Closed Bug 1584060 Opened 3 months ago Closed 2 months ago

Failure to download POP emails with Thunderbird 68.x at TB startup

Categories

(Thunderbird :: Untriaged, defect)

defect
Not set

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1584861

People

(Reporter: mayhem30, Assigned: KaiE)

References

Details

(Keywords: regression)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362

Steps to reproduce:

I'm using Thunderbird v68.1.1 (32 Bit)

Enable "Check for new messages at startup" in Tools > Accounts > Server Settings

Actual results:

Mail accounts are not checked for new messages when Thunderbird is loaded.

Expected results:

Mail accounts should be checked for new messages when Thunderbird is loaded.

That's for POP, right? This was reported before. The reporter in bug 1577150 fixed it by using a new profile.

Status: UNCONFIRMED → RESOLVED
Closed: 3 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1583458

Yes, it for POP accounts.

Why do I need to create a new profile to fix this issue? That's a lot of work for my setup.

It was simply a suggestion. We don't know why this failure occurs, but one reporter didn't have the issue with a new profile. You could set one up just for testing. Messages should remain on the server for 14 days, so this shouldn't affect your production setup. As I said, I use pop myself and don't see this issue. You could also check for errors in the error console, Tools > Developer Tools > Error Console. Please don't paste more than 10 lines into a comment, if in doubt, attach a text file.

Creating a new profile does fix the issue, but is really not a solution for me.

This is what the error console shows on startup :

NS_ERROR_FAILURE: Couldn't decrypt string ---> crypto-SDR.js:203

throw Components.Exception( "Couldn't decrypt string", Cr.NS_ERROR_FAILURE );

This error does not show up on the newly created profile.

Aha, thanks for testing. So some "security thing" is going wrong in the old profile. If we can identify this better, I'm sure we can "correct" the profile somehow. Kai, do you have an idea of how to debug this further?

Flags: needinfo?(kaie)

Since we have more information here, I'll dupe bug 1583458 over here.

Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
See Also: → 1577150
Summary: Check for new messages at startup → Does not check e-mail at start for POP account

OK, crypto-SDR.js is linked to the password manager:
https://searchfox.org/mozilla-central/search?q=crypto-SDR.js&case=false&regexp=false&path=

So as an experiment, I suggest to remove/rename key3.db and key4.db from your profile. You'll have to enter all the passwords again, but that's the lesser evil if compared to creating the entire profile again.

Unfortunately, that only solved the error console issue. It's still not checking for new messages on startup.

What I've also tried :

  • I've disabled my 2 addons
  • Disabled/enabled "Check for new messages at startup" - restarting client after each change

Is there any last minute thing you would like me to check before I delete the my old profile?

I wasn't aware you could load multiple instances of Thunderbird, so I was able to switch over to a new profile quite easily. If anyone else is planning to do the same thing, I highly recommend reading the link below first to save time on the migration.

http://kb.mozillazine.org/Transferring_data_to_a_new_profile_-_Thunderbird

The only files I migrated over was:

Mail : Mail directory
User Styles : Chrome directory
Address Books : abook.mab + history.mab files

Then load up 2 copies of Thunderbird using your old and new profile - and manually copy/set up your new profile.

Well, I could have suggested and even easier way ;-)

The accounts are configured in prefs.js. You could have just copied over everything starting with
user_pref("mail.identity.
user_pref("mail.server.
user_pref("mail.smtpserver.

Or in other words, you could have set up the new profile by running TB once to create an empty one, then copy over the files you said, plus prefs.js and then remove anything other than the prefs I mentioned. That should have given you a new workable profile.

There is also an add-on, "Import Export Tools NG" to do exporting and importing, but i don't know how good that is for transferring accounts to a fresh profile.

I'm surprised that the address books work by just copying the *mab files. It looks like they are also referenced in prefs.js.

And also you didn't mention the calendar data. That's in a directory "calendar-data" and also referenced in prefs.js.

Anyway, all that said: Please do not delete the old profile just yet. If you want to save space, delete Mail and global-messages-db.sqlite and ZIP up the rest just in case. At the very least you should conserve the prefs.js file.

I'd actually like to ask you to "diff" (compare) the old and the new prefs.js file. I'm pretty sure that you can find the offending configuration.

Or if you have more time: Run an instance on the "good" profile making sure all e-mail is downloaded, then remove stuff from the prefs.js in the "bad" profile, for example remove everything starting with
user_pref("calendar. (that's for calendar and will destroy linkage to the calendar data)
user_pref("datareporting.
user_pref("extensions.
user_pref("mailnews.
user_pref("messenger.account. (that's for chat)
user_pref("printer
user_pref("services.
user_pref("storage.
user_pref("toolkit.
Keep starting the TB on the bad profile to see whether it finally starts up getting mail. You should be able to see this in the status bar even if no e-mail is fetched.

If you can identify the issue, you'll do a great service to the TB project and all other users in the same situation.

Clearing NI for Kai since removing the security databases didn't actually solve the issue.

Flags: needinfo?(kaie)

Another option: Send the old and new prefs.js to me in a private message as attachments, perhaps renamed to .txt so they get past an overzealous firewall. The files don't contain passwords, but the do contain account/username information.

Please be aware that deleting key3.db will also delete private keys for any personal certificates the user might own, like those used for S/MIME email security, in additional to losing your saved password.

(In reply to Ken from comment #4)

This is what the error console shows on startup :

NS_ERROR_FAILURE: Couldn't decrypt string ---> crypto-SDR.js:203

This was shown only after you had deleted key3.db/key4.db, correct? If yes, that's expected.

Please let us know if you saw this error BEFORE you deleted files from your profile directory, that shouldn't happen.

I think it's a bit dangerous to recommend to delete that file.
I'd always remind people to:

  • make a backup of the files key3.db, key4.db, cert8,db, cert9.db, secmod.db, logins.*, prior to suggesting to delete files.

It's now a little late, because you probably have already started to enter new passwords into your new profile. But in general, when creating a new profile, and the profile is still fresh, it's fine to copy the above files from the old profile directory to the new profile directory, which would preserve your old keys and logins. (Always completely quit Thunderbird when copying/backing up files.)

Deleting the security databases solved the crypto-SDR.js issue, so that showed up before the deletion, see comment #9.

I in fact said "remove/rename" implying that there would be an option to restore those files.

Which version of Thunderbird did you use prior to using 68.1.1 ? Did you use a 60.x version?

If using saved passwords worked with 60.x, but after updating to 68.x you suddenly got the error from comment 4, that sounds bad. We need to understand why this happened.

The key to decrypting the saved logins is stored inside the files key3.db in older TB versions, or key4.db in newer TB versions. By default, the key can be used directly. Only if you setup a master password, decrypting the saved logins will require you to enter the master password.

Did you ever setup a master password?

There's another potential failure scenario, rarely a file operation fails, and the files key3.db/key4.db get corrupted. But if that file got corrupted, it should have failed with the older Thunderbird version, too.

Kai, the reporter said that removing the databases didn't solve the issue, see comment #9. So I'd rule out any security related issue impacting on message download and focus on checking the profile. The security issue is just a "side issue" (Nebenschauplatz), but I can understand that it interests you ;-)

(In reply to Jorg K (GMT+2) from comment #13)

Another option: Send the old and new prefs.js to me in a private message as attachments, perhaps renamed to .txt so they get past an overzealous firewall. The files don't contain passwords, but the do contain account/username information.

I don't see any private message options. Would you like me to email it to you?

(In reply to Kai Engert (:kaie:) from comment #18)

Which version of Thunderbird did you use prior to using 68.1.1 ? Did you use a 60.x version?

Yes, I was using a 60.x version before upgrading to 68.1.1 (via the built in upgrader).

Did you ever setup a master password?

No, I never setup a master password.

(In reply to Jorg K (GMT+2) from comment #22)

Yes, email.

Done.

I just noticed on my old profile that this error below still shows up if I manually click on the "Get Messages" button.

NS_ERROR_FAILURE: Couldn't decrypt string ---> crypto-SDR.js:203

It does not show up when:

  • TB is first loaded up
  • TB automatically checks for new messages every 1 minute.

This error does not show up at any time on my new profile.

That will get Kai interested. BTW, I received your prefs.js files but haven't had a chance to look at them.

Line 203 is reached if the stored encrypted data is bad (e.g. corrupted) or if the matching key for decryption cannot be found.

Maybe there is some sort of corruption, either inside your logins.js file, or in the key*.db file. Maybe the NSS library used by TB 60 was dealing with corruptions in a more lenient way, while the NSS library version used by TB 68 is more strict.

It's very difficult to diagnose this remotely, but I cannot ask you to give me your data files, it would allow me to read your passwords, and you shouldn't send the logins.js/key*.db files with regular email.

Ideally we'd need a tool that attempts to analyze the correctness of your files on your computer, and prints the results. I don't have such a tool that simulates Thunderbird's mode of operation.

I have two ideas, none of them are perfect.

First, you could try to use a decryption tool that attempts to uncover the stored passwords from a firefox profile, which will also work with a thunderbird profile. I found such a tool at https://github.com/lclevy/firepwd . If you're able to get this python tool running, and execute it on your profile directory, you could look at the dump it creates. It seems to dump a line with username and password for each saved entry. If some of the entries look broken, it would indicate you have a file corruption. On the other hand, even if the tool prints everything fine, we might still have a failure in NSS or TB at some higher level. (Use the tool at your own risk.)

Second idea is that we improve the error messages that are dumped on the error console. In addition to the failure, we could print the hostname that is related to the failed operation. This could tell us what TB is trying to decrypt. Also, it could tell us if TB is trying to decrypt multiple entries, or if always gives up after the first operation. We could also have info for successful operations.

I saw there is an existing preference. If you use the config editor to set preference signon.debug to true, you'll get some additional information on the error console. You'll see which stored entry it lookup up immediately before the failure. You could check if it will always display the same account just before the failure, for example, when you try to check mail for a specific account, or if it reports issues with multiple accounts.

This patch could be used on the TB 68.x branch to get some additional debug output (controlled by the same signon.debug preference).

Assignee: nobody → kaie

(Patch isn't really necessary. The existing code enabled with signon.debug should give us helpful information. I had worked on the patch, before I found that existing signon.debug pref.)

This is what the log shows for each account :

nsLoginManager: Searching for logins matching origin: mailbox://pop.domain.com formActionOrigin: httpRealm: mailbox://pop.domain.com LoginManager.jsm:426:9
Login storage: _searchLogins: returning 6 logins for
Object { hostname: "mailbox://pop.domain.com", httpRealm: "mailbox://pop.domain.com" }
with options
Object { schemeUpgrades: false }
storage-json.js:423:10
Login crypto: Failed to decrypt string: MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECO+8WEndxhYKBBBUDoASxoi8waD462B5LdES (NS_ERROR_FAILURE) crypto-SDR.js:187:12
Login crypto: Failed to decrypt string: MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECLP0oBOYHchZBBAc8CSxDa0ZguAqE7mEI/NW (NS_ERROR_FAILURE) crypto-SDR.js:187:12
Login crypto: Failed to decrypt string: MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECG4GG0X2JT49BBBpdNpSCLlKLtA6n0wIf8kr (NS_ERROR_FAILURE) crypto-SDR.js:187:12
Login crypto: Failed to decrypt string: MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPK5EsFAjFMMBBChVqQW8vB+IFKO9MC9FsO8 (NS_ERROR_FAILURE) crypto-SDR.js:187:12
Login storage: _findLogins: returning 2 logins storage-json.js:464:10
NS_ERROR_FAILURE: Couldn't decrypt string 4 crypto-SDR.js:203

try to use a decryption tool that attempts to uncover the stored passwords from a firefox profile

There are other tools like this, for example Nirsoft's: https://www.nirsoft.net/utils/passwordfox.html

There is definitely an issue with the password database.

The last 6 entries are just fine, but the first 12 accounts are just my accounts repeated twice - with garbled username / password entries.

https://i.imgur.com/AcUd1ym.png

If you have both broken and good entries, I gusss that means, at some point your key*.db file got corrupted, and probably a new, fresh key*.db file got created. Either that, or NSS created a new, fresh encryption/decryption key inside the existing key*.db file.

In both scenarios, the old key was lost and the old logins can no longer be accessed. New entries were added at the end.

It's still very confusing that the worked for you with Thunderbird 60.

If you execute the tool on your old profile, can you find any pair of two rows, where the first column refers to the same POP hostname, but one row is damaged and another one is working? (This is just a wild guess. Maybe the old version found a working line, while the new TB version found the broken line, then gave up.)

With Thunderbird 52, we were still using an older storage format for the key database. It still used key3.db. Starting with Thunderbird 60, we switched to a different format and filename key4.db.

If you had told us that it had worked with TB 52, but failed with TB 60, then it could have pointed us to a failed migration from key3 to key4.
But when going from TB 60 to TB 68, they key storage format wasn't changed.

If you had used older versions than TB 60 in the past, then you probably had both key3.db and key4.db files in your old profile directory.

If you have backups of your files, you could try to have only the key3.db, cert8.db and secmod.db files in your old profile directory, and move the files key4.db, cert9.db and pkcs11.txt away to a different folder, then try the password decryption tool again. Does it show the same list of good and broken entries, or are the sets reversed?

If you get different sets of good entries, then something went wrong with the migration from key3 to key4.

If you get the same set of good entries, then the problem was introduced at a later time. In that scenario, the only idea I have is that the key4.db is corrupted in a way that the older NSS from TB 60 accepted, but that the newer NSS from TB 68 rejects.

I started using Thunderbird when it was version 60.x - I only have key4.db in my profile folders.

I tried removing key4.db and cert9.db out of the directory and entered in the passwords when prompted, and still get the error message.

PasswordFox now shows 18 garbled entries. Which file(s) should I be deleting?

ok, thanks. When you started this last experiment, TB created fresh files. Move those new files key4, cert9, pkcs11 away, and copy those files from your backup back into the tb profile directory, that should restore the state from before the last expirement.

I've filed bug 1584851, to ask NSS developers if they can think of any changes between the relevant NSS versions that could potentially have such an effect.

See Also: → 1584851

Just a few more routine questions: Since you started to use that Thunderbird profile, did you ever experience a harddisk failure and kept your old files? Do you store your home directory (including the thunderbird profile directory) on a network filesystem?

No harddisk failures. Windows / All TB files resides on a local 256GB Samsung 850 Pro SSD.

I have the same problem and was referred to this bug report. Also POP3 (on Win7 64 bit). All of my mail accounts deliver the messages to a single Inbox in local folders. Also I have a new related problem. Under Local Folders I have created a Folder called Saved Items with numerous sub-folders. Just today when I open Thunderbird, instead of opening in InBox, it opens in the last of my sub folders under Saved Items.

Unfortunately I have trouble following the technical issues above. And with 9 mail accounts (and two news accounts) I am loathe to delete my profiles folder. Is there any hope that this will be corrected in future versions or has my profile been irreparably corrupted and I need to bite the bullet and delete the profile?

I wouldn't create a new profile just yet … that solution may fail for you down the road.

Everything was working for me until I moved the "Mail" folder from my old profile to my new profile, deleted the global-messages-db.sqlite file to rebuild the "global search and indexer" and my new profile no longer checks for new messages on startup.

No errors show up in the error log and enabling "signon.debug" shows all is well with the accounts.

Thank you. I'll hold on. But it is a bit annoying. I'm getting used to the process though.

  1. Open Thunderbird
  2. Go to Inbox
  3. Click on Load messages
  4. Click the arrow next to Saved Items to collapse list of sub folders
  5. Proceed to read and dispose of messages
Keywords: regression

Ken, can you please carify comment 41. Are you saying, TB 68 was initially working completely fine, and could correctly check all your POP accounts, and problems only started after you moved your Mail folder?

Thanks for asking, Kai, I was wondering the same. And while we're clarifying, I have some more questions:
So fetching e-mail at start-up doesn't work. Does the periodical fetch, "every XX minutes" work? And what about the manual fetch via the UI "Get message". It's hard to understand why only the first fetch wouldn't work.

Ken, I finally found some time to compare the "bad" and the "good" prefs.js. I suggest you install the free WinMerge program to check it out for yourself, you'll find that the new setup is missing some configuration. Apart from a few things you missed, as mentioned, I saw these differences:

The "bad" prefs have:
user_pref("mail.server.server2.applyToFlaggedMessages", false);
user_pref("mail.server.server2.cleanupBodies", false);
user_pref("mail.server.server2.daysToKeepBodies", 30);
user_pref("mail.server.server2.daysToKeepHdrs", 30);
I guess those are "normal", I have values like this in my own profile.

The next difference is:
user_pref("mail.server.server2.downloadByDate", false);
user_pref("mail.server.server2.downloadUnreadOnly", false);
And again, my own profile shows the same.

So I can't detect any anomaly here.

The next thing you can check is popstate.dat. That file lives in the Mail folder and is usually empty unless you leave messages on the server. Then it contains a list of messages that were already downloaded (I believe, so TB doesn't download them again). That just occurred to me since you said that moving your Mail folder broke things again.

It seems there might be multiple issues. Let's try to collect more details in individual bug reports, prior to deciding they are all the same issue and mixing them in here.

In all the other bugs, people have complained that automatic downloading fails in some scenarios, but manually downloading email still works. It sounds like there wasn't a problem with saved logins for those users.

This bug report here is the only one (until now) that mentions an issue with decrypting passwords. Clearly, failure to access saved passwords prevents downloading of emails permanently.

I suggest that we use this bug for "failure to download emails permanently because saved passwords cannot be accessed".

I suggest that we reopen rvj_43's bug 1584861 as a separate bug, described as "automatic download of emails fails, but manual download still works". I'll do that.

Summary: Does not check e-mail at start for POP account → Permanent failure to download POP emails with Thunderbird 68.x, because saved passwords cannot be accessed.

rvj_43: The issue with your special setup "saved folders" sounds unrelated. Could you please file a separate bug for that? (second part of comment 40, and comment 42)

Re comment 48. As requested opened new bug "Thunderbird Does Not Open in InBox " Bug #1584952

(In reply to Kai Engert (:kaie:) from comment #43)

Ken, can you please carify comment 41. Are you saying, TB 68 was initially working completely fine, and could correctly check all your POP accounts, and problems only started after you moved your Mail folder?

That is correct. I moved my mail folder and deleted the global-messages-db.sqlite file to build a new message index. When I started TB after that, it no longer checks for new message at startup.

(In reply to Jorg K (GMT+2) from comment #44)

Thanks for asking, Kai, I was wondering the same. And while we're clarifying, I have some more questions:
So fetching e-mail at start-up doesn't work. Does the periodical fetch, "every XX minutes" work? And what about the manual fetch via the UI "Get message". It's hard to understand why only the first fetch wouldn't work.

Yes, everything works - with no errors - except TB will not check for new messages at startup.

(In reply to Jorg K (GMT+2) from comment #46)

The next thing you can check is popstate.dat. That file lives in the Mail folder and is usually empty unless you leave messages on the server. Then it contains a list of messages that were already downloaded (I believe, so TB doesn't download them again). That just occurred to me since you said that moving your Mail folder broke things again.

The popstate.dat file does not exist in either of my profile folders. I have the "leave messages on server" option unchecked on all accounts.

Ken, you said you removed files from your profile.
Is it possible that you had (accidentally) deleted the key4.db file, too?

The removal of that file would explain the behavior you're seeing, no longer being able to decrypt old saved logins.

(In reply to Kai Engert (:kaie:) from comment #52)

Ken, you said you removed files from your profile.
Is it possible that you had (accidentally) deleted the key4.db file, too?

The removal of that file would explain the behavior you're seeing, no longer being able to decrypt old saved logins.

No, that file still has a created / last modified date of September 25th. The only files I deleted was the mail directory and the global-messages-db.sqlite file. Then I moved the mail folder from old profile to the new profile (TB auto created a new messages-db file).

No errors are showing up whatsoever in error console + "signon.debug" shows all mail accounts without issues.

Ken, when you first experienced this bug, that mail was not downloaded at startup - were you still able to download email manually? Did Thunderbird still have the passwords for all your accounts remembered?

I have solved the problem!

After a couple of days of messing with the prefs.js file, the line that is causing all the headaches is :

user_pref("mail.accountmanager.defaultaccount", "account2");

Both of my profiles (in the prefs.js file) have that set to "account2". All I did was change it to "account1" and both profiles are now checking for messages at startup.

If I change that variable back to "account2", the functionality breaks again and no longer works.

Here is more information on the fix :

My "account2" on both profiles is "localfoldersserver".

user_pref("mail.account.account2.server", "server2");
user_pref("mail.accountmanager.localfoldersserver", "server2");

My mail accounts are account1, account3 and account4.

Changing "mail.accountmanager.defaultaccount" to account1, account3 or account4 solves the issue.

It only stop working if I change the above line to "account2".

Yes, account 2 is the "local folder account".

Since Kai moved all the duplicates to the other bug and you filed this bug, I'll close this now since this bug has become too confusing. I'll file a new bug so we can look at the issue.

Status: UNCONFIRMED → RESOLVED
Closed: 3 months ago2 months ago
Resolution: --- → WORKSFORME

I filed bug 1585469. Note that "Local Folders" cannot be set as default account in the UI.

Actually, I'll reshuffle this to bug 1584861 now.

Kai, if you still want to pursue the key DB issues, I think we should do it elsewhere.

Resolution: WORKSFORME → DUPLICATE
Summary: Permanent failure to download POP emails with Thunderbird 68.x, because saved passwords cannot be accessed. → Failure to download POP emails with Thunderbird 68.x at TB startup
Duplicate of bug: 1584861
You need to log in before you can comment on or make changes to this bug.