Closed Bug 1592258 (Owl-O365) Opened 5 years ago Closed 5 years ago

autoconfig offers Exchange (and selects it by default!) even if standard protocols IMAP/SMTP setup is found and available (Office 365)

Categories

(Thunderbird :: Account Manager, defect)

Product:
Thunderbird
Component:
Account Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(thunderbird_esr68 fixed, thunderbird72 fixed, thunderbird73 fixed)

Status:
VERIFIED FIXED
Milestone:
Thunderbird 73.0
Tracking Flags:
Tracking Status
thunderbird_esr68 --- fixed
thunderbird72 --- fixed
thunderbird73 --- fixed

People

(Reporter: mkmelin, Assigned: BenB)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files, 23 obsolete files)

Screencast of wrong and correct password, for both test accounts
181.90 KB, video/mp4
Details
ben-office365-try-imap-1592258-10.diff
4.85 KB, patch
mkmelin
: review+
mkmelin
: approval-comm-beta+
mkmelin
: approval-comm-esr68+
Details | Diff | Splinter Review

Bug 1571772 apparently changed how the autoconfig works wrt. offering Exchange and thus promoting the Owl add-on.

Now, even if IMAP and SMTP setups are found, the autoconfig will list Exchange as an option and select that by default. This is clearly not how this was supposed to be handled, and not how the flow was agreed to be handled when we discussed Owl integration points last year. We're not interested in listing a proprietary protocol that requires a commercial add-on to be installed, and certainly not interested in having it be the default. Exchange support should only be listed as a last resort, if no other means of connecting are available.

Besides obvious problems from setting unsuspecting users to use a proprietary protocol with unknown future support, it is also confusing to users that didn't realize they had no reason to buy an add-on to get their mails, and then Thunderbird still asked for a donation as the application download page. (A complaint in this regard is what lead me to discover this bug.) => Bad rep for Thunderbird.

STR: try to set up an @outlook.com address. You'll get set up to use Exchange as default.

The fact that this change was implemented + reviewed by the two people working the Owl add-on certainly doesn't make this any prettier! :(

I'm rather disappointed by this report. I see Neil and Ben work together and I always assumed they had enough peer status for that to be OK. I guess in the future everything will need to be reviewed by a "real" peer. So how do we fix this? Is there a quick fix we can ship in 68.2.1 soon or should we backout the function at least from the ESR?

Attached image account creation.png (obsolete) —

Also, there was no attention paid to detail. This dialogue comes up and it is too small and the buttons are cut off :-(

Attached patch bug1571772_exchange-backut.patch (obsolete) — Splinter Review

Backout patch.

Comment on attachment 9105396 [details] [diff] [review] bug1571772_exchange-backut.patch Review of attachment 9105396 [details] [diff] [review]: ----------------------------------------------------------------- Sent to try now: https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=19fcaf2b0382a81d171c7a9403277e15586e7882
Attachment #9105396 - Flags: review?(jorgk)
Status: NEW → ASSIGNED

Hmm, yes, backing out 2f10eda9d3a70a2d15a19ce80a066c7e7a0e3459 from bug 1592258 failed miserably. Just keep in mind that backing this out will only reach ~8% of TB users. The function is also in TB 60.9.

Wouldn't it be easier to just set the option to IMAP instead?

Comment on attachment 9105396 [details] [diff] [review] bug1571772_exchange-backut.patch Looks OK, I compared all the hunks.
Attachment #9105396 - Flags: review?(jorgk) → review+
Comment on attachment 9105396 [details] [diff] [review] bug1571772_exchange-backut.patch BenB review rejected. Do not land this. I'll explain more in a moment
Attachment #9105396 - Flags: review-

Exchange support should only be listed as a last resort, if no other means of connecting are available.

I certainly think that POP3 is an inferior protocol, nevertheless we still offer it, and people still choose it. Likewise, if we know that this is an Exchange server, and Owl is specifically written to support Exchange (and works etc.), then I see no reason why it should be hidden from the user. Exchange support should always be available. Why refuse an available option to the user that works really well?

I know that you, Magnus, are not personally affected, but if you had an Office365 email account in a large company, you probably would be. A large percentage of Office365 users cannot use IMAP anymore. Their companies are forcing MFA (multi-factor authentication) and are actively disabling "legacy protocols" (which is what Microsoft calls IMAP, POP3 and SMTP), because they are password based. Everybody is blogging and writing about how MFA helps security and it should really be used. More and more users are writing to our support that they are in this situation. It appears this has been rapidly increasing even in the last 2 months. Just in the last few weeks, I see more and more people reporting that in our support requests. A large percentage of Office365 are simply locked out of IMAP.

Microsoft is actively trying to lock out password-based protocols in favor of what they call "Modern Authentication" and MFA. You can expect this percentage of users to rapidly increase soon.

In the autoconfig dialog, we have no good way to know whether people are in this situation that they need MFA. Owl has specific support for it, but this is very Office365-specific and works only for Office365. Additionally, Thunderbird doesn't communicate the real reason why an IMAP login failed, and just says "Password wrong". This is very bad. Most end users will just try other passwords and give up frustrated, and will not know that it fails due to MFA. Selecting Exchange makes the configuration work by default, and still allows users to choose another protocol, if they like.

It is selected by default also for another reason: We can offer much tighter support with Office365 than standard protocols do. We integrate with the address book and the calendar (EWS now, OWA in the coming weeks). For many users, the calendar is really important, and they keep asking about it.

r-, because this will break configurations that work now and will not work anymore after this backout.

Furthermore, this patch improved the code, as described in bug 1571772, where it landed. You can also see in that bug that there was a real review with a real discussion.

It even was mentioned in the release notes, and was covered by many news articles (!) in several countries as the primary improvement of that particular release, and the press mentioned it in a positive way as an improvement.

I understand now that you're against it for philosophical reasons, but if you take the facts of how the general userbase (with that I mean the average Thunderbird user) and the press and news articles received it, it was overwhelmingly positive. I've received many letters of thanks for Owl, too.

Ripping that feature out again now, or even removing it from being the default, would be a regression. That would be bad PR. It would make no sense, given that the feature was received well.

The fact that @outlook.com addresses also default to Exchange is not intentional, but a consequence of the Microsoft server setup. They have the same MX server (which Thunderbird bases on) and look the same to Thunderbird. They also work in Owl, but you're right that these users could just as well use IMAP. I think for all outlook.com users, IMAP is enabled.

As a constructive proposal, what we could do is try to differentiate between outlook.com - which typically works with IMAP, and default that to IMAP -, and Office365 (the corporate cloud email addresses) - which often require MFA and will simply not work with IMAP, but will work with Owl, and default the latter to Owl. We could come up with a patch that does this.

@Magnus: Is comment 10 a fair proposal? If you agree, we will take this bug and create a patch.

Sounds good to me. The backout is not a viable option and I'm quite convinced that not offering IMAP for Office365 also makes sense. Users who don't want to buy the add-on can click IMAP and see how they go.

Bonus points for improving the "Password wrong" message when IMAP fails due to MFA.

And more bonus points for making the dialogue big enough ;-)

(In reply to Ben Bucksch (:BenB) from comment #8)

I certainly think that POP3 is an inferior protocol, nevertheless we still offer it, and people still choose it. Likewise, if we know that this is an Exchange server, and Owl is specifically written to support Exchange (and works etc.), then I see no reason why it should be hidden from the user. Exchange support should always be available. Why refuse an available option to the user that works really well?

POP3 has a different use case than IMAP. People can have good reasons to choose it (e.g. not wanting to leave anything on the server to be snooped, or due to storage limitations).

I'm not trying to "refuse an option that works really well". As you're very well aware, what we agreed upon back then is that Exchange would be shown when there were no standard compliant options available. I think you'd have severe difficulties convincing users that they have to pay Beonex 10€/year to access their email, when they could have been doing it all for free, with less hazzle, and is way more future proof.

I know that you, Magnus, are not personally affected, but if you had an Office365 email account in a large company, you probably would be. A large percentage of Office365 users cannot use IMAP anymore. Their companies are forcing MFA (multi-factor authentication) and are actively disabling "legacy protocols" (which is what Microsoft calls IMAP, POP3 and SMTP), because they are password based. Everybody is blogging and writing about how MFA helps security and it should really be used. More and more users are writing to our support that they are in this situation. It appears this has been rapidly increasing even in the last 2 months. Just in the last few weeks, I see more and more people reporting that in our support requests. A large percentage of Office365 are simply locked out of IMAP.

You're making a lot of assumptions about me and also about what what users want or not. Surely if they really need Exchange support they can install Owl and get that.

Microsoft is actively trying to lock out password-based protocols in favor of what they call "Modern Authentication" and MFA. You can expect this percentage of users to rapidly increase soon.

FYI for O365, the IMAP and POP MFA support is in the works.

In the autoconfig dialog, we have no good way to know whether people are in this situation that they need MFA. Owl has specific support for it, but this is very Office365-specific and works only for Office365. Additionally, Thunderbird doesn't communicate the real reason why an IMAP login failed, and just says "Password wrong". This is very bad. Most end users will just try other passwords and give up frustrated, and will not know that it fails due to MFA.

At that point, if Exchange was available, AND the normal IMAP/POP auth failed: that would be the appropriate place to advertise this alternative.

Selecting Exchange makes the configuration work by default, and still allows users to choose another protocol, if they like.

It's seems just as likely (or more so) that the standard IMAP set up would work by default. You're also dismissing that users have to pay to use you Exchange supporting add-ons, which is a rather big deal for the average user.

At the end of the day, I think you're assumptions are very biased. You want Owl to be advertised as widely as possible to make business as lucrative as possible. We get it. But its the unsuspecting Thunderbird users you are paying and who would like Thunderbird to do what's best for them.

@Magnus: What about contacts and calendar? T hunderbird has 0 support for that right now. Owl supports some contacts and calendar out of the box with no configuration. (Calendar to be released as default in the coming weeks.)

pay Beonex 10€/year to access their email, when they could have been doing it all for free, with less hazzle, and is way more future proof.

That's not the what we're trying here. Like I said, that we show Owl for outlook.com was not intentional, and we'd fix that.

if Exchange was available, AND the normal IMAP/POP auth failed: that would be the appropriate place to advertise this alternative.

That's a reasonable proposal, but it will be difficult to implement, given the flow. What I don't want to do is offer an option to the user, have him confirm it, just to then tell him a second later that it's not available after all. That's bad UI.

What about my other proposal, to differentiate based on the domain, i.e. outlook.com/live/hotmail personal accounts vs. Office365 accounts? The latter are highly likely to want Owl, due to MFA, calendar, contacts etc..

differentiate based on the domain

Andrew Sutherland has proposed the same in bug 1185366.

This patch differentiates between Outlook.com/Hotmail personal accounts and Office365 business accounts.
This allows us to deliver different configs for both types of accounts. Given that they have different properties (e.g. outlook.com doesn't even support OAuth2), this makes sense to do even independent of the bug here. It will also help in other situations, see e.g. bug 1185366.

This is with the knowledge that all outlook.com accounts support IMAP with password-based authentication, and many Office365 domains do not even have IMAP enabled. For them, even IMAP with OAuth2 will not work. Furthermore, many Office365 users need the calendar, personal address book, and global company address book from the same server, for collaboration with their colleagues in the same domain.

Assignee: mkmelin+mozilla → ben.bucksch
Attachment #9105396 - Attachment is obsolete: true
Attachment #9105650 - Flags: review?(mkmelin+mozilla)
  • If the domain is outlook.com, hotmail.fi or another known Hotmail domains, we will find that config directly in the ISPDB, and the MX code path won't be used at all. ISPDB will deliver a config that makes IMAP the default.
  • For unknown Hotmail domains, we will use MX *.olc.protection.outlook.com, which also points to the Hotmail configuration
  • If the domain is an Office365 domain (you can test with somebody@beonex.onmicrosoft.com), the MX will point to example.mail.protection.outlook.com. The direct ISPDB lookup for beonex.onmicrosoft.com will fail, and we will fall into MX lookup. We make 2 parallel lookups, for mail.protection.outlook.com and outlook.com, and give precedence to the mail.protection.outlook.com lookup (even if it arrives later). It will point to the Office365 configuration, which makes Exchange the default.
Attachment #9105650 - Attachment is obsolete: true
Attachment #9105650 - Flags: review?(mkmelin+mozilla)
Attachment #9105671 - Flags: review?(mkmelin+mozilla)

To state it clearly: That Owl was pre-selected for outlook.com/Hotmail was not intentional. It was a mistake, and I'm sorry about that. It was a side effect of the MX hostname setup of Microsoft. This patch fixes that.

Comment on attachment 9105671 [details] [diff] [review] Differentiate based on domain, v2 Review of attachment 9105671 [details] [diff] [review]: ----------------------------------------------------------------- This doesn't really fix this bug. Maybe something in this direction is needed in bug 1185366.
Attachment #9105671 - Flags: review?(mkmelin+mozilla) → review-
Attached patch bug1592258_exchange-fix.patch (obsolete) — Splinter Review

Like discussed above, we should only show exchange when
A) it was the only choice we found
B) IMAP/POP3 was chosen but authentication failed (and we knew of an exchange option too)

Clean try: https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=5165c1d4d8e861012128fb32d863951c90e63f12

Assignee: ben.bucksch → mkmelin+mozilla
Attachment #9106331 - Flags: review?(jorgk)
Comment on attachment 9106331 [details] [diff] [review] bug1592258_exchange-fix.patch Looks reasonable by code inspection. I wasn't involved in the original bug 1500105 at all, so I've never tested any of this. Somehow Ben's patch doesn't fix the issue, I tried mickeymouse@outlook.com and got offered Exchange as default. I'd say it'd we fair to let Ben check this patch himself. He needs to make sure that servers that really need Exchange offer it properly. Otherwise please get Aceman who did a lot of testing in the original bug.
Attachment #9106331 - Flags: review?(jorgk)
Attachment #9106331 - Flags: review?(ben.bucksch)
Attachment #9106331 - Flags: feedback+

I tried mickeymouse@outlook.com and got offered Exchange as default.

Did you also apply the pref change and re-compile mailnews/ ? If not, that's why.

Comment on attachment 9106331 [details] [diff] [review] bug1592258_exchange-fix.patch We shouldn't keep these flags everywhere. That leads to bugs. I see another way how to do that. I'll attach a new patch.
Attachment #9106331 - Flags: review?(ben.bucksch) → review-

(In reply to Ben Bucksch (:BenB) from comment #24)

I tried mickeymouse@outlook.com and got offered Exchange as default.

Did you also apply the pref change and re-compile mailnews/ ? If not, that's why.

No. I don't see how that's relevant. That pref change won't be shipped, so what we ships will show the behaviour we're trying to fix.

@Jörg: The "Differentiate based on domain, v2" patch differentiates between outlook.com and Office365, and uses different configs for both, because they are different offers with very different properties. The current ISPDB doesn't have the new config and uses the same for both. The test ISPDB server already has the configs that we would add to ISPDB.

@Magnus: I'll make another patch.

Oops, the penny dropped. So why not push this to the official ISPDB first. Why do you need a new patch if the current one already works assuming it is fed the correct data? That was the only complaint from Magnus (quote): This doesn't really fix this bug.

So why not push this to the official ISPDB first.

Because the patch was rejected :-) . Changing the ISPDB would only make sense, if this patch is accepted and shipped.

Why do you need a new patch if the current one already works assuming it is fed the correct data? That was the only complaint from Magnus (quote): This doesn't really fix this bug.

From how I understood Magnus, he was opposed to the idea of the approach, not the fact that he tried my patch and it failed. Magnus is dead-set on attempting IMAP first, even if this fails in most cases and also gives sub-par user experience (no calendar etc.pp.).

A misunderstanding? When I last spoke to Magnus he told me that the patch didn't work without the pref change to your server. At least I didn't realise what the background was. I think anything that fixes the bug and selects IMAP for outlook.com should be fine. Surely Magnus can speak for himself, but all the information I have is "doesn't work" (see comment #21). I see that you have attached your patch to bug 1185366. So do I see it correctly that if we fix that other bug, this one here becomes WFM? (Maybe I'm all wrong.)

(In reply to Ben Bucksch (:BenB) from comment #25)

We shouldn't keep these flags everywhere. That leads to bugs.

I don't see how.

Anyway, we should fix it this way and not try to rely on ispdb changes. It's very possible there are cases where we just probe instead and find multiple alternatives.

Attachment #9106331 - Flags: review- → review?(acelists)
Attachment #9105671 - Attachment is obsolete: true
Comment on attachment 9106331 [details] [diff] [review] bug1592258_exchange-fix.patch Like I said, this patch is not good. I have a patch coming. I already finished almost, I just need to check something. I will attach it tomorrow.
Attachment #9106331 - Flags: review?(acelists) → review-

You don't like it because it doesn't advertise exchange as much as you'd like. That doesn't make the patch "not good" (to which you've given no qualifications). There's really no need for another patch. In comment 15 you even said it's reasonable, but now you back down just because there's a patch to achieve it?

Attachment #9106331 - Flags: review- → review?(acelists)

Shall we wait to see what Ben has to propose?

(In reply to Jorg K (GMT+2) from comment #34)

Shall we wait to see what Ben has to propose?

Absolutely not. It is a sheriff fail that this was not backed out immediately. I will have more to say later.

(Somewhat off-topic: Thanks for attributing so much power to the sheriff role, but after something has shipped in a beta and two(!!) ESR versions (60 and 68), the issue is more complex than a backout).

No way is that a credible excuse. A backout patch was even prepared. I suggest not attaching yourself to the wrong decision here.

Assignee: mkmelin+mozilla → ben.bucksch
Attachment #9106331 - Attachment is obsolete: true
Attachment #9106331 - Flags: review?(acelists)
Attachment #9106788 - Flags: review?(neil)
Attachment #9106788 - Flags: review?(acelists)

Requirements for this patch:

  • We must not show a config to the user that will eventually fail. To the user, we must propose only configs that are known to work.
  • The user approval before contacting an unknown IMAP server was a security measure, because we don't trust the network sources for configs. Together with the previous requirement, that makes the fix difficult. Making the fix specific to the Microsoft server gets us out of this problem.
  • The code footprint should preferably be confined to one place, and be coherent with the rest.
Attachment #9106788 - Attachment description: Try IMAP, v4 → Try IMAP, v4 - assumes ISPDB change
Attached patch Force IMAP, v5 (obsolete) — Splinter Review

This is another version of the "Try IMAP" patch which does not depend on ISPDB changes.

Attachment #9106788 - Attachment is obsolete: true
Attachment #9106788 - Flags: review?(neil)
Attachment #9106788 - Flags: review?(acelists)
Attachment #9107100 - Flags: review?(neil)
Attachment #9107100 - Flags: review?(acelists)
Attachment #9107100 - Attachment description: Force IMAP for Office365, v5 → Force IMAP, v5
Comment on attachment 9107100 [details] [diff] [review] Force IMAP, v5 Review of attachment 9107100 [details] [diff] [review]: ----------------------------------------------------------------- ::: mail/components/accountcreation/content/accountConfig.js @@ +210,5 @@ > > + selectAlternativeType(selectType) { > + if (!this.incomingAlternatives) { > + return; > + } noop @@ +216,5 @@ > + alt => alt.type == selectType > + ); > + if (!selectConfig) { > + return; > + } noop ::: mail/components/accountcreation/content/emailWizard.js @@ +760,5 @@ > this._abortable = null; > e("status-area").setAttribute("status", "result"); > + this.checkIMAPvsExchange(config, updatedConfig => > + this.displayConfigResult(updatedConfig) > + ); You're ignoring the fact that there is pop access too. Furthermore, password is not a required detail to fill in to get your configuration at least ATM. I often fill it in later when I log in, I don't think that's very abnormal. @@ +778,5 @@ > + checkIMAPvsExchange(config, resultCallback) { > + assert(config instanceof AccountConfig); > + // The hostname check is also a security-check, > + // so that we don't send configs to the wrong server. > + if (config.incoming.hostname != "outlook.office365.com") { I don't think we want to have a per-hostname exception. Especially as the preferred way to connect to ms mail services in other clients than Outlook is through IMAP/POP3. Other means are really not supported in any official manner. I see you went and made Exchange the first (==default) for the Microsoft domains in ISPDB - https://github.com/thundernest/autoconfig/commit/0105a0001bf33985c578c7660e7a2e2c4304f658. Given the official documentation from Microsoft, that's just wrong. It's not a supported option: https://support.office.com/en-us/article/pop-imap-and-smtp-settings-for-outlook-com-d088b986-291d-42b8-9564-9c414e2aa040 + other clients are also using ISPDB and if they were not careful, they are now broken since exchange is listed as default. @@ +785,5 @@ > + } > + this._currentConfig = config; > + let configFilledIn = this.getConcreteConfig(); > + if (configFilledIn.incoming.type == "exchange") { > + configFilledIn.selectAlternativeType("imap"); I don't think it's ok to change what the user selected, it may be pop too. At the very least, that would be confusing. Also more generally, it's possible the user wanted POP3, but that's disabled server side (user needs to opt in, according to Microsoft). They may just want to switch to IMAP and try that instead. @@ +796,5 @@ > + resultCallback, > + // IMAP login failed > + ex => { > + // IMAP config didn't work, so make Exchange the default > + config.selectAlternativeType("exchange"); Same, don't change what the user selected.
Attachment #9107100 - Flags: feedback-

noop

Not sure what you mean with that, but these checks were necessary, because this can indeed happen that there are no alternatives and there is only a single config. I did run into this in my testing scenarios.

password is not a required detail to fill in to get your configuration at least

If you don't fill out the password, a lot of the dialog and automatic configuration will be broken.

You wanted me to check whether IMAP works. (Remember I wanted to distinguish based on domain.) I don't know how you want me to test whether IMAP works, without a password. You cannot know without an actual login attempt. We know that the IMAP server outlook.office.com exists and works. These settings we check for here are per domain and often even per individual user account, so there's no way to know other than actually trying to log in.

If we skip this check here, and we also skip the password verification later at the end of the dialog, then there's a very high chance that the user ends up with a non-working account configuration. The whole point of the dialog is to find a working configuration.

I don't think it's ok to change what the user selected

This code is called from foundConfig(), which is called at the end of the automatic configuration. It will not be invoked after the user changes the radio buttons from IMAP to POP3.

There's a real edge case in which the code is invoked from the manual config, and we test the config again. We only run this new code here for the specific Office365 / outlook.com servers, and these are typically autodetected, so it's a highly unlikely case, but I have a simple idea how to avoid this edge case and I'll make a new patch.

I don't think we want to have a per-hostname exception.

This dialog has as basic requirements, among others:

  • We must not show a config to the user that will eventually fail. To the user, we must propose only the configs (as default) that are known to work.
  • The user approval before logging in with password to an unknown IMAP server was a security measure, because we don't trust the network sources for configs.

Making the fix specific to the Microsoft server gets us out of this problem, and also adheres to Magnus' idea of checking whether the IMAP server works.

It also avoids that the patch has unintended side effects.

I see you went and made Exchange the first (==default) for the Microsoft domains in ISPDB

(I assume you mean outlook.com = Hotmail, what Microsoft calls "Personal accounts".)

Given the official documentation from Microsoft, that's just wrong. [Exchange is] not a supported option: https://support.office.com/en-us/article/pop-imap-and-smtp-settings-for-outlook-com-d088b986-291d-42b8-9564-9c414e2aa040

I don't know how you infer that from this document. The document only shows how to configure IMAP and POP3, which Microsoft itself in other documents calls "legacy protocols". It doesn't mean that other protocols are not supported.

Quite the opposite, Microsoft wants people to use their own protocols, not IMAP. Microsoft does advocacy to discourage IMAP.

And not just advocacy: Just while I was testing this patch, Microsoft blocked my @outlook.com account access, simply because I logged in from IMAP (they said "new device", but that's a false claim).

other clients are also using ISPDB and if they were not careful, they are now broken since exchange is listed as default.

The config file is defined so that we can add new types and new authentication mechanisms, and the client must ignore unknown types. If they are broken, they were broken from the start, and they've likely also been broken by earlier additions we made in the last few years.

I guess before we proceed any further, we need to define the desired agreed behaviour. No point submitting patches if that's not even clear.

I guess we have three cases:

  1. hotmail/outlook/live.com: They can all do IMAP and they can do Exchange as well, right? They are meant for personal use.
  2. office365.com: account works with IMAP (which needs to be tested somehow during the setup)
  3. office365.com: account won't work with IMAP (due to 2FA or other stuff).
    There might be cases where the user hasn't provided a password, so some detection may not work and we have more cases.

Current behaviour is that in cases 1.-3. Exchange is always offered and selected. That's not desired.

With Magnus' patch in case 1, Exchange is not offered. Is this the agreed behaviour? I tend to agree with Magnus here that this is agreed.
With Ben's patch in case 1, Exchange is offered but not selected. Or is this the agreed behaviour?

I can't test cases 2 and 3. From the discussion I assume that for 2. and 3. Exchange is offered and selected with Ben's patch, I could be wrong. I don't understand what Magnus' patch tries to implement since " B) IMAP/POP3 was chosen but authentication failed" doesn't make sense to me since at first, the user only fills in their details and then the system goes checking and offers a choice. And it shouldn't offer IMAP if the authentication already failed.

So let's be clear on what we want to do and then do it in a constructive fashion and with enough detail to understand each other and any others marginally involved like Aceman or myself.

Thanks, Jörg, for describing this clearly.

Case 1: hotmail/outlook/live.com

  • Exchange should not be offered by default. This was a bug, and I'm trying to fix that.
  • I think Exchange should be offered as non-default alternative, just like POP3. Exchange protocols work for these services, and the Owl implementation has certain advantages. E.g. people might want to use the calendar. However, I could compromise here.

Case 2: Office365 with IMAP available

  • This is where Magnus and I differ.
  • Magnus would like to default to IMAP. I can understand why, because IMAP is a free protocol.
  • I think that Exchange should be the default, because Microsoft actively discourages the use of IMAP on Office365, and does so more and more aggressively. More importantly, these enterprise users also need some contacts access and the calendar for internal team organization, as central meeting planning tool, to book conference rooms etc.. Lots of enterprise users heavily depend on the calendar. We have out of the box calendar support, it works without additional configuration. Also, my users keep asking for shared mailboxes, e.g. for inbox@ and support@ addresses, and Thunderbird has no UI for it, and I'm not sure Exchange/Office365 even exposes it via IMAP. These features are critical for enterprise users, and e.g. the Auswärtige Amt in Germany has cited exactly the calendar and collaboration tools as reason why they moved away from Thunderbird to Outlook, so these features do matter. Many Office365 enterprise users will generally want and need these features, so together with the fact that Microsoft actively discourages and impairs the use of IMAP, I think Owl should be the default for Office365.
  • Magnus and I agree that both IMAP and Exchange should be an option in this case, either way. The user should have the choice.
  • My earlier patch "Differentate based on domain" patch offered Exchange by default in this case. (Magnus rejected it for this reason for this bug here. The patch is still useful for other reasons, and does not conflict with other fixes here.) My latest patch here implements what Magnus wants, and goes against my own interests.

Case 3: Office365 without IMAP working

  • Exchange should offered, and the only option. I think Magnus and I agree on this.
  • For usability, we must not offer options to the user and let him make choices which then do not work. So, my latest patch tests whether IMAP works before we let the user make a choice.

B) IMAP/POP3 was chosen but authentication failed" doesn't make sense to me since at first, the user only fills in their details and
then the system goes checking and offers a choice. And it shouldn't offer IMAP if the authentication already failed.

Exactly

Well, looks like we almost agree:

Case 1: hotmail/outlook/live.com: Select IMAP, offer POP, no Exchange.
Case 2: Office365 with IMAP available: Offer IMAP, POP, Exchange. Default yet to be determined. I'd be happy with Exchange. People are already on the Microsoft boat and whoever wants IMAP can just click it. Or we make IMAP the default and then we're 100% sure that people selecting Exchange made the deliberate choice.
Case 3: Office365 without IMAP working: Offer and select Exchange (offer POP?).
Case 4: No password given: Treat like case 2 since we can't test IMAP in that case, right?

So it should be possible to agree on the default in case 2 and then propose a mutually acceptable patch.

This issue has made a few waves and pre-selecting Exchange for unsuspecting hotmail/outlook/live.com users is quite ugly and we should fix it asap.

(offer POP?)

If IMAP is disabled, then POP3 is as well, for the same reasons.

We should fix it ASAP

Agreed.

I had a long discussion with Magnus about bug 1185366, bug 1592258 and bug 1594366. Here's a summary for this bug:

Meanwhile changes to the ISPDB have landed to mitigate the issue:
https://autoconfig.thunderbird.net/v1.1/hotmail.com
https://autoconfig.thunderbird.net/v1.1/office365.com
https://autoconfig.thunderbird.net/v1.1/outlook.com

All "personal" use Hotmail/Live domains will now received IMAP preselected with Exchange also shown. Case 1. I think it would be good to remove the Exchange option from the ISPDB configuration right now.

Outlook.com and O365 can't be distinguished right now, see bug 1185366, and even when that bug lands, "old" clients before and including TB 60 won't be fixed. So let's assume a "new" client of TB 68 for the following. Since with such a client Outlook.com and O365 can be distinguished, outlook.com can receive the same treatment as its other "personal" use friends.

It remains to decide what to do for O365, three options exist in cases where IMAP works:
a) Only show IMAP
b) Select IMAP and offer Exchange as an option
c) Select Exchange and offer IMAP as an option
In cases where IMAP doesn't work, only Exchange should be shown (also no POP3 since that equally wouldn't work).

We'll discuss the "product placement" of option b) and c) further at the appropriate level.

@Magnus: If you accept my comment 43, I can make the changes discussed in comment 42. This is waiting for your acceptance right now.

Can we do something here in time for TB 68.3 in early December? For this to happen it needs to ship in TB 71 beta 4 in about a week from now.

If it misses TB 68.3, the drama will be dragging on until 68.4 in January of 2020.

Flags: needinfo?(mkmelin+mozilla)
Keywords: regression

Disclaimer - I am a Thunderbird user - have been for years - and am also a Principal Engineer in a large finance firm.

As the person who reported 1597580, let me state my disappointment in the behaviour of some members of the Thunderbird development team.

Many open-source advocates constantly criticise Microsoft for embedding advertising and up-sells into their products and here we have Thunderbird, a product (originally?) from the Mozilla Foundation, up-selling paid-for commercial add-ons inside the codebase.

I mean - refer to questions such as: https://support.mozilla.org/bm/questions/1265452 from users trying to understand why they have plugins installed which are only a trial. How is this building trust with the community!?

Not only that, but I echo the surprise that two members of the development team were able to peer-approve this commit without oversight.

In my opinion, if you need Exchange support and your organisation has disabled IMAP, then you should use the web browser version until there's an open-source Exchange client inside Thunderbird.

I completely understand that people need to earn money, but sneaking in paid-for add-ons into open source codebases isn't the way to do it.

In my opinion, if you need Exchange support and your organisation has disabled IMAP, then you should use the web browser version until there's an open-source Exchange client inside Thunderbird.

We have many many users which strongly disagree with you on that. They are very happy that this addon exists, and that they can continue to use Thunderbird. We received many emails with thank-you notes.

Please all follow the BMO guidelines and etiquette and keep to the technical aspect. The fact is that due some unfortunate circumstances Thunderbird was shipped offering the Exchange protocol via the Owl add-on to users that didn't need it. This has already partly been fixed, that is users of Hotmail/Live/Outlook accounts (with the exception of Outlook.com) will not be offered Exchange as default any more. We're working on further measures to fully rectify the situation, however, software has a release cycle and we can't just ship a new version for every issue we encounter.

Attached patch Try IMAP, v6 (obsolete) — Splinter Review
Attachment #9104934 - Attachment is obsolete: true
Attachment #9107100 - Attachment is obsolete: true
Attachment #9107100 - Flags: review?(neil)
Attachment #9107100 - Flags: review?(acelists)
Flags: needinfo?(mkmelin+mozilla)
Attachment #9110283 - Flags: review?(neil)
Comment on attachment 9110283 [details] [diff] [review] Try IMAP, v6 >+ selectAlternativeType(selectType) { I guess `onResultServerTypeChanged` can't use this function, can it? >+ config.incomingAlternatives.find(alt => alt.type == "exchange") && Nit: use `some` rather than `find`.
Attachment #9110283 - Flags: review?(neil) → review+

I guess onResultServerTypeChanged can't use this function, can it?

Unfortunately not, because it selects a specific config and not a config type.
Also, I tried to keep the patch here small and to the problem at hand.

Nit: use some rather than find.

Will do.

Attached patch Try IMAP, v7 (obsolete) — Splinter Review

Neil's NIT fixed.
This also fixes a number of Magnus' review comments.

Attachment #9110283 - Attachment is obsolete: true
Attachment #9110291 - Flags: review?(neil)
Attachment #9110291 - Flags: review?(neil) → review+
Comment on attachment 9110291 [details] [diff] [review] Try IMAP, v7 @Jörg: Could you please review this as well?
Keywords: checkin-needed-tb

I thought we already made it clear cross-reviewing changes related to Owl isn't at all ok.

Keywords: checkin-needed-tb

@Magnus: Yes, that's why comment 59. The keyword was only to put it on Jörg's radar.

What this patch does:

  • Because IMAP might work on some accounts and not others, in the same Office365 customer domain:
  • If there's both an IMAP config (default) and an Exchange config for Office365/Hotmail, check whether IMAP actually works for this account.
  • If yes, show IMAP as default. If IMAP does not work, show Exchange as default.

This is on top of v7. This is more aggressive and explicitly hides the Exchange config, if IMAP works.
Based on feedback from 2 council members, who suggested that this should be configurable via ISPDB, this is behavior is controlled by a new config flag fallbackOnly. If true for a given config, this behavior will be active.

The changed autoconfig URL has the new flag for Office365 (test with e.g. foo@beonex.onmicrosoft.com or any other Office365 account) and is for only for testing purposes for the reviewer. It's not supposed to land, just a convenience for the reviewer.

Attachment #9110378 - Flags: review?(neil)
Attachment #9110291 - Flags: review?(acelists)
Attachment #9110378 - Flags: review?(acelists)
Comment on attachment 9110378 [details] [diff] [review] If IMAP works, hide Exchange - v1, based on v7 > // IMAP worked >+ () => { >+ config.incomingAlternatives = config.incomingAlternatives.filter( >+ config => !config.fallbackOnly >+ ); >+ resultCallback(config); >+ }, > // IMAP login failed > ex => { > // IMAP config didn't work, so make Exchange the default IMHO the IMAP worked callback could use an additional comment like the one above e.g. `// IMAP config worked, so remove any fallback config`. > The changed autoconfig URL has the new flag for Office365 (Seems strange to demonstrate it that way around, but what do I know?)
Attachment #9110378 - Flags: review?(neil) → review+

Both patches are ready to land, if a third developer approves

Whiteboard: Ready to land, once approved by a third developer

Remove ISPDB hunk, use HG header. Ready to land.

r+ by Neil carried over from last patch.

Attachment #9110378 - Attachment is obsolete: true
Attachment #9110378 - Flags: review?(acelists)
Attachment #9110520 - Flags: review?(acelists)
Attachment #9110520 - Attachment description: If IMAP works, hide Exchange - v2, based on v7 → If IMAP works, hide Exchange - v2 - apply on top of Try IMAP v7
Attachment #9110520 - Flags: review+
Attachment #9110291 - Flags: review?(alessandro)
Attachment #9110520 - Flags: review?(alessandro)

If there's both an IMAP config (default) and an Exchange config for Office365/Hotmail, check whether IMAP actually works for this account.

Good.

If yes, show IMAP as default. If IMAP does not work, show Exchange as default.

If IMAP doesn't work, why show it at all? You want to provide a non-working option? Or you want the user to confirm that it really doesn't work?

This is on top of v7. This is more aggressive and explicitly hides the Exchange config, if IMAP works. ... controlled by a new config flag fallbackOnly.

Good. Once shipped and adopted, we can drive the behaviour externally.

Seems strange to demonstrate it that way around, but what do I know?

What did Neil mean here? Did he mean to have a flag "alwaysShow".

If IMAP doesn't work, why show it at all? You want to provide a non-working option? Or you want the user to confirm that it really doesn't work?

Yes, exactly, that was one of the thoughts I had.
Another was being "tactful".
Lastly, I'd need to remove POP3 as well, because I know that POP3 will not be enabled in Office365, if IMAP is disabled, because I've seen the policy setting available to Office365 admins that disable IMAP, and I know they also disable POP3. I don't want to actively test whether POP3 works with a second login attempt, because there's no point and it would actually be actively harmful to do so in some cases. But I don't know how this would be regarded by the reviewers, it might be a point of discussion, and I just wanted this to go smoothly, so I tried to leave this question out of the patch.

Seems strange to demonstrate it that way around, but what do I know?

What did Neil mean here?

I asked him offline and he was just referring to the test data. He was expecting me to showcase with outlook.com, and I showcased with Office365. So, based on that, my test autoconfig now also has such a fallback config for outlook.com. The comment was not referring to the patch itself.

@Jörg: Given that you're in here anyway: If you (or anybody else) could approve this, I'd be grateful. We can land this ourselves, if you prefer to not touch a commandline and hg and patches during your well-deserved vacation.

Attachment #9110291 - Flags: review?(alessandro)
Attachment #9110291 - Flags: review?(acelists)
Attachment #9110520 - Flags: review?(alessandro)
Attachment #9110520 - Flags: review?(acelists)

The discussion we had in the Thunderbird council about this came to the conclusion that we want to get back to the state that was previously agreed on: only offer exchange if that truly was the only found option. We will not offer exchange to Office 365 users nor to other Microsoft mail services. (If there are users that want it, they should install Owl first through the add-ons manager and Owl can then make exchange available.)

Attachment #9110291 - Flags: review-
Attachment #9110520 - Flags: review-

Please don't abuse the review flags: use the feedback flags when it's not a valid review we're talking about.

Whiteboard: Ready to land, once approved by a third developer

https://github.com/thundernest/autoconfig/pull/13 is now up and will mitigate this bug across all branches.
What's left for this bug, is a patch to filter out exchange from found account types if other account types were found.

Back to square 1 (without a backout).

Assignee: ben.bucksch → mkmelin+mozilla
Attachment #9110291 - Attachment is obsolete: true
Attachment #9110520 - Attachment is obsolete: true
Attachment #9110650 - Flags: review?(alessandro)
Comment on attachment 9110650 [details] [diff] [review] bug1592258_exchange-back-to-square1.patch As I've stated many times, many Office365 users do not have IMAP enabled. This change will break them. The autoconfig wizard should not offer configs that do not work, if there are others that are known to work. Your patch breaks that. Furthermore, your patch here is directly against the TB Council decision on this matter. You yourself requested above in comment 14: "if Exchange was available, AND the normal IMAP/POP auth failed: that would be the appropriate place to advertise this alternative." This is what my patches implemented. And they work exactly as requested, by you in this statement, and by the TB Council.
Attachment #9110650 - Flags: review?(alessandro) → review-

Look, I'm implementing the council decision now. I understand you don't like it, but this is what we clearly decided. We almost unanimously passed the motion to:

** Remove exchange option for free accounts (Hotmail/Outlook). Remove exchange option for Office365 as well - “back to original terms” **

I don't know how this could be any clearer.

Attachment #9110650 - Flags: review- → review?(alessandro)
Attachment #9110378 - Attachment is obsolete: false
Attachment #9110520 - Attachment is obsolete: false

This is ridiculous, can you stop playing with the flags.

Attachment #9110378 - Attachment is obsolete: true
Attachment #9110520 - Attachment is obsolete: true
Comment on attachment 9110650 [details] [diff] [review] bug1592258_exchange-back-to-square1.patch > I'm implementing the council decision now. No, you do not. TB Council decision says: "Exchange should only be advertised to the user if the other supported protocols such as IMAP are not available." For many Office365 users, IMAP is not enabled, so we're testing that. You yourself asked that in comment 14. That's what I do. My patch implements exactly that. Your patch removes known working configs and advertises configs that will not work. That makes no sense.
Attachment #9110650 - Flags: review-
Comment on attachment 9110650 [details] [diff] [review] bug1592258_exchange-back-to-square1.patch This utterly ridiculous. The **communicated** Thunderbird Council instructions were: **Exchange should only be advertised to the user if the other supported protocols such as IMAP are not available.** This had agreement from five people. NOW STOP BEHAVING LIKE THIS. IF THE COUNCIL COMMUNICATED THIS INCORRECTLY, THEY SHALL FIX THIS FIRST.
Attachment #9110650 - Flags: review?(alessandro)
Attachment #9110520 - Attachment is obsolete: false
Attachment #9110291 - Attachment is obsolete: false

I'm not here to debate alternative solution options at this point. The decision was, explicitly, to remove exchange also for office 365.

There is no contradiction with comment 77. For Office 365, IMAP is available.

Attachment #9110291 - Attachment is obsolete: true
Attachment #9110520 - Attachment is obsolete: true
Attachment #9110650 - Flags: review- → review?(alessandro)

(In reply to Magnus Melin [:mkmelin] from comment #78)

For Office 365, IMAP is available.

So why do we have bug bug 1528136 on file then?

And can you please explain why you need this code change at all? Remove the exchange options from
https://autoconfig.thunderbird.net/v1.1/outlook.com and
https://autoconfig.thunderbird.net/v1.1/office365.com and you're done. What am I missing?

I did exactly what you asked for in comment 14: "if Exchange was available, AND the normal IMAP/POP auth failed: that would be the appropriate place to advertise this alternative". I don't understand why you now claim the exact opposite.

Remove exchange option for free accounts (Hotmail/Outlook). Remove exchange option for Office365 as well

For the record, I checked the text of the official TB Council decision as communicated to me (Philipp Kewisch on behalf of TB Council, 2019-11-20 00:07 CET), and this is sentence is not part of it. Rather, the sentence I and Jörg quoted: "Exchange should only be advertised to the user if the other supported protocols such as IMAP are not available". That's what I implemented.

For Office 365, IMAP is available.

It's disabled for many domains, or even for specific users within the domain.
I have tons of users in support here who have Office365 accounts and are saying the exact opposite of what you claim.

If IMAP is indeed working and enabled, then my patches do exactly what you want. We show only IMAP and not Exchange. My patches have an effect only for those Office365 users who cannot use IMAP.

Comment on attachment 9110650 [details] [diff] [review] bug1592258_exchange-back-to-square1.patch Still under discussion. So let's not jump to conclusions here.
Attachment #9110650 - Flags: review?(alessandro)

I'd like to understand Magnus' patch better. Magnus, can you please answer the following question:

From comment #80: Q1: Can you please explain why you need this code change at all? Removing the exchange options from
https://autoconfig.thunderbird.net/v1.1/outlook.com and
https://autoconfig.thunderbird.net/v1.1/office365.com does the trick, no?

I see that you've written in comment #71:
https://github.com/thundernest/autoconfig/pull/13 is now up and will mitigate this bug across all branches.
What's left for this bug, is a patch to filter out exchange from found account types if other account types were found.

"Filter out exchange from found account types if other account types were found" - Q2: Why is that necessary if the exchange type is removed from the ISPDB?

From comment #78: For Office 365, IMAP is available.
Why do we have bug bug 1528136 on file? Q3: Is that not a reason why IMAP is sometimes not available?

Ben wrote on the TB Council list (non-public) (quote):
It's disabled for many domains, or even for specific users within the domain. I have tons of users in support here who have Office365 accounts and are saying the exact opposite of what you claim. In fact, that's the very reason why I started Owl: To help those Office365 (and Exchange) users who cannot use IMAP.
Q4: Do we dismiss this empirical data or do you think it is false?

And related to Q2: IMHO a solution that hardcodes the behaviour of the software is not desirable for the obvious reason that it is inflexible since needs to be rolled out in the next release and then we have to wait for user adoption. I suggested to implement something that can be controlled via the ISBDB across all client which include the change. Q5: How does your solution fit into this?

Kindly reply to my questions Q1 to Q5 and then we can assess your solution further. If you don't mind, I will do the review in order not burden Alex by pulling him into this discussion. Since I'm on PTO, I'll only occasionally check the bug for progress, so please drop a line on the Council list.

(In reply to Jorg K (GMT+1) (PTO to 1st Dec 2019, not reading bugmail) from comment #83)

From comment #80: Q1: Can you please explain why you need this code change at all?

Yes, like I wrote in comment 71, not too much left to do in this bug. The patch ensures we do not show exchange for on premise exchange when IMAP and/or POP are available.

"Filter out exchange from found account types if other account types were found" - Q2: Why is that necessary if the exchange type is removed from the ISPDB?

See answer to Q1.

From comment #78: For Office 365, IMAP is available.
Why do we have bug bug 1528136 on file? Q3: Is that not a reason why IMAP is sometimes not available?

IMAP is always available. If it's working or not is a secondary issue - and verifying that is the next step in the wizard.

Q4: Do we dismiss this empirical data or do you think it is false?

I would be interested in numbers. That there is only 26 persons on cc of bug 1528136 does tell you something when the number of people setting up such accounts are in the 6 figure range monthly!

Either way, it's irrelevant for what the council decision was: to get back to square one.

And related to Q2: IMHO a solution that hardcodes the behaviour of the software is not desirable for the obvious reason that it is inflexible since needs to be rolled out in the next release and then we have to wait for user adoption. I suggested to implement something that can be controlled via the ISBDB across all client which include the change. Q5: How does your solution fit into this?

Eh, the very patch proposed by Ben hardcodes a outlook.office365.com into the source code. Basically unprecedented! Where is the flexibility in that? Given we release every 6 weeks at least, and going to start doing so even more frequently, the user wait period is usually not that long to do such changes in-client (when we release every 4 weeks, avg. would be 2 weeks).

Implementing client specific behaviour in ispdb is certainty against the philosophy behind that code: it's not meant to be Thunderbird only (though yes, catering for Thunderbird's needs), and in fact, sadly, Thunderbird only accounts for a fraction of the traffic.

(In reply to Magnus Melin [:mkmelin] from comment #84)

Yes, like I wrote in comment 71, not too much left to do in this bug. The patch ensures we do not show exchange for on premise exchange when IMAP and/or POP are available.

I think that detail is really not needed. We don't need to preach IMAP to people who are already on the M$ boat heading to their on-premise Exchange server. Why be even more hardlined than we've ever been?

IMAP is always available. If it's working or not is a secondary issue - and verifying that is the next step in the wizard.

OK, so what does the wizzard do if IMAP fails in the next step? Anything useful that would allow the user to create a working account setup? Funny that we're arguing about "available" vs. "working" now.

I would be interested in numbers.

I'm sure Ben can supply numbers.

Either way, it's irrelevant for what the council decision was: to get back to square one.

There is a new Council motion on the way. Even if we implemented the one you're referring to, removal from the ISPDB would be sufficient.

Eh, the very patch proposed by Ben hardcodes a outlook.office365.com into the source code. Basically unprecedented!

Really? How about:
https://searchfox.org/comm-central/rev/f40fe7e4be1d5dc5bd90c831a0bf87d354f3e74b/mail/extensions/openpgp/content/modules/wkdLookup.jsm#28
https://searchfox.org/comm-central/rev/f40fe7e4be1d5dc5bd90c831a0bf87d354f3e74b/mailnews/imap/src/nsImapProtocol.cpp#7340
https://searchfox.org/comm-central/rev/f40fe7e4be1d5dc5bd90c831a0bf87d354f3e74b/mailnews/mailnews.js#546
https://searchfox.org/comm-central/search?q=Gmail&case=true&regexp=false&path=
Office365 is becoming a global mail provider like Gmail, so I don't have a problem with hardcoding the domain where relevant. That said: We might want to move the string into a pref, like we've done for the Openwave thing I've referenced above.

Implementing client specific behaviour in ispdb is certainty against the philosophy behind that code: it's not meant to be Thunderbird only (though yes, catering for Thunderbird's needs), and in fact, sadly, Thunderbird only accounts for a fraction of the traffic.

The ISPDB was invented for Thunderbird account setup and has been so successful that other clients are using it to, for example my Android app FairEmail. IMHO there's nothing wrong adding certain attribution to certain entries that a client may or may not process. Maybe we should consult the inventor of the ISPDB about its underlying philosophy.

(In reply to Jorg K (GMT+1) (PTO to 1st Dec 2019, not reading bugmail) from comment #85)

I think that detail is really not needed. We don't need to preach IMAP to people who are already on the M$ boat heading to their on-premise Exchange server. Why be even more hardlined then we've ever been?

We're not any more hardlined. That was how it was before this bug: only show exchange if other protocols failed. That applied to on-premise exchange too.

As I already stated elsewhere: you're talking about different users. It's hardly the Thunderbird users who chose the O365 setup and then went to the trouble of disabling IMAP. That's a bad decision by their admin.

OK, so what does the wizzard do if IMAP fails in the next step? Anything useful that would allow the user to create a working account setup?

The usual: alerts the user about the situation, with potentially helpful information. They may easily have set the wrong password and would try again. Depending on situation and technical skill-set, can also make sure IMAP gets enabled.

There is a new Council motion on the way. Even if we implemented the one you're referring to, removal from the ISPDB would be sufficient.

It's not, as per my previous answer to Q1.

Really? How about:
There's not even any server dns names in your queries (except for in the still-wip-pgp code).

IMHO there's nothing wrong adding certain attribution to certain entries that a client may or may not process.

The proposition was to add a setting essentially saying if it should be usually shown or not. That's not an attribution a client may or may not posses.

Comment on attachment 9110650 [details] [diff] [review] bug1592258_exchange-back-to-square1.patch I believe this patch is not needed for the following reasons: 1) If https://github.com/thundernest/autoconfig/pull/13 is merged, no provider in the ISPDB will advertise Exchange ability. 2) It restricts the flexibility of what we can drive via the ISPDB since would hard-code removal of the Exchange option unconditionally. Besides, you're coding for a fictitious case, see point 1) and point 3). 3) You're saying that you want to remove the Exchange option also for on-premise servers. Can you show a real life example of such a server where this would be necessary. Exchange support was added to the ISPDB and not publicised, so I doubt that any company-provided configuration file, like https://autoconfig.ticino.com/mail/config-v1.1.xml (took a wile to find one in the first place) would list the ISPDB option. And if they did, why do you think it's a good idea for Thunderbird to remove that option? We know better than the site administrator? We want to teach them what is the right protocol? Let me know what I'm missing. Further to your comment: >> OK, so what does the wizzard do if IMAP fails in the next step? Anything useful that would allow the user to create a working account setup? > The usual: alerts the user about the situation, with potentially helpful information. They may easily have set the wrong password and would try again. Depending on situation and technical skill-set, can also make sure IMAP gets enabled. Aha, "potentially" helpful information. Of which kind exactly? If they mistyped the password, with Ben's patches, IMAP is still available, the user can select it and enter the correct password. "Make sure IMAP gets enabled" - that's wishful thinking. I know from first hand experience that whole organisations **force** users onto using the Outlook client (since the have a contract with Microsoft) and will under no circumstances enable IMAP. Once again, Ben's solution suggests Exchange and leaves IMAP as an option, so if the user is not convinced by the choice, they can try IMAP just to confirm that the suggestion was the only viable option.
Attachment #9110650 - Flags: review-

(In reply to Jorg K (GMT+1) (PTO to 1st Dec 2019, not reading bugmail) from comment #87)

Let me know what I'm missing.

You miss that this also gets called for results from guessConfig, i.e. the auto detection (guessing by name, probing and all that). I doubt there are many intra configuration files you'd find where someone would have listed exchange and others.

So, with no configuration file found - but guessed configuration found - you'd easily end up with an on-premise exchange that has IMAP+POP enabled. For this case, we should show IMAP/POP just like we used to.

Aha, "potentially" helpful information. Of which kind exactly? If they
mistyped the password, with Ben's patches, IMAP is still available, the user
can select it and enter the correct password.

[with the patch] After they figured out we "helpfully" auto selected exchange for them!?

a contract with Microsoft) and will under no circumstances enable IMAP.

Then there would be no problem, because they would not end up there and exchange is the only option. We're talking about O365 now where IMAP is enabled by default.

Magnus wrote:

We're talking about O365 now

That's not what your patch does.

That was how it was before this bug: only show exchange if other protocols failed. That applied to on-premise exchange too.

That is not true, and it's clear to anyone who understands what your patch does. As the first words in comment 0 show, we're trying to fix a regression caused by bug 1571772, which was on Office365 and Hotmail. The effects on Hotmail were completely unintended and already fixed by bug 1185366. This leaves Office365 here, and the TB Council is currently discussing that.

Your patch removes options for on-premise Exchange that were there long before bug 1571772. And it's clear from your patch that it's deliberate. That's one reason why I called on the TB Council.

Jörg wrote:

Why do we have bug bug 1528136 on file? Q3: Is that not a reason why IMAP is sometimes not available?

FYI, that is a possible reason, but there are a number of other reasons why IMAP might be deactivated and not available. Microsoft offers so many different ways in so many different places and angles and reasons to disable IMAP. In effect, many users cannot use IMAP.

I know from first hand experience that whole organisations force users onto using the Outlook client (since the have a contract with Microsoft) and will under no circumstances enable IMAP.

Ditto. I was in the same situation, on Office365, in several different organizations. Many other people are in the same situation, I read that in support emails, from novices to highly technical users like software engineers, and it's getting increasingly worse instead of better.

Magnus wrote:

IMAP is always available. If it's working or not is a secondary issue

Now you're down to just playing with words. Something that doesn't work isn't available, no. A technical device that's sitting in front of you physically and is broken and not working is not "available". This is especially true when that device was deliberately deactivated by someone. It's then exactly not available.

Jörg wrote:

OK, so what does the wizzard do if IMAP fails in the next step?

That's exactly the problem. Without my patch, we would show "wrong password", which makes the user try other passwords. That's a complete disaster. We can't have that. I'm not going to show non-working configs to the user and then tell him "password wrong". That's a complete no-go.

That's why my patch is written the way it is.

(In reply to Magnus Melin [:mkmelin] from comment #88)

(In reply to Jorg K (GMT+1) (PTO to 1st Dec 2019, not reading bugmail) from comment #87)

Let me know what I'm missing.

You miss that this also gets called for results from guessConfig, i.e. the auto detection (guessing by name, probing and all that). I doubt there are many intra configuration files you'd find where someone would have listed exchange and others.

Hmm, "guess config" doesn't process config files, it guesses server names, like imap.domain.com, mail.domain.com, etc. and then does the probing.

As I said: Assuming we remove the exchange options form the ISPDB, your patch is not necessary. I'm also confused by the last paragraph of your comment #88:

We're talking about O365 now where IMAP is enabled by default.

I feel silly repeating it one more time: To address O365, no code change is necessary, this can be done via the ISPDB. How many times do we need to repeat that some setups via O365 have IMAP disabled? Or are you denying that as well? Apart from an unhelpful error message the user would be left stranded needing to get Owl or ExQuilla from ATN.

As Ben pointed out, your patch also affects on-premise servers, which is not desired. This bug was to rectify the Hotmail/Live/Outlook/O365 situation and I don't know why the configuration for on-premise servers has suddenly also become a target.

I can't apply another r-, but this comment here needs to be added to my review comments in comment #87.

(In reply to Ben Bucksch (:BenB) from comment #89)

Your patch removes options for on-premise Exchange that were there long before bug 1571772.

If that's the case it was never agreed upon. Exactly when did that sneak in? Showing exchange ONLY when it's the only option is what we agreed upon. Anything else needs to be ripped out.

Magnus wrote:

IMAP is always available. If it's working or not is a secondary issue
Now you're down to just playing with words.

No, but you're trying to take the word out of its context. It's available as in: available as one found option.

(In reply to Jorg K (GMT+1) (PTO to 1st Dec 2019, not reading bugmail) from comment #90)

As I said: Assuming we remove the exchange options from the ISPDB, your patch is not necessary.

It is, otherwise we still show exchange for cases POP/IMAP is available, as I already explained.

I feel silly repeating it one more time: To address O365, no code change is necessary, this can be done via the ISPDB.

Then merge the PR, as I've suggested.

How many times do we need to repeat that some setups via O365 have IMAP disabled? Or are you denying that as well? Apart from an unhelpful error message the user would be left stranded needing to get Owl or ExQuilla from ATN.

Some functionality require an add-on to be installed. Product placement of Owl was never agreed upon for any such case.
I don't think there official statistics on how many setups have IMAP disabled.

As Ben pointed out, your patch also affects on-premise servers, which is not desired.

Reason being?

This bug was to rectify the Hotmail/Live/Outlook/O365 situation and I don't know why the configuration for on-premise servers has suddenly also become a target.

Just because that might have gone unnoticed in comment 0, it doesn't mean we shouldn't address it since it was found while analysing the scenarios.

Both your ISPDB PR 13 and your patch here are going to prevent users from using Thunderbird, because both actively suppress the Exchange config, even for Office365 users that cannot use IMAP. That's breaking users.

My patch gives maximum exposure to IMAP: It shows IMAP users who can use it, and Exchange (plus IMAP) for the others. That's exactly what the Council demanded from me. I simply implemented the Council's wishes.

(In reply to Magnus Melin [:mkmelin] from comment #92)

It is, otherwise we still show exchange for cases POP/IMAP is available, as I already explained.

I think this is fairly hypothetical since this would only be the case for on-premise setups which are unlikely to offer both IMAP and Exchange. Does anyone have any data on that?

Then merge the PR, as I've suggested.

If the Council decides to kick it out altogether in the follow-up vote, I'm sure it will be merged. If we hadn't held up proceedings, the solution could now be on trunk and TB 71 beta 4 ready to get into 68.3 on the 2nd of Dec.

Just because that might have gone unnoticed in comment 0, it doesn't mean we shouldn't address it since it was found while analysing the scenarios.

So you're re-badging the bug as regression of bug 1500105 which you approved yourself? I thought we're here to fix the last remnants of the bug 1571772 mess-up.

Attached image aalto-fi-TB68.png (obsolete) —

Magnus did some experiments with his provider who uses Exchange of some description. I don't have an account there, but I tried anyway.

In TB 68.3 (pre-release) somehow the domain login password box popped up, that might have come from bug 1518155. However, in the end no Exchange/Owl is offered. Hmm. Seems to be independent of whether an invalid password is entered or no password is entered.

EDIT: Same behaviour on trunk, BTW.

Re comment 93, filed as bug 1598861.

You mean comment #96.

Alias: Owl-O365
Summary: autoconfig offers Exchange (and selects it by default!) even if standard protocols IMAP/SMTP setup is found and available → autoconfig offers Exchange (and selects it by default!) even if standard protocols IMAP/SMTP setup is found and available (Office 365)
Comment on attachment 9106331 [details] [diff] [review] bug1592258_exchange-fix.patch OK, in the meantime a test domain with e-mail accounts at O365 arrived: jorgk@open.click. Currently IMAP and POP3 are disabled there, so with Ben's patches I get Exchange preselected. Magnus patch shows IMAP/POP3 and clicking "Done" I get a failure with "Unable to log in at the server. Probably wrong configuration, username or password". And now the Exchange option shows up. Hmm, I guess the message is wrong and hence confusing. I'll enable IMAP/POP3 now and test again.
Attachment #9106331 - Attachment is obsolete: false
Attachment #9106331 - Flags: feedback+ → feedback-
Attached image Magnus-step1.png (obsolete) —

With Magnus' patch: Step 1: Offering IMAP/POP3 which isn't working.

Attachment #9111031 - Attachment is obsolete: true
Attached image Magnus-step2.png (obsolete) —

With Magnus' patch: Step 2: Showing semi-misleading message and offering Owl, but not selecting it.

IMHO, that's really bad UX.

Attached image Ben-no-imap.png (obsolete) —

With Ben's two patches: Selects Exchange when IMAP isn't working.

Attached image Ben-with-IMAP.png (obsolete) —

With Ben's two patches: Selects IMAP if working. Doesn't show exchange:
Disclaimer, picture provided by Ben. I can't get this to work on the open.click domain. Apparently the MX lookup that would send it to the https://autoconfig.thunderbird.net/v1.1/mail.protection.outlook.com file via this MX record openclick.mail.protection.outlook.com
https://mxtoolbox.com/SuperTool.aspx?action=mx%3aopen.click&run=toolpage#
doesn't work for me. I get totally non-working guess config where it doesn't even display a decent server name.

In the normal case that you typoed the password, the messages are perfectly alright.

I've seen no data enforced MFA would be even a very common case, and it would be extraordinary if it was the majority. It's not the default configuration of your O365 account, and the comparative small number of people subscribed to bug 1528136 would say optimizing for that case is just wrong.

https://venturebeat.com/2018/08/22/global-survey-reveals-low-adoption-of-multi-factor-authentication-for-office-365/ cites 20 % of users using it. Even with steady adoption from there, you're still pretty far from half which would be an absolute minimum for the auto-selection to make any sense.

A lot of companies changed to MFA even in the last 3 months, even more so since 2018. Such old numbers are pointless for a hot topic like this.

But MFA is only one reason why IMAP might not work. You can also specifically disable IMAP in Exchange. Many companies do that, because they expect their users to use MS Outlook. I know that's not the case for your University account, but it's been the case for all orgs where I had Exchange accounts in the last years. They all had IMAP disabled.

I tried to get some numbers on this, and I ran a survey of Exchange servers myself (over 22000 servers contacted), and the vast majority have IMAP disabled, with ports completely closed or timeout.

Even with the IMAP port open, we can't know whether IMAP would work for a given user, because Exchange is extremely configurable and can disable stuff on multiple levels and reasons. For example, for the Office365 test accounts I created for you, IMAP port is open, but IMAP still is disabled for the user. And it's also blocked per auth policy rules, which is yet another setting. The accounts do not have MFA enabled, and IMAP port is open, but it still doesn't work.

In the normal case that you typoed the password

That is not the normal case. The normal case is that IMAP is disabled.

The situation before autoconfig was that I would enter data, and I would get "wrong password", even though some config setting is wrong. That made setting up the account so difficult. Autoconfig fixed all that.

The autoconfig dialog helps you find the right configuration that works for you. That's its purpose in life.
We cannot show a config by default that won't work. The job of the dialog is to figure that out.

I've just re-tested the v7 patch with the 2 Office365 test domains, one has IMAP disabled on multiple levels, and the other has IMAP enabled, and they both work as expected. They have IMAP selected by default, if IMAP works for that user, otherwise Exchange.

Comment on attachment 9113096 [details] [diff] [review] Try IMAP, v7 - same as previous v7, but setting pref for testing. Same as previous v7, but setting pref for testing. We still need attachment 9110520 [details] [diff] [review] to hide Exchange.
Attachment #9113096 - Attachment description: Try IMAP, v7 → Try IMAP, v7 - same as previous v7, but setting pref for testing.

(In reply to Ben Bucksch (:BenB) from comment #106)

A lot of companies changed to MFA even in the last 3 months, even more so since 2018. Such old numbers are pointless for a hot topic like this.

So you have better data for O365? I can't find any news MFA adaption skyrocketed the last 12 months.

I tried to get some numbers on this, and I ran a survey of Exchange servers myself (over 22000 servers contacted), and the vast majority have IMAP disabled, with ports completely closed or timeout.

Irrelevant, since we're discussing O365 now.

In the normal case that you typoed the password

That is not the normal case. The normal case is that IMAP is disabled.

Eh, no. For O365, IMAP is on by default.

We cannot show a config by default that won't work.

If the password is wrong, it won't work for exchange either. Yet you want to select it automatically.

The possibility of the user entering invalid data is not an excuse for us to show users who entered the right data a non-working config.
If the user indeed entered the wrong password, we check that later on, and still allow him to correct the mistake and then select IMAP manually.

If you think a wrong password is likely, we should re-run the config, after the user corrected the password. We already do that now when he corrected the email address. That solves the case you mentioned, because we'd then discover that IMAP works with the new password, and preselect that. It would also solve AutoDiscover and the username field, the latter should be made disappear as well. So, I think that's a good point.

Filed as bug 1600954, because that is an independent issue. It should take care of this wrong password case you mentioned. It also helps in other cases.

Filed as bug 1600954

It has a patch (which should land independently of this bug), which also takes care of the wrong password case here.

Comment on attachment 9110650 [details] [diff] [review] bug1592258_exchange-back-to-square1.patch After some recent discussion and some related bugs having landed, I'm coming back to this patch. This is not a viable solution for the following reasons: 1) It introduces a two-step process which constitutes bad UI. The reason for doing so it that the user error "wrong password" case is optimised, although it is 4-10 times less likely than IMAP being blocked for other reasons, like MFA turned on or IMAP turned off. What should be optimised is the more likely case were IMAP isn't working for those reasons. Wrong password mitigation can be found in bug 1600954, which I suggest to land first. 2) After landing bug 1598861 this would totally hide the Exchange protocol from servers which are advertising it exclusively. While it's a good idea to show the user the standard protocols if available, it's not a good idea to turn a server reply on its head. Please restrict the action of this patch to what the bug is trying to address: Account setup at O365. 3) The solution is hard-coded and not configurable via the ISPDB.
Attachment #9110650 - Flags: review-
Attached patch bug1592258_exchange-fix.patch (obsolete) — Splinter Review

Implement Alex's suggestion. That is, run the logon verification already before we show the config we found. If config failed, include exchange in the available account types. The first standard protocol (IMAP) is still selected, and it's up to the user to try another one. The user is shown an error message, which we will improve on trunk (improvement not included in this patch).

This patch also runs re-ordering of the account types of the config so we ensure not to end up with pre-selected exchange when other standard protocol options are available.

Yes, this patch also affects on-premise exchange.

Attachment #9106331 - Attachment is obsolete: true
Attachment #9110961 - Attachment is obsolete: true
Attachment #9112997 - Attachment is obsolete: true
Attachment #9112999 - Attachment is obsolete: true
Attachment #9113001 - Attachment is obsolete: true
Attachment #9113003 - Attachment is obsolete: true
Attachment #9117227 - Flags: review?(alessandro)
Comment on attachment 9117227 [details] [diff] [review] bug1592258_exchange-fix.patch I need to review this patch myself. There are important security considerations here, see comment 39. This has code changes all over the place, compared to my patch, which hooks up only in one place. So, code quality is low.
Attachment #9117227 - Flags: review?(alessandro) → review?(ben.bucksch)
Attachment #9117227 - Flags: review?(ben.bucksch)
Attachment #9117227 - Flags: review?(alessandro)
Attachment #9117227 - Flags: feedback?(ben.bucksch)

Jörg wrote in comment 113:

  1. two-step process ... constitutes bad UI
  2. Please restrict the action .. to address: Account setup at O365.
  3. configurable via the ISPDB

Magnus' latest patch fixes point 1, but still fails points 2 and 3.

FWIW, my patch "Try IMAP, v7" fixes all of the above.

Comment on attachment 9117227 [details] [diff] [review] bug1592258_exchange-fix.patch Review of attachment 9117227 [details] [diff] [review]: ----------------------------------------------------------------- Magnus, you know that Ben is the initial author and of the account setup code and owner of this code (see Council discussion of Nov. 2019). He's also the inventor of the ISPDB. I don't know why you keep degrading his role here. That said, we were aiming for a solution to fix the O365 issues and not suppress Exchange for on-premise servers, especially after adding IMAP/POP3 like for Aalto.fi. A configurable solution would also be desirable.
Attachment #9117227 - Flags: review?(jorgk-bmo)
Attachment #9117227 - Flags: review?(ben.bucksch)
Comment on attachment 9117227 [details] [diff] [review] bug1592258_exchange-fix.patch Review of attachment 9117227 [details] [diff] [review]: ----------------------------------------------------------------- On a high level, what needs to be fixed in this patch: * We know that IMAP is disabled for many Office365 users. Your patch tests whether IMAP works, which is good. But even if IMAP *fails*, it still defaults to IMAP. It shows an error message "Config, username or password wrong", and requires the user to figure out what's wrong and how to solve it. You've tested IMAP and you *know* it doesn't work. You're showing a non-working config as default. That's a no-go. Experience shows that non-technical end users have severe difficulties figuring this out and will often be frustrated and abort altogether. The default config must work for all users who entered the right data. This is a basic principle of the dialog (see comment 39). * We cannot send passwords to random IMAP servers that AutoDiscover found, without user approval. Together with the requirement to not show IMAP configs for Office365 unless we know they work, and this means we need to make the test only for Office365 servers. We presume that outlook.office365.com with valid SSL is not an attacker. (If it is, then the attacker would likely be the government.) * The patch has code changes all over the place. My patch was adding only 2 lines to the normal code path for hookup, and 2 isolated functions which embody the logic. * It hardcodes everything. One request coming from multiple TB Council members, and frequent recommendation, was to make this configurable per ISPDB. Your solution hardcodes everything in the code, leaving no way to change it without a new TB release and slow deployment. Policy question: * Your patch does not leave users the choice. Owl has existing paid users. You are not allowing them to use Owl (i.e. to set up an new account in the same way they did before), even if they want to use it and already paid for it. If this is an Exchange server, and the server specifically asks to use Exchange protocols, it should at least be an non-default option. It's good and fine to make a recommendation that works well, but we should allow the user to override it. I see no reason to denying users the possibility to do so. It's not your place to dictate on end users. We leave users the choice. ::: mail/components/accountcreation/content/accountConfig.js @@ +331,5 @@ > + return 0; > + }); > + this.alternatives = alternatives; > + this.incoming = alternatives.shift(); > + }, You're hard-coding policy here. This is better expressed in the ISPDB. ::: mail/components/accountcreation/content/emailWizard.js @@ +196,5 @@ > * That means, before you actually use the config (e.g. to create an > * account or to show it to the user), you need to run replaceVariables(). > */ > this._currentConfig = null; > + this.showExchange = false; This flag is unnecessary. It should be handled as part of the config object. See my patches how to do that in a simple way. @@ +802,2 @@ > e("status-area").setAttribute("status", "result"); > + let alts = [config.incoming, ...config.incomingAlternatives]; This should be in a separate function. Putting it in a function allows the code reader to understand what this is about, and which exact code parts are for this purpose. Also, the input and output is clearer defined, if it's a separate function. @@ +902,5 @@ > }, > > showErrorMsg(errorMsg) { > gEmailWizardLogger.warn("error " + errorMsg); > + _show("status-area"); This will have wide-ranging consequences on other code. Please put it into the caller, so that it's clearer why you need it. Likely, that will then show that something's wrong in the code flow. @@ +992,5 @@ > + alt => > + alt.type == "imap" || > + alt.type == "pop3" || > + (this.showExchange && alt.type == "exchange") > + ); This is the 3. time in the patch that you filter for IMAP and/or Exchange. It's really difficult to understand why you do that, even when looking at the patch and knowing your goal. It will be even harder for a reader who is looking at the dialog for other reasons. @@ +1002,5 @@ > + this._currentConfig.incomingAlternatives.unshift( > + this._currentConfig.incoming > + ); > + this._currentConfig.incoming = config.incoming; > + } Ditto @@ +1011,5 @@ > _hide("result_select_pop3"); > _hide("result_select_exchange"); > for (let alt of alternatives) { > _show("result_select_" + alt.type); > + // XXX: we should stop putting configIncoming on the element. Please remove the comment. There's nothing wrong with that. Instead of expressing options with a string value, it's more expressive to put the actual config on it. @@ +1186,5 @@ > .classList.add("insecure"); > } > } > > + let configFilledIn = this.getConcreteConfig(); This is a good change, to move this line down here. @@ +1363,5 @@ > * should only be available after the config probing is completely finished, > * replacing what was the (Stop) button. > */ > onManualEdit() { > + this.manualEditingMode = true; This is a remnant of your old patch, and not necessary. Please remove it. @@ +2067,5 @@ > function(e) { > // failed > // Could be a wrong password, but there are 1000 other > // reasons why this failed. Only the backend knows. > + // If we got no message, then something other than verifyLogon failed. Please avoid unnecessary changes.
Attachment #9117227 - Flags: review-
Attachment #9117227 - Flags: feedback?(ben.bucksch)
Attachment #9117227 - Flags: feedback-

(In reply to Jorg K (GMT+1) (PTO to 5th Jan 2020, sporadically reading bugmail) from comment #117)

Magnus, you know that Ben is the initial author and of the account setup
code and owner of this code (see Council discussion of Nov. 2019). He's also
the inventor of the ISPDB. I don't know why you keep degrading his role
here.

To put some facts behind this, please visit these links:
https://hg.mozilla.org/releases/comm-esr10/filelog/tip/mailnews/base/prefs/content/accountcreation/fetchConfig.js
https://hg.mozilla.org/releases/comm-esr10/filelog/tip/mailnews/base/prefs/content/accountcreation/guessConfig.js
(I'm sure there is more)
https://wiki.mozilla.org/Thunderbird:Autoconfiguration, author Ben B
https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration, author Ben B

Comment on attachment 9117227 [details] [diff] [review] bug1592258_exchange-fix.patch I while ago, I've asked Ben why we couldn't remove the `config.incoming.hostname == "outlook.office365.com"` bit from his patch. You can find his answer in comment #118, in the dot point starting with "We cannot send passwords to random IMAP servers that AutoDiscover found". So based on this alone, this solution won't fly. I'm taking the liberty to remove r?Alex since this is overall not a patch that's ready to land. Personally I ask myself whether we should stop further fruitless iterations here and take the matter back to the Thunderbird Council for a decision.
Attachment #9117227 - Flags: review?(jorgk-bmo)
Attachment #9117227 - Flags: review?(ben.bucksch)
Attachment #9117227 - Flags: review?(alessandro)
Attachment #9117227 - Flags: review-

(In reply to Jorg K (GMT+1) (PTO to 5th Jan 2020, sporadically reading bugmail) from comment #117)

Comment on attachment 9117227 [details] [diff] [review]
bug1592258_exchange-fix.patch

Review of attachment 9117227 [details] [diff] [review]:

Magnus, you know that Ben is the initial author and of the account setup
code and owner of this code (see Council discussion of Nov. 2019). He's also
the inventor of the ISPDB. I don't know why you keep degrading his role
here. That said, we were aiming for a solution to fix the O365 issues and
not suppress Exchange for on-premise servers, especially after adding
IMAP/POP3 like for Aalto.fi. A configurable solution would also be desirable.

As a commercial interest who practices "self dealing for self enrichment", bucksch has no role here.
You have no authority to flip review flags, nor any authority to override the module owner. You have actually destroyed any semblance of governance on this project, making stuff up as you go along, seemingly taking 'sheriff' as a Wild West literal interpretation.

Study hard the lesson given by hsivonen and ms2ger in Bug 650776.

TL;DR: Magnus' patch unconditionally recommends IMAP in all cases, even for an Office365 user that cannot use IMAP, and throws an "wrong config or password" error message to the user, and leaves it up to the user to figure out what to do. This is not what the TB Council asked. It is also patently unhelpful for end users, and I've rejected it on that basis.

My patch v7 specifically recognizes Office365, tests whether IMAP works, and if it does, defaults to IMAP, and otherwise defaults to Exchange. This patch was implemented as direct result to the request from the TB Council. It always defaults to a working configuration. My code is also a lot smaller and more confined.

(In all cases, it allows the user to make another choice. If you want to hide Exchange in case IMAP works, I've also created a patch for that.)

We've created a test build (based on Dec 12 trunk code) that demonstrates my patches:

  • Linux (tested), Windows, Mac
  • We created Office365 test accounts with and without IMAP enabled, specifically to test this bug, and I can send credentials on request by mail.

My negative review of Magnus' patch was based on simple reasons and principles that existed long before Owl even existed, e.g. as stated on Yahoo. The principle that it needs to work for all users and not just a part of the users is common sense.

My patch would suggest IMAP for those who can use it, and Exchange for those users who cannot use IMAP, so it's actively leading users to free protocols, while still helping people to use Thunderbird who cannot use IMAP.

(In reply to Jorg K (GMT+1) (PTO to 5th Jan 2020, sporadically reading bugmail) from comment #120)

I while ago, I've asked Ben why we couldn't remove the
config.incoming.hostname == "outlook.office365.com" bit from his patch.
You can find his answer in comment #118, in the dot point starting with "We
cannot send passwords to random IMAP servers that AutoDiscover found".

That password is already sent to get the autodiscover.xml (now, even since exchange support landed). You're grasping at straws that don't exist.

There's no need for a policy in ispdb. What would that say? I can assure you we would not accept a policy that would not use IMAP when that's available. Are you saying you would? In the unlikely event a policy would be set up, that can be handled at that point.

Ben is not "the owner of this code". This is Thunderbird code, nobody's else. He's free to give feedback, but I have no intention of waiting for a r+ he won't give due to his commercial interests in not seeing that happen.

(In reply to Ben Bucksch (:BenB) from comment #122)

TL;DR: Magnus' patch unconditionally recommends IMAP in all cases, even for an Office365 user that cannot use IMAP, and throws an "wrong config or password" error message to the user, and leaves it up to the user to figure out what to do. This is not what the TB Council asked.

The council wanted Alex to figure out a plan. That plan is now coded in the patch.

Attachment #9117227 - Flags: review?(alessandro)

Ben is not "the owner of this code".

For the record, that is factually untrue. I am the legal owner of the code in question. I own the copyright and merely allowed Thunderbird and others to use the code.

Ben is not "the owner of this code".

From the Council list:
Subject: Re: [tb-council] Code Contributions

On 12 Nov 2019 12:32, Magnus Melin wrote:

There is no copyright assignment of code at Mozilla. Code remains in the ownership (or is it co-ownership?) of their original authors, except for when done under contract with Mozilla. But of course, the original owners have to agree to license the code under the MPL.

So which one is it?

The council wanted Alex to figure out a plan. That plan is now coded in the patch.

The Council asked Alex to take a look with the aim to potentially mitigate the conflict. I have actually responded to Alex plan and haven't heard anything back. Alex hasn't been empowered to approve a patch that removes the Exchange option where the server offers it exclusively. As Ben said, even users what have Owl installed won't be able to set up an account now. Please don't burden Alex with a decision that even seven councillors couldn't resolve so far.

I'm not sure how Alex' review would help right now. Ben pointed out some technical issues as the original author of the code. I don't assume you're going to land the code in case Alex gave you an r+, or is that the plan?

Apologies for the lack of answers in the email thread, I got the flu and I've been trying to push forward with other bugs, but that's not an excuse for the lack of communication, so, apologies again.

I wrote in the email my suggestion from a UX point of view, which is:

  • We should NOT rely on a 3rd party add-on to complete the account setup process. Thunderbird should be able to handle that all by itself.
  • Asking the user to install a 3rd party add-on to complete a core process is not good, especially if the user ends up not needing the add-on at all.

The argument of "We recommend the Add-On because it's the only way for us to be sure that IMAP doesn't work and the password is correct" is not a good argument for me, and it shows an issue in the Thunderbird core that should be addressed, without relying on a 3rd party add-on.

Now, I'm the first to admit that my technical knowledge in this scenario is limited, but I trust Magnus' decision and expertise, so I will test this extensively the best I can, and I will leave my review.

Alex, the problem with Magnus' patch is that it recommends (defaults to) IMAP even for those Office365 users who have IMAP disabled or cannot use it due to MFA. This is a large chuck of the Office365 users. For them, IMAP will not work, and Magnus' patch still defaults to IMAP and shows an error message 'wrong config, username or password'. Many users will see "wrong password" and try to fix this, although the password was indeed correct, so this message is actively misleading end users on the wrong path.

Notably, Magnus' patch is showing the wrong config and a misleading error message for users who entered the correct (!) data. This would happen for a significant part of the affected users.

This is directly counter to what the TB Council wrote, namely to default to Exchange for users who cannot use IMAP.

Yes, we all agree that needing an add-on to determine a bad password is not ideal. However, as I said in my e-mail reply, we should optimise the more likely case. Maybe in 5% of cases the password is entered incorrectly, even less these days with the eye icon. In mid-2018, 20% of IMAP was not functional due to MFA, and the trend has been on the rise. So there are 4-10 times more cases of non-working IMAP than wrong password user error cases. And to optimise your system for the user error case while badly serving a user group that is much larger is not good UX.

We can also display an info message when preselecting Exchange after a failed IMAP test. Details below.

For those who are included to read it, here's my last post on the internal thread:

Initial investigation has shown that the M$ IMAP server only replies "LOGIN Failed" and doesn't not detail the failure reason. So we can't distinguish a user error of entering wrong credentials from an inherent system error that makes IMAP completely unavailable.

We should optimise the UX for the general case and not for the "user error" case. The general case it that IMAP is not working due to MFA or being disabled. We have data that this percentage was at least 20% in mid-2018, with indications that it is far higher presently. We can only estimate the "user error" case, with perhaps 5%, less likely these days, since users can and will check using the eye icon.

IOW: Based on numbers, we're comparing a "user error" edge case with perhaps an occurrence of perhaps 5% of the cases with a case that is becoming more an more standard, that is IMAP not available on the server side. The likeliness of the latter is 4-10 times higher, so it's pretty clear to me, which case should be optimised.

If I understand Alex' suggestion correctly, he wants to jump directly to Magnus' step 2 where this message is displayed: "Unable to log in at server. Probably wrong configuration, username of password". Now, that's pretty confusing as a first screen particularly with a "Done" button underneath.

Hence my suggestion: In non-ESR68 versions we can add strings pointing out that the system failed to establish an IMAP authentication and suggest remedies.

So what we should do for trunk is this, IHMO: Run the IMAP test like Ben suggests, and if it failed pre-select Exchange. At the same time, display an info(!!) message that expresses the following:

"The system tried setting up the account using the standard IMAP protocol and failed. It therefore selected Exchange as a protocol that is known to work. It is possible that the IMAP setup failed due to wrong credentials, so check the credentials before proceeding with Exchange" ... or words to that extent.

For TB 68 we can't ship that message, so we'll just have to pre-select Exchange. That's not really all that bad, since after installing Owl, the user gets the chance to correct his/her password, and then IMAP might work in the second round (bug 1600954). So for TB 68 we'll have the slightly long-winded solution to detect a wrong password, and in TB 73 going forward we'll have an appropriate message. Or let's say it in different words: If Owl is the tool to detect an incorrect password reliably, let's use it!

We should add telemetry probes to see how many people set up accounts, how many end up with Exchange and how many restart with corrected credentials, be it e-mail address, domain login user or password.

(In reply to Magnus Melin [:mkmelin] from comment #124)

That password is already sent to get the autodiscover.xml (now, even since exchange support landed). You're grasping at straws that don't exist.

Let me just say that your patch opens more opens more vulnerabilities. Please think to which servers you may send the password in the future and how attackers could fake those servers. Now that I've said this, the bug needs to be security restricted.

(In reply to Alessandro Castellani (:aleca) from comment #128)

Now, I'm the first to admit that my technical knowledge in this scenario is limited, but I trust Magnus' decision and expertise, so I will test this extensively the best I can, and I will leave my review.

Well, this bug needs someone with technical knowledge, otherwise there is no need to review it. It has double r- from the author and copyright owner of the account setup code and a Thunderbird peer. Even in case of a positive review, this must not land.

Besides, if you read my comment #130 carefully, you will see what should land on trunk. That's Ben's patch or patches with the addition of an info message explaining why Exchange was selected and that could have been selected due to an incorrect password. Also note the second paragraph of comment #129.

In an ideal world, we'd transplant the part of Owl that does the exact checking into TB, but that's a different issue.

Group: mail-core-security

I gave my recommendations and explained my reasons, but Ben and Jorg don't agree with my suggestions, and that's OK.
I understood the problem, so writing "This is not good because...<reasons>" over and over will not bring us anywhere.
Reiterating the same concepts is not productive, so please stop.

I think we all have a good grasp of what's the problem, and the approach to solve it differs for a matter of opinions, not misunderstanding.

Opinion 1 - Don't offer Exchange preselected because:

  • We can't be 100% sure that IMAP doesn't work. (I know that with OWL we can know this, so please don't write it again)
  • We don't want to encourage the installation of a 3rd party add-on that might not be needed.

Opinion 2 - Offer Exchange preselected because:

  • Even if IMAP works and it was only a credentials issue, we will know that for sure thanks to Owl.
  • We won't offer an error message with a "Done" button to the user, which it can be confusing.

Both are suboptimal solutions which shouldn't be used, but we have to fix it somehow in 68.
Since my suggestion is not accepted by Ben and Jorg, I really don't know what to do here anymore. You asked for my opinion, I gave it to you, you don't like it, so we're stuck again.

Scratch this and actually solve the problem

In an ideal world, we'd transplant the part of Owl that does the exact checking into TB, but that's a different issue.

This seems to be the only logical solution to pursue. Why don't we do that?
If Owl has the ability to actually give us an accurate answer for login and config, why don't we integrate it in TB?
I think this is in the good interest of everyone:

  • TB - We know for sure what to suggest to the user because the response is accurate.
  • Ben - We won't have any reservation in suggesting Owl to the user since we know for sure that's needed.
  • User - No dead ends.

I think we should focus on this, instead of keep battling between opinion 1 and 2, which is clear it won't bring us anywhere.

Comment on attachment 9117227 [details] [diff] [review] bug1592258_exchange-fix.patch Review of attachment 9117227 [details] [diff] [review]: ----------------------------------------------------------------- This kinda works bug it's not quite there yet. **What works:** * With an O365 account with IMAP disabled it shows the Exchange option, with config error. * With an O365 account with IMAP enabled it doesn't show the Exchange option. **What doesn't work:** * "Configuration found in Mozilla ISP Database" message is shown but not a loader or another "Waiting..." message is visible, the UI looks stuck. We should not show a successful message if the autoconfig or login attempt is still running in the background. * Changing the password should reset the dialog to the initial status in order to allow the re-run of the autoconfig. Like suggested in bug 1600954. I think we should integrate it here because is quiet vital to allow users to test again their configuration after changing the password, without the necessity of accessing the Manual Config view.
Attachment #9117227 - Flags: review?(alessandro) → feedback+

Reiterating the same concepts is not productive, so please stop.

Well, I'm happy to stop reiterating the same argument the minute that you acknowledge that you're comparing apples with pears. You're comparing a user error edge case which is rather unlikely with a very common case. If we can't have a perfect solution, we should have one that works well in the more likely use case. That's what you said during our call, IIRC. I even tried to mitigate any exchange selection confusion by clearly displaying an info message. Whilst TB cannot accurately tell whether we're dealing with a user error case, the user most likely can. Sadly in your deliberation you have ignored that suggestion, as you have ignored my e-mail to the people involved here.

So in absence of any acknowledgement, the only option I have is to repeat the point. So please adhere to efficient and productive communication before telling others to mend their ways :-(

The patch here has the five problems: 1) It opens an additional vulnerability 2) It affects on-premise Exchange servers 3) It has a UX issue in that a non-functioning option is presented 4) Existing Owl users can't set up a new account 5) it has implementation issues.

Yes, I repeated that now, but again, you didn't address these concerns directly related to the new patch.

I saw a new comment just came in in which you report on testing with the O365 test accounts. That's insufficient since the patch also affects on-premise Exchange accounts where after bug 1598861 the "authoritative" server reply will now be completely ignored. Also, please comment on comment #118, last dot point "Policy question".

If Owl has the ability to actually give us an accurate answer for login and config, why don't we integrate it in TB?

We'd essentially put Owl into Thunderbird. It needs to parse web pages to get this specific error. The auth code is highly complex and we constantly improve it. I agree it would be nice, if this was possible, but it's 100x too complex for that. (That 100x is not hyperbole, but an actual value based both on code size and frequency of changes.)

I think I can resolve at least one core opinion question you posed:

Alex wrote:

Opinion 1 - Don't offer Exchange preselected ...
Opinion 2 - Offer Exchange preselected ...

This question has been discussed by the TB Council, and the Council has ruled on it. We will offer Exchange preselected, where appropriate.

Note what Magnus wrote in comment 14:

if Exchange was available, AND the normal IMAP/POP auth failed: that would be the appropriate place to advertise this alternative.

That's exactly what I implemented.

I've also fixed bug 1600954 based on Magnus' feedback here. I've honestly tried.

(In reply to Jorg K (GMT+1) (PTO to 5th Jan 2020, sporadically reading bugmail) from comment #131)

(In reply to Magnus Melin [:mkmelin] from comment #124)

That password is already sent to get the autodiscover.xml (now, even since exchange support landed). You're grasping at straws that don't exist.

Let me just say that your patch opens more opens more vulnerabilities. Please think to which servers you may send the password in the future and how attackers could fake those servers. Now that I've said this, the bug needs to be security restricted.

You realize that "fixing" that would require gutting out the exchange detection entirely, right? It can't detect a thing without sending credentials.
But it's not a security issue, you're just being purposely misled. We're sending credentials, over a secure connection, to the domain you want to set up an account for. If the server is compromised, you're out of luck, but there's no way to prevent that.

Re policy question: Owl (when already installed) can perfectly well enable showing the exchange option, don't you think?

Group: mail-core-security

Yes, I realise that some attack vectors exist due to the Exchange detection. Please don't remove the security flag from a bug that discussed vulnerabilities. That really doesn't serve anyone. I'll send you information one an additional attack vector your patch introduces in a PM.

Group: mail-core-security

(In reply to Jorg K (GMT+1) (PTO to 5th Jan 2020, sporadically reading bugmail) from comment #134)

The patch here has the five problems:

  1. It opens an additional vulnerability

Nothing additional. And no vulnerability.

  1. It affects on-premise Exchange servers

It does, but for those it's not even a question of working IMAP or not.
Ben even told Owl could check imap and uninstall if working. In the case for on premise exchange, it will be working and with the patch we even verified the login. I don't see an issue here.

  1. It has a UX issue in that a non-functioning option is presented

Which might work after changing the password.

  1. Existing Owl users can't set up a new account

Owl can implement that part. Less than 10 lines of code?

  1. it has implementation issues.

I'll look at the additions, but those are minor.

(In reply to Magnus Melin [:mkmelin] from comment #139)

Nothing additional. And no vulnerability.

Sent as PM.

It does, but for those it's not even a question of working IMAP or not.
Ben even told Owl could check imap and uninstall if working. In the case for on premise exchange, it will be working and with the patch we even verified the login. I don't see an issue here.

The issue you keep ignoring is that after bug 1598861 the "authoritative" server reply will now be completely ignored. There is no mandate for this.

Which might work after changing the password.

Correct, it might work. But it certainly will not work in the majority of cases. Not even you deny that. Or do you claim that more than 20% of users mistype the their password? 20% was apparently uptake of MFA according to a mid-2018 study. I know, you convinced most people by now that the "wrong password" case is of paramount importance while ignoring my suggestion to show a message when Exchange is auto-selected alerting to user to checking the password before proceeding.

(In reply to Jorg K (GMT+1) (PTO to 5th Jan 2020, sporadically reading bugmail) from comment #140)

The issue you keep ignoring is that after bug 1598861 the "authoritative" server reply will now be completely ignored. There is no mandate for this.

Funny you should mention this. Suggestion: look at the autodiscover.xml response from the O365 test account where IMAP is enabled.
Spoiler alert: no IMAP listed. Does IMAP work? Oh yes it does. So you're saying Microsoft misconfigured their main world wide server?

Hmm, I don't see any relation to the bug at hand. We already landed bug 1598861 to add "missing" IMAP for AutoDiscover responses. O365 accounts in TB are driven via the ISPDB via autoconfig XML files.

Just to answer what seems like a further attempt to distract: Yes, Micro$oft make Exchange, they sell O365 and Outlook, they classified IMAP as insecure "legacy" protocol, the internet is full of M$-sponsored articles urging people to use MFA and not use IMAP, so why on earth would O365 list IMAP in the AutoDiscover response?

EDIT: Just guessing: Not showing IMAP even if working might be a default config for Exchange servers, that's what might have happened at Aalto.fi.

Attached patch Try IMAP and verify password, v8 (obsolete) — Splinter Review

alexca wrote in comment 132:

Scratch this and actually solve the problem

This patch is in direct response to Aleca's suggestion in comment 132, and tries to implement Aleca's suggestion.

We've found a way to check whether the password is valid, for Office365, independent of IMAP and MFA enabled or disabled. That means if you enter a wrong password, we should detect that even before we try IMAP. This allows the user to correct it, then we try IMAP again, and if IMAP is enabled, it can be selected by default.

This considers Magnus concern about the "wrong password" case, solves it in the way Alecs suggested, and should resolve the bug here.

Attachment #9113096 - Attachment is obsolete: true
Attachment #9117584 - Flags: review?(alessandro)
Attachment #9117584 - Flags: feedback?(neil)

Try builds:

Comment on attachment 9117584 [details] [diff] [review] Try IMAP and verify password, v8 Review of attachment 9117584 [details] [diff] [review]: ----------------------------------------------------------------- I think this is the right direction, but unfortunately this patch breaks a bunch of things. **What doesn't work** * Setting up a regular IMAP account (non O365) doesn't seem to work anymore as the manual config is always returned. I tested it with my Fastmail account and correct credentials and it always goes to `Looking up configuration: trying common server names...` and failing. * Testing with an O365 account with IMAP enabled and WRONG password, the selection defaults to Exchange. It should show the "wrong credentials" error message. * The successful message `Configuration Found...` is showed prematurely on every occasion, leaving the user hanging without any feedback during the login attempt. That shouldn't be shown until the very end of every process. **What works** * Testing with an O365 account with IMAP disabled and WRONG password, the error correctly alerts the user of wrong credentials. * Testing with an O365 account with IMAP disabled and CORRECT password, the selection defaults to Exchange.
Attachment #9117584 - Flags: review?(alessandro) → review-

HI Alex,

thanks for looking into this.

  • Setting up a regular IMAP account (non O365) doesn't seem to work anymore as the manual config is always returned. I tested it with my Fastmail account and correct credentials and it always goes to Looking up configuration: trying common server names... and failing.
  • The successful message Configuration Found... is showed prematurely on every occasion, leaving the user hanging without any feedback during the login attempt. That shouldn't be shown until the very end of every process.

Thanks. I will look into these.

  • Testing with an O365 account with IMAP enabled and WRONG password, the selection defaults to Exchange. It should show the "wrong credentials" error message.

I tested that and that case worked for me and it did show the "username or password invalid" error message. I will check with you personally to find out why it didn't work for you.

Attached patch Try IMAP and verify password, v9 (obsolete) — Splinter Review

This should resolve the issues that Alex mentioned.

The case O365 account with IMAP enabled and WRONG password was probably failing due to caching (testing with working password before entering wrong password), so I disabled the cache now. That fixed it for me in my testing.

Attachment #9117584 - Attachment is obsolete: true
Attachment #9117584 - Flags: feedback?(neil)
Attachment #9118083 - Flags: review?(alessandro)
Comment on attachment 9118083 [details] [diff] [review] Try IMAP and verify password, v9 Review of attachment 9118083 [details] [diff] [review]: ----------------------------------------------------------------- This works as expected, as it doesn't interfere with a regular non-O365 account, and it returns Exchange pre-selected only if the credentials are correct and IMAP is disabled. I like this solution, as I think it covers all the possible scenarios and doesn't mislead users into something they don't need. Magnus, can you test this with your aalto.fi account and see how it behaves? Ben, can you please update the commit message to: "Bug 1592258 - Default to Exchange protocol for Office365 with IMAP disabled in emailWizard. r=aleca" (or maybe Jorg has a better suggestion) r+ for me, but of course, since the nature of this bug and its history, I'd recommend waiting for Magnus' additional review on this.
Attachment #9118083 - Flags: review?(mkmelin+mozilla)
Attachment #9118083 - Flags: review?(alessandro)
Attachment #9118083 - Flags: review+

I fixed a few comments and removed some commented-out code.
Checked linting.
Removed prefs hunk. For testing set mailnews.auto_config_url to https://www.beonex.com/autoconfig/test/.
Fixed commit message (and patch format).
Tested:

  • Setting up mail @jorgk.com
  • Setting up mail @Fastmail
  • O365 test accounts with and without working IMAP, both with correct and incorrect password.

I also found an issue :-( - I tested with magnus@openclick384.onmicrosoft.com, at first with the correct password. That defaulted to Exchange since for that account IMAP is disabled. Next I tried with a bad password. That gave the bad password message. Then I corrected the password and the panel doesn't actually clear the "invalid password" message. I thought changing the password should cause a complete "start over"? After correcting the password, I still got the same error. Maybe O365 had locked me out by then?

This patch has been around for a week and Magnus has been rather active during this time. So there was plenty of opportunity for a drive-by review.

This is the r+ from Alex, I'm happy to r+ it of you clear the message if someone changes the password. And maybe check what's happening with that account I mentioned.

Attachment #9118083 - Attachment is obsolete: true
Attachment #9118083 - Flags: review?(mkmelin+mozilla)
Attachment #9118117 - Flags: review+
Attachment #9118117 - Attachment is patch: true
Attachment #9118083 - Attachment is obsolete: false

I corrected the password and the panel doesn't actually clear the "invalid password" message. I thought changing the password should cause a complete "start over"?

Changing the password removes the existing config results, but does not immediately clear the error message. The message is cleared once you click "Continue" and we check the new config. This is what's intended, and also what I see. I'll attach a screencast of what I see, just in case you see something else.

Assignee: mkmelin+mozilla → ben.bucksch

I corrected the password and the panel doesn't actually clear the "invalid password" message. I thought changing the password should cause a complete "start over"?

As Ben said, changing the password reverts back to the start panel in case the Protocol selection or the Manual config panels are visible.
The error message shouldn't be cleared until the user triggers the autoconfig again, as it's important to have a reference of what went wrong until the user is satisfied with the changes made to the typed info.

Attachment #9118117 - Flags: review?(mkmelin+mozilla)
Comment on attachment 9118117 [details] [diff] [review] Try IMAP and verify password, v9 (JK) OK, I cleared the lock-out for magnus@openclick384.onmicrosoft.com by logging in via the web interface at https://www.office365.com. So it works again like during my first test. (In reply to Alessandro Castellani (:aleca) (PTO to 17th Jan 2020, sporadically reading bugmail) from comment #152) > As Ben said, changing the password reverts back to the start panel in case the Protocol selection or the Manual config panels are visible. > The error message shouldn't be cleared until the user triggers the autoconfig again, as it's important to have a reference of what went wrong until the user is satisfied with the changes made to the typed info. I'm not sure that I agree 100% here, but hey, I'm not the UX guy. So for me this is good to go. I'll stick an additional r+ onto it, so one from Alex and one from me.
Attachment #9118117 - Flags: review+
Comment on attachment 9118117 [details] [diff] [review] Try IMAP and verify password, v9 (JK) Review of attachment 9118117 [details] [diff] [review]: ----------------------------------------------------------------- Would you mind setting up a test account with MFA enabled? I don't think we got one of those, or then I misplaced it.

We didn't have one of those yet.

@Magnus: If you test this, please make sure to apply my patch in attachment 9118083 [details] [diff] [review], not Jörg's.

Would you mind setting up a test account with MFA enabled?

Sure. I just set one up, and sent you the credentials by email.

Comment on attachment 9118117 [details] [diff] [review] Try IMAP and verify password, v9 (JK) Review of attachment 9118117 [details] [diff] [review]: ----------------------------------------------------------------- Seems to work. I'll attach an updated patch with the below changes. For future reference, the header with MFA: - (MFA enforced, right pw) X-AutoDiscovery-Error: LiveIdBasicAuth:RecoverableAuthFailure:<UNH:1247853834><RequestId=af0d125f-6314-4d06-b0a4-0075def05911><UIPH:-786506447><X-forwarded-for:-786506447><PTS:False><UP:0><BlockStatus:8><RST2-Business-0ms-188ms-0ms-ppserver=PROD-AMS2-005.ProdSlices rid:aa3c847d-34b1-4455-bac7-5ad19bc72800-puid=><LiveIdSTS-LogonFailure-RecoveryPossible-'<S:Fault xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:FailedAuthentication</S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason><S:Detail><psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"><psf:value>0x80048823</psf:value><psf:internalerror><psf:code>0x80048823</psf:code><psf:text>AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.</psf:text></psf:internalerror></psf:error></S:Detail></S:Fault>'><UserType:ManagedBusiness><LogonFailed-recoverable><RecoverableLogonFailed>; - (MFA enforced, wrong pw) X-AutoDiscovery-Error: LiveIdBasicAuth:InvalidCreds:<UNH:1247853834><RequestId=e89b87cf-c84e-4678-a9a5-195da9de11d8><UIPH:-786506447><X-forwarded-for:-786506447><PTS:False><UP:0><BlockStatus:8><RST2-Business-0ms-143ms-0ms-ppserver=PROD-AMS2-013.ProdSlices rid:a884d6e6-ed6a-44a7-8f2a-784ef0d43f00-puid=>LiveIdSTS-LogonFailure-'0x80048821'<Tarpit><UserType:ManagedBusiness><LogonFailed-BadPassword><RepeatedBadPassword>; ::: mail/components/accountcreation/content/emailWizard.js @@ +808,5 @@ > }, > > /** > + * For Office365, see whether IMAP works by trying to log in. > + * If it fails, make the Exchange config the default. this should mention that why we do this is only due to MFA possibly being enabled @@ +825,5 @@ > + ) > + ) { > + resultCallback(config); > + return; > + } Please move this if clause to the call site. We don't need yet anther layer of callbacks to make the code less readable. @@ +885,5 @@ > + }, > + successCallback, > + ex => { > + let err = fetch._request.getResponseHeader("X-AutoDiscovery-Error"); > + console.log("Auth fail reason: " + err); let's use same logging as usual in this file
Attachment #9118117 - Flags: review?(mkmelin+mozilla) → review+

Will land this shortly, then we can deal with the other issues in other bugs.

Attachment #9110650 - Attachment is obsolete: true
Attachment #9117227 - Attachment is obsolete: true
Attachment #9118083 - Attachment is obsolete: true
Attachment #9118117 - Attachment is obsolete: true
Attachment #9118306 - Flags: review+

https://hg.mozilla.org/comm-central/rev/a5a26b1ee9ecaa232a01eea49a1cba758a05778b

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 73.0
Attachment #9118306 - Attachment is patch: true

this should mention that why we do this is only due to MFA possibly being enabled

MFA is only one reason why IMAP might not work. There are several other reasons. IMAP can also be explicitly disabled.

Please move this if clause to the call site. We don't need yet anther layer of callbacks to make the code less readable.

Given this code is only for Office365, I put it into a separate function instead of putting it all in a common function which had another purpose.

Apart from that, thanks for landing this.

Status: RESOLVED → VERIFIED
Attachment #9118306 - Flags: approval-comm-esr68?
Attachment #9118306 - Flags: approval-comm-beta+
status-thunderbird72: --- → fixed
status-thunderbird73: --- → fixed
Target Milestone: Thunderbird 72.0 → Thunderbird 73.0
Comment on attachment 9118306 [details] [diff] [review] ben-office365-try-imap-1592258-10.diff The ISPDB change also needs to happen
Attachment #9118306 - Flags: approval-comm-esr68? → approval-comm-esr68+

The ISPDB change also needs to happen

Yes. The fix here needs to deploy first, though.

Group: mail-core-security → core-security-release

Magnus is attempting to back out the patch here in bug 1528136, with attachment 9135402 [details] [diff] [review]. As mentioned repeatedly here and to the TB Council, the patch here was not only for MFA, but also for several other cases where IMAP is disabled or the user cannot use Thunderbird IMAP for other reasons. The most obvious is that admins can and do disable IMAP on Office365. There are various other options as well. Office365 is extremely configurable, and companies do use this in various ways to restrict access to only the "supported" configuration (usually Windows + MS Outlook plus Outlook Web Access plus ActiveSync), which means it's very hard to tell why a certain login does not work. This patch is still needed, even with MFA support for IMAP on Office365.

Owl supports 3 native Exchange protocols, so this is still helpful for people who cannot use Thunderbird with the native IMAP.

Magnus, this backout is in direct violation of TB Council decisions.

You keep claiming that only MFA users needed this, but this is factually wrong, as I've stated a number of times here in this very bug. There are a number of reasons why it might not work, e.g. IMAP being disabled by the domain admin, but also other custom configurations. I've even provided test Office365 accounts that show this exact behavior. You consistently ignore the facts, and you keep pretending that these cases do not exist.

This backout had an r- by me, who wrote most of this module and also still maintains this module, so it cannot land. In addition, your backout is also in direct violation of standing TB Council decisions. The TB Council decision had considered not only the MFA case, but also the disabled IMAP case and the custom configurations.

Most importantly, your backout breaks a certain set of users by offering a non-working config by default. We don't do that. This backout is simply destructive. The fix for this bug here is still needed.

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: