Closed Bug 1928803 Opened 1 year ago Closed 1 year ago

POP3 mechanism silently stops after first bad APOP password and doesn't prompt for corrected password

Categories

(MailNews Core :: Networking: POP, defect)

Product:
MailNews Core
Component:
Networking: POP
Version:
Thunderbird 128
Type:
defect

Tracking

(thunderbird_esr128 affected, thunderbird133 affected)

Status:
RESOLVED FIXED
Milestone:
134 Branch
Tracking Flags:
Tracking Status
thunderbird_esr128 --- affected
thunderbird133 --- affected

People

(Reporter: cubasuras, Assigned: gds)

References

Details

Attachments

(1 file)

Bug 1928803 - Allow APOP authenication for POP3 to prompt for corrected password. r=mkmelin
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

I have several POP3 accounts and several IMAP accounts.
On one POP3 account, I deleted the password.
When prompted for a new password, I entered a wrong password and requested to store it.

I am running Thunderbird 128.4.0esr (64-bit) under Linux Ubuntu-Mate 24.04.1 LTS.

Actual results:

A connection was done to one POP3 account and messages were fetched.

A connected failed to another POP3 account due to the wrong password.

No error was displayed and no new password was requested.

No other message could be fetch from any POP3 account (until restarting Thunderbird).

Clicking on "Get messages" in the menu, or on a POP3 mailbox which has a correct mailbox, has not effect (nothing appears on the status bar, no error is displayed, no message is fetched).

I believe that this bug is quite serious.

Meanwhile, the IMAP accounts work correctly.

Setting mailnews.pop3.loglevel="All", the last lines for POP3 in the Error Console are:
12:06:19.813 pop3.server12.2: S: +OK POP3 ready <XXX@pop3.priv.proxad.net>
12:06:19.829 pop3.server12.2: C: CAPA
12:06:19.863 pop3.server12.2: S: +OK Capability list follows
TOP
USER
UIDL
SASL PLAIN LOGIN
.
12:06:19.864 pop3.server12.2: Possible auth methods: APOP
12:06:19.864 pop3.server12.2: Current auth method: APOP
12:06:19.868 pop3.server12.2: C: Logging suppressed (it probably contained auth information)
12:06:19.893 pop3.server12.2: Connection closed.
12:06:19.894 pop3.server12.2: S: -ERR Invalid login or password

Expected results:

A dialog should appear: "login error: retry / enter new password / retry".

The messages in the other POP3 accounts should be fetched despite the password error in one POP3 account.

The POP3 mechanism should not be stopped.

The "Get messages" functions should be work on POP3 accounts

Question: Are you using APOP authentication on all your POP3 accounts?
How are your server settings for all POP3 accounts set? Specifically,

  • Connection security:
  • Authentication method:

FYI, I'm working on a similar POP3 issue here: bug 1928026.
But don't think this is a dupe.

Flags: needinfo?(cubasuras)
See Also: → 1928026

Miguel J, It might help to know the type of POP3 server you are accessing, e.g., Dovecot, gmail, yahoo etc.

@gene smith, I have 8 POP3 accounts. In the order of retrieval, they are:

  1. pop.mail.yahoo.com, SSL/TLS on port 995, with OAuth2
    (during my test, this account works)

  2. pop.free.fr, SSL/TLS on port 995, with encrypted password
    (during my test, this account has a wrong password and fails; since no other account seems to be queries, I would bet that they don't matter. However, since you are requesting that, I can give you the whole list)

  3. pop.free.fr, SSL/TLS on port 995, with encrypted password

  4. pop.free.fr, SSL/TLS on port 995, with encrypted password

  5. outlook.office365.com, SSL/TLS on port 995, with OAuth2

  6. pop.mail.yahoo.com, SSL/TLS on port 995, with OAuth2

  7. pop.mail.yahoo.com, SSL/TLS on port 995, with OAuth2

  8. pop.easyname.com, SSL/TLS on port 995, with plain password

Flags: needinfo?(cubasuras)

Ok, thanks for the info. Looks like all of your pop.free.fr accounts are probably using APOP authentication (unless the server supports CRAM-MD5, see bug 1897045 comment 1). I'll try to duplicate your issue on my local dovecot server using APOP.
I don't see the problem when all the pop3 servers are using normal password or oauth2 password with TLS.

In the error console, for "Current auth method:", I see:

  • XOAUTH2 for pop.mail.yahoo.com and outlook.office365.com
  • APOP for pop.free.fr
  • PLAIN for pop.easyname.com

Ok, I think I have duplicated the problem. I go into password manager and store the wrong password for my dovecot account using apop. I restart TB so stored password is used and I see no prompt for the correct dovecot/apop password. Also, all other pop3 accounts are unresponsive when I manually request check for new messages. After a while (maybe a bit over a minute) I get a dovecot server timeout pop-up from TB. Then I can get new messages from the other pop3 accounts. Trying again to get new mail from dovecot/apop, still see no prompt for correct password and other accounts are unresponsive. On TB restart I have the same problem and there is no prompt for dovecot/apop password when checking for new messages on that account.

The problem is that apop never prompts for a new password when a bad one is sent or stored and sent. This appears to be a simple change that was overlooked when apop was included in the JS pop3 re-write (Bug 1787766). This fixes it:

diff --git a/mailnews/local/src/Pop3Client.sys.mjs b/mailnews/local/src/Pop3Client.sys.mjs
--- a/mailnews/local/src/Pop3Client.sys.mjs
+++ b/mailnews/local/src/Pop3Client.sys.mjs
@@ -847,19 +847,19 @@ export class Pop3Client {
     }
 
     if (this._verifyLogon) {
       this.runningUri.errorCode = "pop3PasswordFailed";
       this._actionDone(Cr.NS_ERROR_FAILURE);
       return;
     }
 
     if (
-      ["USERPASS", "PLAIN", "LOGIN", "CRAM-MD5"].includes(
+      ["USERPASS", "PLAIN", "LOGIN", "CRAM-MD5", "APOP"].includes(
         this._currentAuthMethod
       )
     ) {
       this._actionError(
         "pop3PasswordFailed",
         [this._server.username],
         res.statusText
       );
Assignee: nobody → gds
Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → 1787766
Summary: POP3 mechanism silently stops after first bad password → POP3 mechanism silently stops after first bad APOP password and doesn't prompt for corrected password

Miguel, Right now I'm making a "try" build of the current daily version for linux with the comment 6 patch applied. The try build is here:
https://treeherder.mozilla.org/jobs?repo=try-comm-central&revision=d12f23a91c46423535a659f29f6410f88e06ad39
When this finishes you should be able to click on on the green "B" next to Linux x64 opt and then down below click on "Artifacts and Debugging" tab and you should find the file to download. For linux it is target.tar.bz2. Just unzip (e.g., in ~) and run thunderbird executable inside the tree. This won't affect your current TB installation.
If you could verify that this fixes the problem by running the build it would be most helpful.

Thank you gene smith.
I just tried your build.
It is better (the dialogs appear and the whole process is not stopped anymore), but there are still some problems.

What I did:

  1. I deleted the password for the APOP account (pop.free.fr, SSL/TLR with encrypted password)

  2. I clicked on "Get Messages" from the main menu
    PROBLEM: the account without a password is not retrieved (it does not appear in Error Console, with logging enabled) and no dialog is shown to request a new password; but OK, the other accounts are normally retrieved
    In one try, after maybe 1 minute, the dialog appeared, and kept appearing periodically (maybe 1 minute) even though I clicked on "Cancel"
    In other tries, the dialog would not appear at all, even after a delay.

  3. I clicked on "Get Messages" from the right-click menu for the account with no password
    OK: the expected dialog appears (login error: retry/cancel/enter password)
    OK: "Cancel" closes the dialog

  4. in the dialog, I entered a wrong password
    PROBLEM: the expected dialog (login error: retry/cancel/enter password) appears twice, as stacked dialogs (one is active, the other one is blocked)
    To cancel, I need to click twice on "Cancel" (once on each dialog)
    To enter a new password, I need to click twice on "Enter new password". The prompt for the new password is displayed only after the 2nd click. Sometimes, one more "login error" dialog appears and blocks the prompt for the new password, and must be closed for actually entering the new password

  5. I entered the correct password
    OK, it works (it already worked)

Note: although you said "This won't affect your current TB installation", I could not revert to the normal Thunderbird after the test, and got a message "You are launching an old version". I had to launch the normal Thunderbird with flag --allow-downgrade

Status: NEW → ASSIGNED
status-thunderbird133: --- → affected
status-thunderbird_esr128: --- → affected
Keywords: checkin-needed-tb
Target Milestone: --- → 134 Branch

Pushed by john@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/9fe25bb1b544
Allow APOP authenication for POP3 to prompt for corrected password. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

(In reply to Miguel J from comment #10)

Note: although you said "This won't affect your current TB installation", I could not revert to the normal Thunderbird after the test, and got a message "You are launching an old version". I had to launch the normal Thunderbird with flag --allow-downgrade

Sorry about that. I always run with --allow-downgrade and forgot to mention that it is a possibility when you run a newer version (e.g., daily) and then go back to ESR on the same profile. I've never seen a problem with that option and I jump around my running version all the time.

Also, thanks for the problem description in comment 9. Magnus went ahead the approved the patch and closed this bug, so maybe you should make a new bug report containing that information.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: