Bad pop3 login method - "Sending of username did not succeed" in 128.4.0esr and 129.0b6, worked in 115
Categories
(MailNews Core :: Networking: POP, defect)
Tracking
(thunderbird_esr128 affected)
People
(Reporter: mail, Assigned: gds)
References
(Regression)
Details
(Keywords: regression)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Steps to reproduce:
Bad pop3 login method
(See Wireshark records below)
When using Thunderbird 128 / 129 in combination with a German "KimClientmodul", the authentication fails. It worked with Thunderbird 115.
KimClient modules are certified and based on the gematik standard. See:
https://gemspec.gematik.de/docs/gemSpec/gemSpec_CM_KOMLE/gemSpec_CM_KOMLE_V1.18.0/#3.1 (German Language) for the newest specification.
Thunderbird is often used by medical doctors in the German area to handle medical communication via KIM (Kommunikation im Medizinwesen).
Actual results:
Login failed with 128 and 129. "Sending of username did not succeed"
Wireshark:
+OK <1e301107.1730283217537@localhost> POP3 server (KOM-LE Clientmodul) ready
CAPA
+OK
TOP
USER
SASL PLAIN
UIDL
.
AUTH PLAIN
-ERR
QUIT
+OK POP3 Server (KOM-LE Clientmodul) signing off.
Log output:
pop3.server1.1: Got an error name=pop3UsernameFailure, the server said: Pop3Client.sys.mjs:1573:18
_actionError resource:///modules/Pop3Client.sys.mjs:1573
_actionAuthPlain resource:///modules/Pop3Client.sys.mjs:916
_onData resource:///modules/Pop3Client.sys.mjs:367
Expected results:
Wireshark for 115, working:
+OK <f91e3f39.1730280771862@localhost> POP3 server (KOM-LE Clientmodul) ready
CAPA
+OK
TOP
USER
SASL PLAIN
UIDL
.
USER hasomed.test.hanno@arv.kim.telematik-test#10.30.8.6:995#616123400-M#616123400-C#616123400-AP
+OK
PASS xxxxxxxxxxxxxxxxxxxxxxx
+OK Welcome hasomed.test.hanno@arv.kim.telematik-test
STAT
+OK 15 56114
LIST
+OK 15 56114
1 3579
2 3739
3 3743
4 3973
5 3742
6 3733
7 3733
8 3733
9 3738
10 3732
11 3730
12 3738
13 3736
14 3738
15 3727
.
UIDL
+OK unique-id listing follows
1 0000005b6551faeb
2 0000005e6551faeb
3 0000005f6551faeb
4 000000606551faeb
5 000000616551faeb
6 000000656551faeb
7 000000676551faeb
8 000000686551faeb
9 0000006a6551faeb
10 0000006c6551faeb
11 0000006d6551faeb
12 0000006f6551faeb
13 000000706551faeb
14 000000726551faeb
15 000000746551faeb
.
QUIT
+OK POP3 Server (KOM-LE Clientmodul) signing off.
Comment 1 • 1 month ago
I guess that would be from bug 1897045
Comment 2 (Reporter) • 1 month ago
Yes, that's it. The commit clearly changed it.
When Thunderbird receives the -ERR, does it not retry with the next method (as seen in the referenced commit) automatically?
Comment 3 (Assignee) • 1 month ago
It looks like the server is saying it supports AUTH PLAIN, but when it receives it, it returns the -ERR response. So that looks like a server bug.
However, TB doesn't fall back to using USERPASS like it should, so that seems like a TB bug.
I need to do some detailed tests using my POP3 dovecot server in a while. (In a power outage right now.)
Comment 4 (Assignee) • 1 month ago
I don't see anything in the specs for your POP3 server that indicates it doesn't support PLAIN authentication (and it claims it does in the CAPA response).
If you could paste in the shift-ctrl-j log it might show something more. For example, here's my Dovecot server log with the TB code modified to send an unsupported AUTH PLAIN command (AUTH PLAINgds).
01:56:22.016 pop3.server45.3: C: CAPA Pop3Client.sys.mjs:573:20
01:56:22.069 pop3.server45.3: S: +OK
CAPA
TOP
UIDL
RESP-CODES
PIPELINING
AUTH-RESP-CODE
USER
SASL PLAIN EXTERNAL CRAM-MD5 GSSAPI SCRAM-SHA-256
.
Pop3Client.sys.mjs:351:18
01:56:22.070 pop3.server45.3: Possible auth methods: PLAIN,USERPASS Pop3Client.sys.mjs:688:18
01:56:22.071 pop3.server45.3: Current auth method: PLAIN Pop3Client.sys.mjs:759:18
01:56:22.071 pop3.server45.3: C: AUTH PLAINgds Pop3Client.sys.mjs:573:20
01:56:22.127 pop3.server45.3: S: -ERR [AUTH] Unsupported authentication mechanism.
Pop3Client.sys.mjs:351:18
01:56:22.128 pop3.server45.3: Got an error name=pop3UsernameFailure, the server said: [AUTH] Unsupported authentication mechanism. Pop3Client.sys.mjs:1573:18
01:56:22.129 pop3.server45.3: Done with status=0x80004005 Pop3Client.sys.mjs:1617:18
01:56:22.146 pop3.server45.3: C: QUIT Pop3Client.sys.mjs:573:20
01:56:22.154 pop3.server45.3: Connection closed. Pop3Client.sys.mjs:447:18
01:56:22.158 pop3.server45.3: S: +OK Logging out
Pop3Client.sys.mjs:351:18
Anyhow, there is also a bug in TB in that other auth mechanisms are not tried when the attempted auth error is "auth method unsupported". TB only tries another mechanism when the error is actually that the password fails. So in your case, AUTH PLAIN is failing as unsupported and TB doesn't try to use USERPASS mechanism like it should. And in my log above, there is also no attempt to use USERPASS when AUTH PLAINgds fails.
Comment 5 (Reporter) • 1 month ago
Ok, here is the full log trying to connect.
09:40:11.549 pop3.server1.7: Connecting to pop://127.0.0.1:10995 Pop3Client.sys.mjs:141:18
09:40:11.556 pop3.server1.7: Connected Pop3Client.sys.mjs:295:18
09:40:11.558 pop3.server1.7: S: +OK <74d24c36.1730450411557@localhost> POP3 server (KOM-LE Clientmodul) ready Pop3Client.sys.mjs:351:18
09:40:11.560 pop3.server1.7: C: CAPA Pop3Client.sys.mjs:573:20
09:40:11.562 pop3.server1.7: S: +OK
TOP
USER
SASL PLAIN
UIDL
.
Pop3Client.sys.mjs:351:18
09:40:11.563 pop3.server1.7: Possible auth methods: PLAIN,USERPASS Pop3Client.sys.mjs:688:18
09:40:11.563 pop3.server1.7: Current auth method: PLAIN Pop3Client.sys.mjs:759:18
09:40:11.563 pop3.server1.7: C: AUTH PLAIN Pop3Client.sys.mjs:573:20
09:40:11.565 pop3.server1.7: S: -ERR Pop3Client.sys.mjs:351:18
09:40:11.565 pop3.server1.7: Got an error name=pop3UsernameFailure, the server said: Pop3Client.sys.mjs:1573:18
09:40:11.565 pop3.server1.7: Done with status=0x80004005 Pop3Client.sys.mjs:1616:18
09:40:11.577 pop3.server1.7: C: QUIT Pop3Client.sys.mjs:573:20
09:40:11.590 pop3.server1.7: Connection closed. Pop3Client.sys.mjs:447:18
09:40:11.591 pop3.server1.7: S: +OK POP3 Server (KOM-LE Clientmodul) signing off. Pop3Client.sys.mjs:351:18
09:40:11.615 sizeToContent() ist veraltet und wird in Zukunft entfernt werden. commonDialog.js:132:10
> I don't see anything in the specs for your POP3 server that indicates it doesn't support PLAIN authentication (and it claims it does in the CAPA response).
That might be possible. I am not that deep into the pop3 standard and sadly we are not able to change anything on the server side.
With this information I will try to find a way to report it to the server company.
> Anyhow, there is also a bug in TB in that other auth mechanisms are not tried when the attempted auth error is "auth method unsupported". TB only tries another mechanism when the error is actually that the password fails. So in your case, AUTH PLAIN is failing as unsupported and TB doesn't try to use USERPASS mechanism like it should. And in my log above, there is also no attempt to use USERPASS when AUTH PLAINgds fails.
Thank you for the deep analysis. Your suggestion seems to be the fix which will help the German Thunderbird + KIM users (and us ;) ).
Comment 6 (Assignee) • 1 month ago
Maybe there is a good explanation for why your server rejects the AUTH PLAIN command. But, regardless, I now have a fix that, after AUTH PLAIN fails, correctly moves on and tries AUTH LOGIN (if supported) and then USER/PASS login as last resort. So this should fix the problem you are seeing.
Right now I'm making a "try" build of the current daily version with my fix applied here: https://treeherder.mozilla.org/jobs?repo=try-comm-central&revision=f581f48c3ebb23d719e1d0327962b68efdb9775d
When this finishes you should be able to click on the green "B" next to your desired computer platform and then down below click on the "Artifacts and Debugging" tab and you should find the installation file to download:
- Linux or linux64 is target.tar.bz2 (just unzip and run thunderbird executable inside)
- Windows or windows64 is target.installer.exe
- Mac/OS is target.dmg
If you could verify that this fixes the problem by running the appropriate "try" build it would be most helpful.
I still need to submit a formal patch for approval to incorporate the fix into daily, then beta and finally the ESR release.
Comment 7 (Assignee) • 1 month ago
User reported error on "AUTH PLAIN" command. This did not cause AUTH LOGIN or USERPASS
to be tried, so authentication failed. This now ensures that any failure during AUTH
PLAIN or AUTH LOGIN causes the next supported authentication mechanism to be tried.
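The fallback order discussed in comments 4, 6 and 7, as an added JavaScript example that is not Thunderbird's code and not the patch itself: it contrasts stopping on a refused `AUTH` command with moving on to the next advertised method. The function names, the `send` callback and the constructed server stand-in are assumptions made for illustration.

```javascript
// Added illustration; not Thunderbird's Pop3Client.sys.mjs. All names are hypothetical.
const b64 = s => Buffer.from(s, "utf8").toString("base64");

// Derive login methods from a CAPA body, in the order the fix tries them:
// AUTH PLAIN, then AUTH LOGIN, then USER/PASS as the last resort.
function possibleAuthMethods(capaLines) {
  const caps = capaLines.map(l => l.trim().toUpperCase().split(/\s+/));
  const sasl = (caps.find(c => c[0] === "SASL") || []).slice(1);
  const methods = ["PLAIN", "LOGIN"].filter(m => sasl.includes(m));
  if (caps.some(c => c[0] === "USER")) methods.push("USERPASS");
  return methods;
}

// send(cmd) returns the server's reply line. With fallbackOnAnyFailure=false a
// refused "AUTH <mech>" command ends the attempt (the behaviour reported for
// 128/129); with true, any failure moves on to the next advertised method.
function login(send, methods, user, pass, fallbackOnAnyFailure) {
  const tried = [];
  for (const method of methods) {
    tried.push(method);
    if (method === "USERPASS") {
      if (send(`USER ${user}`).startsWith("+OK") &&
          send(`PASS ${pass}`).startsWith("+OK")) return { ok: true, tried };
      continue;
    }
    let reply = send(`AUTH ${method}`);
    if (!reply.startsWith("+ ")) {           // mechanism itself was refused
      if (!fallbackOnAnyFailure) return { ok: false, tried };
      continue;
    }
    const steps = method === "PLAIN" ? [b64(`\0${user}\0${pass}`)]
                                     : [b64(user), b64(pass)];
    for (const step of steps) {
      if (!reply.startsWith("+ ")) break;    // server stopped the exchange early
      reply = send(step);
    }
    if (reply.startsWith("+OK")) return { ok: true, tried };
  }
  return { ok: false, tried };
}

// Constructed stand-in for the server in this report: bare -ERR to AUTH,
// USER/PASS accepted. The log redacts the PASS argument.
function makeServer(log) {
  return cmd => {
    log.push(cmd.replace(/^PASS .*/, "PASS ****"));
    return /^(USER|PASS) /.test(cmd) ? "+OK" : "-ERR";
  };
}
```

Both PLAIN and USER/PASS carry the password in recoverable form, so this fallback stays within one class of mechanism and relies on the connection's transport security either way.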
Comment 8 (Reporter) • 1 month ago
(In reply to gene smith from comment #6)
> Maybe there is a good explanation for why your server rejects the AUTH PLAIN command. But, regardless, I now have a fix that, after AUTH PLAIN fails, correctly moves on and tries AUTH LOGIN (if supported) and then USER/PASS login as last resort. So this should fix the problem you are seeing.
> Right now I'm making a "try" build of the current daily version with my fix applied here: https://treeherder.mozilla.org/jobs?repo=try-comm-central&revision=f581f48c3ebb23d719e1d0327962b68efdb9775d
> When this finishes you should be able to click on the green "B" next to your desired computer platform and then down below click on the "Artifacts and Debugging" tab and you should find the installation file to download:
> - Linux or linux64 is target.tar.bz2 (just unzip and run thunderbird executable inside)
> - Windows or windows64 is target.installer.exe
> - Mac/OS is target.dmg
> If you could verify that this fixes the problem by running the appropriate "try" build it would be most helpful.
> I still need to submit a formal patch for approval to incorporate the fix into daily, then beta and finally the ESR release.
I will test it today at work. May take some hours until I have a time slot available.
Comment 9 (Reporter) • 1 month ago
The fix works. Thank you.
Here is the full log as proof ;)
pop3.server2.5: Connecting to pop://127.0.0.1:10995 Pop3Client.sys.mjs:141:18
pop3.server2.5: Connected Pop3Client.sys.mjs:295:18
pop3.server2.5: S: +OK <1da3b83f.1730705300026@localhost> POP3 server (KOM-LE Clientmodul) ready Pop3Client.sys.mjs:351:18
pop3.server2.5: C: CAPA Pop3Client.sys.mjs:573:20
pop3.server2.5: S: +OK
TOP
USER
SASL PLAIN
UIDL
.
Pop3Client.sys.mjs:351:18
pop3.server2.5: Possible auth methods: PLAIN,USERPASS Pop3Client.sys.mjs:688:18
pop3.server2.5: Current auth method: PLAIN Pop3Client.sys.mjs:759:18
pop3.server2.5: C: AUTH PLAIN Pop3Client.sys.mjs:573:20
pop3.server2.5: S: -ERR
Pop3Client.sys.mjs:351:18
pop3.server2.5: AUTH PLAIN failed, the server said: Pop3Client.sys.mjs:923:22
pop3.server2.5: Current auth method: USERPASS Pop3Client.sys.mjs:759:18
pop3.server2.5: C: USER hasomed.test.hanno@arv.kim.telematik-test#10.30.8.6:995#616123400-M#616123400-C#616123400-AP Pop3Client.sys.mjs:573:20
pop3.server2.5: S: +OK
Pop3Client.sys.mjs:351:18
pop3.server2.5: C: PASS iM1=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pop3.server2.5: S: +OK Welcome hasomed.test.hanno@arv.kim.telematik-test
Pop3Client.sys.mjs:351:18
pop3.server2.5: C: STAT Pop3Client.sys.mjs:573:20
pop3.server2.5: S: +OK 15 56114
Pop3Client.sys.mjs:351:18
pop3.server2.5: Folder lock acquired uri=mailbox://hasomed.test.hanno%40arv.kim.telematik-test%2310.30.8.6%3A995%23616123400-M%23616123400-C%23616123400-AP@127.0.0.1/Inbox. Pop3Client.sys.mjs:1153:22
pop3.server2.5: C: LIST Pop3Client.sys.mjs:573:20
pop3.server2.5: S: +OK 15 56114
1 3579
................
.
Pop3Client.sys.mjs:351:18
pop3.server2.5: C: UIDL Pop3Client.sys.mjs:573:20
pop3.server2.5: S: +OK unique-id listing follows
1 0000005b6551faeb
..................
.
Pop3Client.sys.mjs:351:18
pop3.server2.5: Folder lock released. Pop3Client.sys.mjs:1422:22
pop3.server2.5: Done with status=0x0 Pop3Client.sys.mjs:1667:18
pop3.server2.5: C: QUIT Pop3Client.sys.mjs:573:20
pop3.server2.5: Connection closed. Pop3Client.sys.mjs:447:18
pop3.server2.5: S: +OK POP3 Server (KOM-LE Clientmodul) signing off.
Pop3Client.sys.mjs:351:18
Comment 10 (Assignee) • 27 days ago
Set check-in needed.
Not sure if "regression" flag should be set for this since the changes in the "regressed by" bug 1897045 just revealed the issues fixed in this bug.
Comment 11 • 26 days ago
Pushed by arschmitz@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/74b5849c505d
Failure of AUTH PLAIN or AUTH LOGIN were not falling back to USERPASS. r=mkmelin