I have been using K9 Mail for many years without any problems. All of a sudden (perhaps after the latest update to 16.1) the connection to one of the outgoing mail servers I use no longer works due to a certificate problem.
Trying to repeat the outgoing server setup without changing anything, I get a message that the app has detected a potential security threat and did not connect to the server for this reason. Clicking the button for extended information just displays some fields of the server certificate, which all look OK. The cert name matches the domain and it is still valid. I get no information about the certificate chain or the validity of the root certificate. Also, Thunderbird (without any changes for months) and some online TLS check tools did not show any problem.
I think it is essential to get the cause of a rejection, as I can see no further possibility to diagnose this problem; it might also make finding a bug much easier. How can I find out what went wrong and get the cause of the rejection?
I still sometimes get the same message with 18.0; other clients work just fine.
I get the message (manually typed here):
Warning: Certificate error
The app detected a potential security threat and did not continue to connect to xxx.yyy.de.
If you continue, attackers could try to steal information like your password or emails.
Checking the certificate chain in the browser on my PC, it validates OK. Checking the trust store on my Android 14 phone (Samsung Galaxy A52s 5G), I cannot find the root CA in the trust store.
The root CA is “Sectigo Public Server Authentication Root R46”, which is quite new.
So I have 3 questions:
1. Does K9 Mail use the trusted CAs from Android and not the list from Mozilla? That would mean running K9 on older phones will stop working as soon as the mail provider renews the root CA. If K9 Mail uses its own root CA store, how can I check it?
2. What would be the best solution? If the CAs are from Android, could I manually add it there?
3. The warning should have mentioned that an untrusted root CA is the cause, and which certificate store is used. Where can I create a ticket for that?
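The chain check the post is asking for, reproduced on a PC with openssl so the reason for the rejection is actually printed. This is an added example, not code from the original post or from the K-9 Mail project. It assumes openssl 1.1.1 or 3.x in PATH; the root CAs and the server certificate are generated locally as stand-ins for the real Sectigo chain, "xxx.yyy.de" is reused from the post only as a subject name, and nothing is fetched from the network. The Android file-name convention (legacy OpenSSL subject hash plus ".0" under /system/etc/security/cacerts/) is the system store layout, stated here as the basis for android_store_name.

```shell
#!/bin/sh
# Added example, not code from the K-9 Mail post or project: reproduce the
# chain validation that the app's dialog hides, against an explicit trust
# store, so that the real reason ("unable to get local issuer certificate"
# and which issuer) is printed.
# Assumptions: openssl 1.1.1 or 3.x is in PATH. The root CAs and the server
# certificate are constructed here as stand-ins; "xxx.yyy.de" is only reused
# from the post as a subject name and nothing is fetched from the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT=$WORK/root.pem      # the CA that really signed the server cert
OTHER=$WORK/other.pem    # an unrelated CA: stands in for a trust store missing ROOT
LEAF=$WORK/leaf.pem      # the outgoing mail server's certificate

# Build the constructed chain: self-signed ROOT -> LEAF for xxx.yyy.de,
# plus an unrelated self-signed OTHER CA.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Root CA" -keyout "$WORK/root.key" -out "$ROOT" \
    >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Unrelated Root CA" -keyout "$WORK/other.key" -out "$OTHER" \
    >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=xxx.yyy.de" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
    -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial -out "$LEAF" \
    >/dev/null 2>&1
}

# Issuer of a certificate in RFC 2253 form, e.g. "CN=Constructed Root CA".
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Validate LEAF against STORE only (the default CA file and directory are
# disabled so the result depends on STORE alone). Prints "OK", or the issuer
# that STORE does not contain, and returns 1 on any failure.
check_chain() {
  store=$1 leaf=$2
  out=$(openssl verify -no-CAfile -no-CApath -CAfile "$store" "$leaf" 2>&1) || true
  case $out in
    *": OK"*)
      echo "OK" ;;
    *"unable to get local issuer certificate"*)
      echo "issuer not in trust store: $(issuer_of "$leaf")"; return 1 ;;
    *)
      echo "verification failed: $out"; return 1 ;;
  esac
}

# Android keeps system CAs in /system/etc/security/cacerts/, one file per CA
# named by the legacy OpenSSL subject hash plus ".0"; compute that file name
# for a CA so it can be looked for on the phone with adb.
android_store_name() {
  printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

make_chain
check_chain "$ROOT" "$LEAF" || true    # OK
check_chain "$OTHER" "$LEAF" || true   # issuer not in trust store: CN=Constructed Root CA
echo "on the phone, look for $(android_store_name "$ROOT") in /system/etc/security/cacerts/"
```

Against the real server, capture the chain with `openssl s_client -connect xxx.yyy.de:465 -showcerts </dev/null` (or `-starttls smtp` on port 587), save the server certificate as the leaf and any intermediates in a separate file passed to `openssl verify` with `-untrusted`, and point `-CAfile` at a bundle of the trust store under test (for the phone, the files from `adb shell ls /system/etc/security/cacerts/`). If the root the chain ends in has no file of the name android_store_name prints, that is the missing trust anchor the dialog does not mention.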