Under Account Settings End-to-End Encryption has been configured. On sending a mail a dialog with title "Send Message Error" appears.
This thread is the English version of the thread "[SOLVED] Senden der Nachricht ist fehlgeschlagen: Sie haben ausgewählt, diese Nachricht digital zu unterschreiben, aber...". The supplied screenshots show Thunderbird front-end with German localization settings.
Description of the problem:
The dialog shows the following message:
Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired.
The user can close the windows by confirmation via "OK" button or with the close button from window decorations.
Unfortunately, the error message does not reveal the detailed criterion why the pre-configured certificate cannot be used to sign the message.
It would be desirable for Thunderbird mail client to check all prerequisites already on the selection of the certificate in the Account Settings.
Under Account Settings - End-to-End Encryption - S/MIME the user can configure the user certificate by clicking on "Select..." button next to the input fields "Personal certificate for digital signing" and "Personal certificate for encryption".
In my case exactly one certificate can be selected: "Importiertes Zertifikat #4 [00:B0:...]".
On confirmation of the "Select Certificate" window the field is filled with "<certificate name> [<serial number of cert.>]".
After the above error has occurred there is no serial number specified with the input fields "Personal certificate for digital signing" and "Personal certificate for encryption". However, the user can repeat the certificate selection as described above.
By clicking on "Manage S/MIME Certificates" the user can open the "Certificate Manager".
By default the windows takes about half the height and half the width of the display. To show complete column values and user-friendly navigation in the "Authorities" tab the user can resize the windows using the handler in the bottom right corner. In the "Your certificates" tab the user can check the expiration date of the user certificate. A click on "View..." reveals the certificate details.
In my case the reason for the error was that the corresponding certificate of the root CA was missing. The error message also occurs if "This certificate can identify mail users." from CA certificate trust settings has not been enabled.
If those requirements are met the signing CA certificates will be displayed with the user certificate details. If that is not the case there is no information on the incomplete or invalid certificate chain.
1. Currently "Certificate Manager" is displayed as an overlaying window (pop-up window). I propose to move this information to a separate tab "Certificate Manager" in Thunderbird.
2. In order to enable users to easily locate errors with S/MIME certificates Thunderbird may provide a filter within "Select Certificate" window. By default all necessary criteria would be enabled but the user can disabled certain criteria. By this it should be possible to gradually expand the list of certificates from NSS certificate database (see image attached).
Certificates not matching all of the required should be display with gray color. If the user selects such a non-valid certificate "OK" button should be disabled (greyed out).
Thunderbird version: 78.12.0 (32-Bit)
operation system: Windows 10 Home, Version 20H2, Build 19042.985
mail account protocol: IMAP
mail provider: office365.com
Antivirus: Microsoft Viren- & Bedrohungsschutz (native from os)
Firewall: native from os