Closed Bug 1978361 Opened 10 months ago Closed 8 months ago

Migrating from 128.x > 140.x breaks email access for @att.net email, no longer downloads new messages to Inbox

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Version:
Thunderbird 140
Type:
defect

Tracking

(thunderbird_esr140+ fixed)

Status:
RESOLVED FIXED
Milestone:
145 Branch
Tracking Flags:
Tracking Status
thunderbird_esr140 + fixed

People

(Reporter: thee.chicago.wolf, Assigned: tobyp)

References

(Blocks 1 open bug)

Details

(Whiteboard: [datalossy])

Attachments

(1 file)

Bug 1978361 - Add support for att.net Oauth2. r=!arschmitz,#thunderbird-reviewers
48 bytes, text/x-phabricator-request
corey
: approval-comm-esr140+
Details | Review

My mother reached out to me stating her email stopped downloading on July 16th. Prior to that I had her on 128ESR. In anticipation of 140, I had previously tried to update her to 137+ but TB seemed "broken" for lack of a better word. I decided to let 128ESR update to 140 when it was finally the new ESR.

When I remoted into her machine to take a look, I saw she was at 140.0.1. I sent a few test messages and clicked Get Messages but they didn't come through. On it's face, 140.0.1 seemed operational and I didn't see anything in Status Bar indicating any issues or errors. My first instinct was AT&T's abominable "Security Key" method of doing OAuth2 but that wasn't the case. How do I know? I generated a new Security Key via my mom's webmail account and then deleted her saved email password. After restarting TB, I was waiting for it to prompt me for a password but it never did.

I then downloaded 128.12.0ESR, uninstalled 140.0.1, re-installed 128.12.0ESR and launched TB with --allow-downgrade. It launched fine and then prompted for a password. I input the Security Key password but it rejected it. Tried once more, rejected again. I then input the regular email password and it accepted it and gave me the windows asking to allow TB to manage her account which I did. After this, all email since the 16th began spooling to the Inbox along with test messages I sent.

I then did another upgrade to 140.0.1 thinking it was just the old Security Key that needed to be wiped and that her regular password was now sufficient. Still, it no longer would spool new messages I just sent after updating for a 2nd time to 140.0.1. Once again, reverting back to 128.12.0ESR with --allow-downgrade caused the newer test messages to spool to the Inbox.

I didn't quite know if this belonged in the Account Manager section or not. And if any STR are needed, it would be these:

STR:

  1. Have at @att.net account that's currently working with 128.x ESR that was previously set up for IMAP / OAuth2 via Security Key method (and was configured via Security Key method since the TB 102.x > 115.x days)
  2. Update to 140.x

Actual Result:

  1. New messages are not pulled from Inbox

Expected Results:

  1. New messages are pulled from Inbox
Summary: Migrating from 128.x > 140.x breaks email access for @att.net emai, no longer downloads new messages to Inbox → Migrating from 128.x > 140.x breaks email access for @att.net email, no longer downloads new messages to Inbox
Blocks: tb140found

Thanks for reporting this Arthur. Are you able to reproduce this behaviour in a new profile? [https://support.mozilla.org/en-US/kb/using-multiple-profiles]

I'm curious to understand whether the problem is related to a cached token or some issue related to the existing profile. Would it be possible for you to test?

Flags: needinfo?(thee.chicago.wolf)

(In reply to Toby Pilling [:tobyp] from comment #1)

Thanks for reporting this Arthur. Are you able to reproduce this behaviour in a new profile? [https://support.mozilla.org/en-US/kb/using-multiple-profiles]

I'm curious to understand whether the problem is related to a cached token or some issue related to the existing profile. Would it be possible for you to test?

I can test with Portable TB 140.0.1 if that would help. I'd have to get my Mom's ok to do the testing away from her production PC. How would I be able to test? The behavior does seem indicative of it caching something somewhere as blowing out the password should have forced a password prompt to happen the 1st time around.

Flags: needinfo?(thee.chicago.wolf)

Are there any errors in the error console?

James, Matt any feedback to comment 0 ?

Flags: needinfo?(unicorn.consulting)
Flags: needinfo?(jamesmknott)

I can test with Portable TB 140.0.1 if that would help. I'd have to get my Mom's ok to do the testing away from her production PC. How would I be able to test? The behavior does seem indicative of it caching something somewhere as blowing out the password should have forced a password prompt to happen the 1st time around.

You could also test this on your mom's machine by starting Thunderbird with "-P" - it is possible to adjust the shortcut or simply run from a command line as described in the link above in comment 1. After you have the email account configured and authenticated within a new profile running ESR140.0.1, I'd be interested to see if you are able to sync emails...

Might take me a bit to set up a test environment here in my office. Hang tight.

re: "James... any feedback...?"

While I do occasionally see a Thunderbird related problem every few months (generally with the AT&T, but recently with GMAIL), they all seem to resolve themselves within a few hours or a day at most, and this has been true for the last two years -- so, life is good. (I have no idea if such problems are Thunderbird or ISP related or both).

The following is simply FYI should it help you. Let me know if you need more info:

I am on Windows-11 Home 24H2 with all Windows update patches and on Thunderbird 140.0.1 (64bit) (installed, not portable). I migrated from a Windows-10 machine to a new Windows-11 machine, by copying the profile folder. (I may??? have setup my AT&T accounts "from scratch" and then manually copied profile folders to the new machine -- not sure). My (not so...) good records did not indicate that I did anything to re-install the prior work-arounds, but perhaps they came forward with the profile?? So I'm not POSITIVE that they are active on my Windows-11 configuration. Those workarounds are related to:

  • Thunderbird mail.server.default.fetch_by_chunks - set to false -- this was a wonderful solution to my problem.
  • Thunderbird fix to wrap annoyingly long lines in a few (rare) incoming emails.

I use POP3 for two AT&T.net accounts and IMAP for one AT&T account -- and my Account Settings say connection: SSL/TLS authentication: "normal password" for all three accounts. I know that I originally setup via the confusing/difficult OAUTH, and I presume that provided me with a "Secure mail key" that according to my notes I re-used this same exact key from my Windows-10 machine on the new Windows-11 installation.

My apologies if the above FYI stuff is gibberish, but I barely know what I'm doing when it comes to AT&T or Thunderbird email setup, as they don't work intuitively for me.

(I greatly appreciate the past assistance and work by the Thunderbird team and volunteers!!)

Flags: needinfo?(jamesmknott)

I am seeing the same problem:

I upgraded to Thunderbird 140.0.1esr (64 bit) and 1 of the 4 email accounts has stopped syncing.

The one that stopped syncing is AT&T / Yahoo email via imap inbound and smtp outbound. It was working on the 128 release but as soon as I updated it stopped syncing.

I can still get email to/from the other 3 accounts, it still works on my phone and on my laptop with Thunderbird 128.12.0esr (32-bit) it is still working OK.

I have double checked account info and passwords and no issues that I can see.

No errors show up in the developer console.

(In reply to jamesmknott from comment #7)

re: "James... any feedback...?"

While I do occasionally see a Thunderbird related problem every few months (generally with the AT&T, but recently with GMAIL), they all seem to resolve themselves within a few hours or a day at most, and this has been true for the last two years -- so, life is good. (I have no idea if such problems are Thunderbird or ISP related or both).

The following is simply FYI should it help you. Let me know if you need more info:

I am on Windows-11 Home 24H2 with all Windows update patches and on Thunderbird 140.0.1 (64bit) (installed, not portable). I migrated from a Windows-10 machine to a new Windows-11 machine, by copying the profile folder. (I may??? have setup my AT&T accounts "from scratch" and then manually copied profile folders to the new machine -- not sure). My (not so...) good records did not indicate that I did anything to re-install the prior work-arounds, but perhaps they came forward with the profile?? So I'm not POSITIVE that they are active on my Windows-11 configuration. Those workarounds are related to:

  • Thunderbird mail.server.default.fetch_by_chunks - set to false -- this was a wonderful solution to my problem.
  • Thunderbird fix to wrap annoyingly long lines in a few (rare) incoming emails.

I use POP3 for two AT&T.net accounts and IMAP for one AT&T account -- and my Account Settings say connection: SSL/TLS authentication: "normal password" for all three accounts. I know that I originally setup via the confusing/difficult OAUTH, and I presume that provided me with a "Secure mail key" that according to my notes I re-used this same exact key from my Windows-10 machine on the new Windows-11 installation.

My apologies if the above FYI stuff is gibberish, but I barely know what I'm doing when it comes to AT&T or Thunderbird email setup, as they don't work intuitively for me.

(I greatly appreciate the past assistance and work by the Thunderbird team and volunteers!!)

Additional info: Should you wish to see if mail.server.default.fetch_by_chunks has ANY correlation/solution to this problem (and I'm not suggesting that it does), then click on Tools > Settings > Config editor (at bottom). Then scroll (or search for "chunks") down to mail.server.default.fetch_by_chunks and set to false (and then restart Thunderbird). FYI.

Also, sometimes in the past I will have ONE MESSAGE that for unknown reasons hangs-up syncing. So perhaps you could go to AT&T webmail, and move one/some messages out of INBOX and to somewhere else (temporarily) and see if that helps.
Of course, these ideas may not help you in the slightest, but both are easy to try if desired.

(In reply to josephd.henderson from comment #8)

I am seeing the same problem:

I upgraded to Thunderbird 140.0.1esr (64 bit) and 1 of the 4 email accounts has stopped syncing.

The one that stopped syncing is AT&T / Yahoo email via imap inbound and smtp outbound. It was working on the 128 release but as soon as I updated it stopped syncing.

I can still get email to/from the other 3 accounts, it still works on my phone and on my laptop with Thunderbird 128.12.0esr (32-bit) it is still working OK.

I have double checked account info and passwords and no issues that I can see.

No errors show up in the developer console.

Thanks for confirming. I thought I'd munged up my Mom's profile. Devs, I'm going to take a stab at it tomorrow but what was the command to do super verbose logging? thunderbird.exe | level=5 > output.txt or some such thing? There's got to be some gremlin to be outed but I surmise it'll take some coaxing.

Thanks Arthur,
You can open a command prompt (not powershell) and use the following:

set MOZ_LOG=timestamp,IMAP:5
set MOZ_LOG_FILE=output.txt
"C:\Program Files\Thunderbird Daily\thunderbird.exe" -no-remote -profile "C:\Users\<USER>\AppData\Roaming\Thunderbird\Profiles\<PROFILE>"

There is more detail here:
https://wiki.mozilla.org/MailNews:Logging?_gl=1*1v8k5z8*_ga*MTI5ODQ1ODk5OS4xNzE1NjA1NTQz*_ga_2VC139B3XV*czE3NTMyMTM4Mzgkbzc0JGcwJHQxNzUzMjE0MjY3JGo2MCRsMCRoMA..#Gecko_Logging

I am seeing this currently with a brand new att account setup fresh in 140 so this is not related to upgrade or caching. I can add the account using the security key and it adds the account fine but never fetches mail and seems to never even attempt to fetch mail.

It also fails to send mail. It acts like its successful and moves the message to sent but the message is never recieved by the other account.

Update: Thunderbird 128 / 140 both force pop by default once I forced imap with the correct settings with a new account, everything works as expected.

Arthur / Joseph can you both post and compare your imap to those suggested here https://learn.microsoft.com/en-us/answers/questions/4718793/outlook-and-att-net-imap-wont-work?forum=outlook_com-all&referrer=answers and update to those if they don't match and post back with how that works for you?

Mine is correct:
Server Type: IMAP Mail Server
Server Name: imap.mail.att.net Port: 993

Connection Security: SSL/TLS
Authentication Method: OAuth2

Also updated to 140.1.0esr (64 bit) but no change on AT&T email sync problem.

Same for me as well.

Thank you both this does indicate that this is likely an upgrade related issue since a new account and new TB does not seem to reproduce the issue. Ill be working on trying to reproduce this via the upgrade path.

Thanks Joseph and Arthur,
I am wondering if the change in user agent is causing the Oauth token to expire. Could you possibly add a custom preference via the config editor:
https://support.mozilla.org/en-US/kb/config-editor

The new STRING preference should be called general.useragent.override and once added, the value can be set to Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Thunderbird/128.1.0

After restarting Thunderbird, does that make any difference?

Alex has successfully set up a new att.net account and after creating a new "secure mail key", he was able to set up the account with basic authentication using the "secure mail key" instead of the password. Not using Oauth. Have you tried using normal password as mentioned in this article?
https://support.mozilla.org/gl/questions/1335090

Toby my actual auth method is still oauth2, using the secure mail key as the password.

I've had a little breakthrough methinks. I did this on my own home PC but it's now at TB 141.0 so don't know if that makes any difference. I set up my Mom's @att.net account from scratch this way using the "+ New Account" button

STR (requires the Security Key / Secure Mail Key):

  1. Fill in Name and Email address, click Continue.
  2. It only finds POP3 as a choice, so on the "Configuration found in Mozilla ISPDB" screen, click Edit Configuration
  3. Incoming server settings: Protocol: IMAP, Hostname: imap.mail.att.net, Port: 993, Connection Security: SSL/TLS, Authentication Method: Autodetect Password, Username: <full @att.net email address>, click Continue
  4. Outgoing server settings: Protocol: SMTP, Hostname: smtp.mail.att.net, Port: 465, Connection Security: SSL/TLS, Authentication method: Autodetect Password, Username: <full @att.net email address>, click Test, click Continue
  5. Now, enter your Security Key / Secure Mail Key and click Continue
  6. If presented with the "Thunderbird was unable to find connected services", click Continue
  7. Click Finish

This is where it gets a bit murky. The resulting working account's Incoming Server settings show Authentication Method as Normal Password. Same for Outgoing Server SMTP: Authentication Method = Normal Password. Now, if you try to repeat the above STR steps #3 and #4 and use Authentication Method: Normal Password, account creation WILL fail. I tried it twice to make sure I wasn't going insane.

Seems that needing Authentication Method: Autodetect during manual IMAP setup is required. I wonder what would happen for those having the issue to change their existing Authentication Method from OAuth2 to Normal Password? CAVEAT: Back up your profile first! I am not responsible if it busts a working profile.

(In reply to Alex Schmitz from comment #16)

Thank you both this does indicate that this is likely an upgrade related issue since a new account and new TB does not seem to reproduce the issue. Ill be working on trying to reproduce this via the upgrade path.

Check my comment below.

Now, if you try to repeat the above STR steps #3 and #4 and use Authentication Method: Normal Password, account creation WILL fail. I tried it twice to make sure I wasn't going insane.

Seems that needing Authentication Method: Autodetect during manual IMAP setup is required.

I CANNOT confirm this i did this doing normal password NOT autodetect

(In reply to Alex Schmitz from comment #21)

Now, if you try to repeat the above STR steps #3 and #4 and use Authentication Method: Normal Password, account creation WILL fail. I tried it twice to make sure I wasn't going insane.

Seems that needing Authentication Method: Autodetect during manual IMAP setup is required.

I CANNOT confirm this i did this doing normal password NOT autodetect

So weird, I let it choose Normal Password and it DID work this time. I just tested twice. I swear I tried this two times previously and it failed. In any event Alex, Authentication Method: Normal Password does seem to work.

(In reply to Toby Pilling [:tobyp] from comment #11)

Thanks Arthur,
You can open a command prompt (not powershell) and use the following:

set MOZ_LOG=timestamp,IMAP:5
set MOZ_LOG_FILE=output.txt
"C:\Program Files\Thunderbird Daily\thunderbird.exe" -no-remote -profile "C:\Users\<USER>\AppData\Roaming\Thunderbird\Profiles\<PROFILE>"

There is more detail here:
https://wiki.mozilla.org/MailNews:Logging?_gl=1*1v8k5z8*_ga*MTI5ODQ1ODk5OS4xNzE1NjA1NTQz*_ga_2VC139B3XV*czE3NTMyMTM4Mzgkbzc0JGcwJHQxNzUzMjE0MjY3JGo2MCRsMCRoMA..#Gecko_Logging

Tried to get some logging output with the above but the output.txt file has 0KB. Double checked I'm doing it right and event went to the provided link for reference but it's still not outputting.

I have also now tested the upgrade path and everything worked as expected so a basic upgrade from 128esr -> 140esr will not replicate this

Arthur and Joseph apologize if i missed that one of you tried this already but have you tried starting in troublesooting mode app menu -> help -> troubleshooting mode and see if the problem still happens?

Trying to catch up so a summary to make sure I have it correct:

It appears that initially Alex set up an account and it failed but turned out it was set to POP. When changed to imap it worked. We checked our imap settings and they were OK.

Arthur set up the account on his pc and when he chose normal password it worked.

Arthur tried the logging but it failed with a 0 byte file (I also tried this and get a 0 byte file too).

I also tested it in troubleshooting mode but no change.

I'll back up my profile and try changing it to normal password and see if that helps.

Changing it to normal password fails with a retry, enter new password or cancel button options. Double checked that I am using the correct password (copy pasted so should be no typos) also fails.

Looked at changing it back to OAUTH2 but don't see that option in the dropdown. It shows Normal password, Encrypted password, Kerberos / GSSAPI, NTLM and TLS Certificate.

Can anyone point me to a doc with info on OAuth2 setup for Thunderbird? So far everything I find says to pick it from the dropdown.

(In reply to Joseph "Butch" Henderson from comment #26)

Changing it to normal password fails with a retry, enter new password or cancel button options. Double checked that I am using the correct password (copy pasted so should be no typos) also fails.

Looked at changing it back to OAUTH2 but don't see that option in the dropdown. It shows Normal password, Encrypted password, Kerberos / GSSAPI, NTLM and TLS Certificate.

Can anyone point me to a doc with info on OAuth2 setup for Thunderbird? So far everything I find says to pick it from the dropdown.

That's what I was worried about (OAuth2 disappearing as an option after switching to Normal Password and it not showing in the drop down menu).

(In reply to Joseph "Butch" Henderson from comment #26)

Changing it to normal password fails with a retry, enter new password or cancel button options. Double checked that I am using the correct password (copy pasted so should be no typos) also fails.

Looked at changing it back to OAUTH2 but don't see that option in the dropdown. It shows Normal password, Encrypted password, Kerberos / GSSAPI, NTLM and TLS Certificate.

Can anyone point me to a doc with info on OAuth2 setup for Thunderbird? So far everything I find says to pick it from the dropdown.

Joseph, are you using the secure mail key as the password? Or the actual password?

(In reply to Toby Pilling [:tobyp] from comment #28)

(In reply to Joseph "Butch" Henderson from comment #26)

Changing it to normal password fails with a retry, enter new password or cancel button options. Double checked that I am using the correct password (copy pasted so should be no typos) also fails.

Looked at changing it back to OAUTH2 but don't see that option in the dropdown. It shows Normal password, Encrypted password, Kerberos / GSSAPI, NTLM and TLS Certificate.

Can anyone point me to a doc with info on OAuth2 setup for Thunderbird? So far everything I find says to pick it from the dropdown.

Joseph, are you using the secure mail key as the password? Or the actual password?

I was using the password - but the more I think of it the more I think I would need to delete the account and recreate it. I'll try that next but have an errand to run.

Hi guys,

I wanted to update everyone with what I did on my Mom's PC that worked. She was on 128.12.0. I updated her to 128.13.0. Then to 140.1.0 ESR.

  1. I changed Auth method from OAuth2 > Normal Password (for both Inbound and Outbound AT&T servers)
  2. Restarted TB and it prompted me for a password
  3. I used the Security Key / Secure Mail Key password and chose to let TB save the password (for inbound and outbound server)

All fixed. That was it. Makes me wonder if AT&T silently ditched strict OAuth2 method and is just using the Security Key / Secure Mail Key password as the "Normal Password" now?

I did catch something in Error Console after I switched from OAuth2 to Normal Password but it might be a red herring. This was throw when I was trying to send a test email from/to her own account.

mailnews.smtp: Authentication failed: Socket closed. SmtpClient.sys.mjs:762:17
_onAuthFailed resource:///modules/SmtpClient.sys.mjs:762
_onClose resource:///modules/SmtpClient.sys.mjs:555
uncaught exception: initFromOutgoing failed, hostname: smtp.mail.att.net

(In reply to Joseph "Butch" Henderson from comment #29)

(In reply to Toby Pilling [:tobyp] from comment #28)

(In reply to Joseph "Butch" Henderson from comment #26)

Changing it to normal password fails with a retry, enter new password or cancel button options. Double checked that I am using the correct password (copy pasted so should be no typos) also fails.

Looked at changing it back to OAUTH2 but don't see that option in the dropdown. It shows Normal password, Encrypted password, Kerberos / GSSAPI, NTLM and TLS Certificate.

Can anyone point me to a doc with info on OAuth2 setup for Thunderbird? So far everything I find says to pick it from the dropdown.

Joseph, are you using the secure mail key as the password? Or the actual password?

I was using the password - but the more I think of it the more I think I would need to delete the account and recreate it. I'll try that next but have an errand to run.

Do check on what I did in comment 30. Worked for me.

(In reply to Arthur K. (he/him) from comment #31)

Do check on what I did in comment 30. Worked for me.

I tried that but no luck. I get an error that the password is incorrect (yes I am using the correct password).

I restored the backup and will try it again. If that doesn't work I'll look at reverting to the 128 version (will need info on best way to do that).

Joseph, have you tried creating a new secure mail key and using that instead of your password?
https://www.att.com/support/article/email-support/KM1240308

I also sense that things may have changed at att.net in terms of what they support - but I also wonder whether the ISPDB configuration (which hasn't changed in several years and seems to be missing IMAP) may be playing a part in this: https://github.com/thunderbird/autoconfig/blob/master/ispdb/att.net.xml

(In reply to Toby Pilling [:tobyp] from comment #33)

Joseph, have you tried creating a new secure mail key and using that instead of your password?
https://www.att.com/support/article/email-support/KM1240308

That's what I'm using on my laptop and since it still works I don't see a reason to create a new one.

I also sense that things may have changed at att.net in terms of what they support - but I also wonder whether the ISPDB configuration (which hasn't changed in several years and seems to be missing IMAP) may be playing a part in this: https://github.com/thunderbird/autoconfig/blob/master/ispdb/att.net.xml

Yeah my recollection is it always adds it as POP and I have to go back and reconfigure it as imap.

(In reply to Joseph "Butch" Henderson from comment #34)

(In reply to Toby Pilling [:tobyp] from comment #33)

Joseph, have you tried creating a new secure mail key and using that instead of your password?
https://www.att.com/support/article/email-support/KM1240308

That's what I'm using on my laptop and since it still works I don't see a reason to create a new one.

I also sense that things may have changed at att.net in terms of what they support - but I also wonder whether the ISPDB configuration (which hasn't changed in several years and seems to be missing IMAP) may be playing a part in this: https://github.com/thunderbird/autoconfig/blob/master/ispdb/att.net.xml

Yeah my recollection is it always adds it as POP and I have to go back and reconfigure it as imap.

Joseph,

Since myself or my Mom didn't save or write down her 1st secure key when I first set up OAuth2 during the TB102.x ESR days, I wound up creating a new one and used that for the password. It let's you have more than one key---and delete if no longer needed---if that makes any difference to you while we're trying to nail down the cause.

(In reply to Arthur K. (he/him) from comment #35)

Since myself or my Mom didn't save or write down her 1st secure key when I first set up OAuth2 during the TB102.x ESR days, I wound up creating a new one and used that for the password. It let's you have more than one key---and delete if no longer needed---if that makes any difference to you while we're trying to nail down the cause.

Thanks - I'll see about creating another one.

Well couldn't log into the AT&T page and the error message was not helpful (indicated they were having an issue not me).

Decided to just downgrade back to 128 and load profile from laptop. It's working OK now

If y'all come up with a fix I can upgrade and test it.

I see a number of odd issues here.

  1. There has never been an approved OAuth for ATT accounts. Hence, I filed bug 1698316 four years ago.
  2. The user can not select the OAuth "secret" to be used to self select an OAuth provider that Thunderbird has but does not offer for the domain provided. Hence, I filled bug 1591782 six years ago.

For these reasons, I am struggling with most of the content in this bug. Fundamentally, you are talking about authentication methods that are simply not available to ATT customers according to the instructions provided by ATT for the setting up of a mail client.
There is, or was ,a way to use OAuth with all yahoo contracted providers.by using the mail.yahoo.com servers that Thunderbird offers OAuth using the Yahoo OAuth secret and choosing the OAuth option Thunderbird offers for Yahoo.

However, there are limitations.
It relies on the user's email address being registered with yahoo as a valid user. I do not know if this is still the case for all ATT customers. It used to be.
You must enable, DNS over HTTPS in options or choose custom DNS servers so you no longer use the poisoned DNS of the ISP which simply redirects some domains to their own "hosted" offering.
You also need to close the manual setup/ account settings page/tab to force Thunderbird to refresh the offered authentication methods to match the selected server name. As Thunderbird is incapable of refreshing the list items based on the server name change until the entire construct is reloaded the visible pane needs to go away. You only really have to change from server settings to any of the other options, but it does make any sort of batch updating of account settings a mammoth task instead of just a few clicks.

Some other decade old facts.
The only password you can use in a mail account with "normal password" is an ATT mailkey. Use of your ATT password will fail, and will fail by ATT/Yahoo design. It is not an accident or a bug
Using OAuth and Yahoo server names never uses the mailkey as the authentication occurs over HTTPS not one of the mail protocols. The ATT password used on their website is the one used in all circumstances. By the nature of OAuth, the ATT password is not stored in Thunderbird only the OAuth token is stored in the password manager. The reality is the OAuth authentication pages are web pages and served by Yahoo, so Thunderbird never actually has the ATT password in this scenario to store, only the resulting token from a successful authentication and grant of permissions is actually returned to Thunderbird.

Flags: needinfo?(unicorn.consulting)
Component: General → Security

See also How to restore inbox if you have att.com

Ben, would you happen to know why the att.net ISPDB entry doesn't list IMAP? It seems like you updated that most recently - but not sure if you would have the earlier history.

Flags: needinfo?(ben.bucksch)

(In reply to Ed from comment #39)

See also How to restore inbox if you have att.com

Shouldn't this be att.net and not att.com?

Sorry this seemed confusing on it's face. I see that the .com points to the portal. No wonder AT&T's stuff is all sorts of bubble gum and duct tape.

Thank you @Matt for the insight, @Ed for the helpful link and @Arthur K. (he/him) for your perseverance and explanations.

@Joseph "Butch" Henderson, if you would like to upgrade to a current version of Thunderbird, it seems that having a recent secure mail key to use as a password will work - and the instructions linked by Ed in comment 39 seem very helpful.

Marking as resolved because it seems that AT&T has updated their security settings between ER128 and ESR140. We have a solution if users follow instructions to set up a new secure mail key and use that.

We are listed here as an application that does not support their OAuth infrastructure.

From a recent article from AT&T:

Avoid email issues

Recent security upgrades may mean you have to update your settings. Learn more about the security upgrade

Is your email program or app affected? Create a secure mail key so you can keep getting your AT&T email.
Last updated: March 12, 2025

Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → WORKSFORME

:tobyp and matt et al we should document comment 43 in SUMO somewhere right?

Flags: needinfo?(unicorn.consulting)
Flags: needinfo?(toby)
Flags: needinfo?(toby)
See Also: → https://support.mozilla.org/en-US/questions/1525523

I've created github knowledge base issue for a SUMO KB article: NEW ARTICLE: Thunderbird and AT&T (using Yahoo's email backend) #96 <-- If I got anything wrong about ATT fka AT&T's settings, please comment in issue 96

(In reply to Toby Pilling [:tobyp] from comment #40)

Ben, would you happen to know why the att.net ISPDB entry doesn't list IMAP? It seems like you updated that most recently - but not sure if you would have the earlier history.

The most recent edits were formatting only. The config itself is likely 10+ years old. However, IIRC, am the author of this config (and of most others).

If I didn't add an IMAP server back then, then because there wasn't any. If there is one now, it should be added.

Flags: needinfo?(ben.bucksch)

(In reply to Roland Tanglao :rolandtb :adobo :sinigang :mapotofu previous tour of duty profile: https://bugzilla.mozilla.org/user_profile?login=rtanglao%40mozilla.com from comment #44)

:tobyp and matt et al we should document comment 43 in SUMO somewhere right?

No, we need to fix Thunderbird so ATT just works using oauth. It is approaching 10 years and I think it is time to bite the bullet and invest in fixing it. It is not really all that difficult. Simply add ATT to the yahoo scope here https://searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.sys.mjs

That does present some arguments that ATT is not really Yahoo. But until something more permanent can be done it would be a quick fix to a significant pain point. Implementing dynnamic oauth is probably the better approach, but nothing like as fast to implement.

But no one appears to be addressing the issue of why no IMAP in the ispdb is even relevant here. Users immediately try and fix everything by removing and adding it again. Be it a broken account or a problematic Thunderbird interface issue. Some careful interface decisions need to be made to discourage this going forward. If it is broken, adding it again is unlikely to fix anything, it can however lose data and create significant support issues from a user base that expects someone online to just flick a switch and fix whatever damage they have done or restore their data from an online archive. Personal responsibility for data security and backup is dead.

The support situation is now being complicated because the support issue raised by the user is adding an account failure, not whatever the real problem is. With the appalling lack of information users provide with their support request, days can be wasted just establishing the issue is not adding an account at all. There was a preexisting issue that is now not understood and has to be worked through from a new account perspective.

Flags: needinfo?(unicorn.consulting)

Hi Matt,
Could you let me know what you meant by this?

But no one appears to be addressing the issue of why no IMAP in the ispdb is even relevant here.

Are you suggesting that we have multiple issues being reported and should fix both/all?

We did fix the ispdb issue in this PR:
https://github.com/thunderbird/autoconfig/pull/143

Flags: needinfo?(unicorn.consulting)

We plan to enable Oauth2 for att.net - but won't update the autoconfig ispdb settings for att.net to add <authentication>OAuth2</authentication> until this patch is available to the majority of our users - otherwise Oauth2 will be prompted and no settings will be found.

Is it worth tweaking the title of this bug to something more accurate like "Migrating from 128.x > 140.x breaks existing OAuth2 email access for @att.net email, no longer downloads new messages to Inbox" or "Migrating from 128.x > 140.x breaks an existing OAuth2 email configuration for @att.net email, no longer downloads new messages to Inbox" or something along the same line?

Change of plan. It seems that autoconfig ispdb settings can be updated to support <authentication>OAuth2</authentication> without impacting builds that don't have local Oauth configuration.

This can be added safely and can ride the train.

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Assignee: nobody → toby
Attachment #9506214 - Attachment description: WIP: Bug 1978361 - Add support for att.net Oauth2. r=#thunderbird-reviewers → Bug 1978361 - Add support for att.net Oauth2. r=#thunderbird-reviewers
Attachment #9506214 - Attachment description: Bug 1978361 - Add support for att.net Oauth2. r=#thunderbird-reviewers → Bug 1978361 - Add support for att.net Oauth2. r=!arschmitz,#thunderbird-reviewers

As a more robust fix to this situation, we are in the process of enabling Oauth for att.net as suggested by Matt in comment 47

Unfortunately we've hit an edge case that is a bit trickier to solve, so we're going to land the fix and tackle the issue at another time, documenting clearly what to do to avoid the problem for now.

Roland, once this patch lands, we will have the ability for an att.net account to be set up via Oauth - starting with Daily then eventually working it's way to ESR. If users take advantage of this option, they may run into a problem if they:

1.) first set up an att.net (or currently.com) account using Oauth
2.) then try to set up a yahoo.com or myyahoo.com account using Oauth

The Yahoo Oauth system uses cookies and it seems to remember the att.net Oauth URL so if you try to add a yahoo.com account after an att.net account, it will not work.

To avoid this problem, a user can set the pref mailnews.oauth.usePrivateBrowser to true which will avoid the cookie issue and then both accounts can be set up.

I'm hoping that some of our documentation can be updated to reflect this - perhaps a callout for users who have both an att.net and a yahoo.com account to advise they simply set the pref to true.

Flags: needinfo?(roland)

Is it possible to display an account warning window alerting the user if they do account setup in the order you noted? Or perhaps sniff out if they have one or the other accounts existing and warn that it might gum things up?

Thanks Arthur,
While we could add logic to handle this specific att.net/yahoo.com case, it would only address one scenario without solving the underlying issue. The same problem can occur with any white-label email provider, and Yahoo has recently expanded this approach to other domains such as Xfinity, Comcast, and SBCGlobal so we would need to be constantly adding exceptions.

What’s really needed is a more general solution that can handle these situations across providers, rather than applying one-off fixes for each new domain conflict.

We have begun discussions to evaluate the partitioning of requests within their own container as Geoff pointed out in the patch discussion at code level, which pointed at a similar approach used for CardDAV
https://searchfox.org/comm-central/rev/9f52929439ab1c3441306c679e7ad0a4f1c834cf/mailnews/addrbook/modules/CardDAVUtils.sys.mjs#54-72

We can add this as a follow-up bug.

See Also: → 1989083
Keywords: checkin-needed-tb

Pushed by vineet@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/3d0561b8816d
Add support for att.net Oauth2. r=arschmitz

Status: REOPENED → RESOLVED
Closed: 9 months ago8 months ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

(In reply to Toby Pilling [:tobyp] from comment #53)

As a more robust fix to this situation, we are in the process of enabling Oauth for att.net as suggested by Matt in comment 47

Unfortunately we've hit an edge case that is a bit trickier to solve, so we're going to land the fix and tackle the issue at another time, documenting clearly what to do to avoid the problem for now.

Roland, once this patch lands, we will have the ability for an att.net account to be set up via Oauth - starting with Daily then eventually working it's way to ESR. If users take advantage of this option, they may run into a problem if they:

1.) first set up an att.net (or currently.com) account using Oauth
2.) then try to set up a yahoo.com or myyahoo.com account using Oauth

The Yahoo Oauth system uses cookies and it seems to remember the att.net Oauth URL so if you try to add a yahoo.com account after an att.net account, it will not work.

To avoid this problem, a user can set the pref mailnews.oauth.usePrivateBrowser to true which will avoid the cookie issue and then both accounts can be set up.

I'm hoping that some of our documentation can be updated to reflect this - perhaps a callout for users who have both an att.net and a yahoo.com account to advise they simply set the pref to true.

i should be able to document something Toby :-)
Added comment 53 to our github SUMO KB issue: NEW ARTICLE: Thunderbird and ATT fka AT&T (using Yahoo's email backend) #96

Flags: needinfo?(roland)
Target Milestone: --- → 145 Branch
Flags: needinfo?(unicorn.consulting)

Looking good.

We will probably want to also QA this in beta 145 next week so that it gets to 140.x ASAP? (perhaps it's already flagged for QA)

tracking-thunderbird_esr140: --- → +
Flags: needinfo?(toby)
Whiteboard: [datalossy]
See Also: → 1698316

Will coordinate then request uplift

Flags: needinfo?(toby)

Comment on attachment 9506214 [details]
Bug 1978361 - Add support for att.net Oauth2. r=!arschmitz,#thunderbird-reviewers

Uplift Approval Request

  • Please state case for uplift consideration and ensure bug severity is set: Allows users with att.net to configure their accounts on Thunderbird. Major ISP so lots of users.
  • User impact if declined: Users with att.net addresses will have a very difficult time setting up their account.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Daily?: Yes
  • Has the fix been verified in Beta?: Yes
  • Needs manual test from QA?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just changes Oauth settings to enable a new ISP
  • Does the fix cause any migrations to be skipped?: No
  • String changes made/needed:
Attachment #9506214 - Flags: approval-comm-esr140?

Comment on attachment 9506214 [details]
Bug 1978361 - Add support for att.net Oauth2. r=!arschmitz,#thunderbird-reviewers

[Triage Comment]
Approved for esr140

Attachment #9506214 - Flags: approval-comm-esr140? → approval-comm-esr140+
See Also: → 1697805
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: