with this ISO. \o/

#37 Updated by intrigeri 2016-07-13 11:55:36

  • Priority changed from Normal to Elevated

Bumping priority as this affects people (including our frontdesk) enough to make them complain repeatedly and loudly enough to be a little stressful for me. They’re nice people, so it must be that the problem is indeed really annoying to them :)

anonym, u: can you please clarify what info / test results you need at this point? Are goupille’s and bertagaz’ replies enough, or do you need more answers to the same questions? Or to new/updated questions?

Also, if there’s a not-too-bad workaround available, that could be documented here, it seems that this would make a number of people much happier :)

#38 Updated by alant 2016-07-14 07:39:47

I confirm that installing icedove 1:45.1.0-1~deb8u1 fixes the issue for me.

#39 Updated by Kurtis 2016-07-14 16:26:07

I complained a fair bit in here about this too intrigeri. I got the current Tails nightly build 2.4.1 - 20160712 as anonym and goupille suggested and my Riseup emails are now sending via their SMTP Onion address like a charm. Thanks to everyone for the help!

#40 Updated by boneto 2016-07-15 02:06:40

I had also problems with riseup and Icedove, and it’s now fixed by updating icedove:

sudo apt update
sudo apt install icedove/jessie

(I’m using SMTP with the default configuration, except the SMTP server that I changed to “mail.riseup.net”)

Thanks!

#41 Updated by Anonymous 2016-07-15 03:15:50

boneto wrote:
> I had also problems with riseup and Icedove, and it’s now fixed by updating icedove:
>
> […]
>
> (I’m using SMTP with the default configuration, except the SMTP server that I changed to “mail.riseup.net”)

FYI, the Icedove from Debian does not have the SSL patches we ship in Tails. In case you’ve already set up your account, this should not have much impact and traffic should still go through Tor, at the correctly preconfigured port.

#42 Updated by mercedes508 2016-07-15 05:11:13

I just tried during a frontdesk session to use icedove/jessie (in Tails 2.4) and it worked just fine, zero error. Using a riseup email in Icedove configured in POP.

#43 Updated by intrigeri 2016-07-21 06:34:52

OK, thanks everyone for testing Icedove 45.1 from Debian Jessie. I’m glad it seems to fix the problem for you! But we still need more info: please also test our modified Icedove 45.1 (that’s available in any recent nightly built ISO image, such as http://nightly.tails.boum.org/build_Tails_ISO_stable/lastSuccessful/archive/build-artifacts/) and report back if it fixes the problem as well. Then we’ll know if this problem is already fixed for 2.5, or if more work is needed. Thanks in advance!

#44 Updated by intrigeri 2016-07-21 06:36:49

  • Assignee changed from anonym to intrigeri

I’ll track the status of this problem with my 2.5 RM hat, while anonym is away.

#45 Updated by intrigeri 2016-07-21 07:44:37

  • Deliverable for set to 268

#46 Updated by intrigeri 2016-07-23 05:41:22

  • Assignee changed from intrigeri to goupille

My current best understanding is that 1:45.1.0-1~deb8u1+tails1 works with Riseup.

What I’d like to know now is: does the nightly build ISO, that has an updated Icedove (45.1.0-1~deb8u1+tails2), work with boum.org? Reassigning to the bug submitter.

#47 Updated by goupille 2016-07-24 04:20:48

  • Assignee changed from goupille to intrigeri

intrigeri wrote:

> What I’d like to know now is: does the nightly build ISO, that has an updated Icedove (45.1.0-1~deb8u1+tails2), work with boum.org?

I tested again with the latest nightly build ISO, I couldn’t reproduce the error with boum (i.e. it works)

maybe there was a connection issue during my first tests (I had a really bad connection at that time)

#48 Updated by intrigeri 2016-07-25 01:22:17

  • Status changed from In Progress to Fix committed

Thanks! So I’ll consider this as fixed for 2.5.

#49 Updated by intrigeri 2016-07-25 02:23:07

  • Assignee deleted (intrigeri)
  • % Done changed from 10 to 100
  • QA Check deleted (Info Needed)

#50 Updated by intrigeri 2016-07-31 10:22:45

#51 Updated by intrigeri 2016-08-02 09:29:46

  • Status changed from Fix committed to Resolved