Closed Bug 278227 Opened 20 years ago Closed 8 years ago

Thunderbird doesn't check for new messages with secure connection and "secure authentication"

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: innocenti.mauro, Unassigned)

References

Details

Verified in Thunderbird 1.0 for Linux (both standard package "tar.gz" and rpm
package from RedHat Fedora).

The "check for new messages" settings "at startup" and "every NN minutes" don't
work at all (under: Account Settings -> Server Settings).
Manually getting mail work fine.

My POP account is configured for both "secure connection" and "secure
authentication".

Mauro
Component: Preferences → General
Summary: Thunderbird don't check for new messages → Thunderbird doesn't check for new messages
My system: Linux RedHat Fedora Core 3 (Intel Xeon) with all the current updates
applied

Mauro
I have the same problem. 

i work under fedora core 2 (desktop is gnome) and have installed thunderbird
with the thunderbird-1.0.tar.gz package.

my thunderbird installation manages two accounts (one pop3 and one smtp) and
runs 8-9 hours per day.
the manually mail getting works fine for me, two. i only have problems with the
automatically mail checking (for both accounts)
This bug persits on thunderbird 1.0.2...
Still present in thunderbird 1.0.6...
Mozilla Thunderbird 1.0.6-1.1.fc4 (X11/20050720) (RPM with yum update)
----------
- Check for new messages at startup (checked)
- Check for new messages every 5 minutes (checked)
- Automatically download new messages (checked)
(others checkbox not checked for "Server Settings")

I sent message to me. I wait 1 hour... no mail received.
I close and restart Thunderbird, I receive email immediately.

"Check for new messages every xx minutes" is broken. (?)

I sent email to me. I wait 1 hour...
I click to button "Get Mail"...
No Email received... Modem dont send request (no activity LED) to server with Click.
I must use "Get All New Messages" menu from "Get Mail" button.

Button "Get Mail" is broken. (?)

There were no problems with thunderbird 1.0.2 for me.
Strange, today that works!
It happened also for me under win2K in version 1.0.2. After deleting the whole content of the folder 'News & Blogs' located under profiles, it worked again.

Problem still present in version 1.5.0.7. Check at startup work though. Just the periodic check seem to be broken.

I'm using "Secure authentication" like the original poster. Is this a clue?  This is true both under Windows and Linux. The KDC used is MIT Kerberos and the mail server is Cyrus/POP. Kerberos client software is also MIT Kerberos, both under Windows and Linux.

I have tried stuff found on Google like deleting all .msf files and restarting Thunderbird. Did not work. I have even tried woodoo stuff like unchecking the check-for-mail options, restarting three times, checking them again, restarting. Did not work either (hey, I was desperate).

I am experiencing the same problem that Tobias mentioned and am using a similiar configuration of 1.5.0.7, MIT Kerberos against a Cyrus server under Windows XP-SP2.  If I enable Kerberos and Use secure authentication, Thunderbird will check mail inisitally, but will not Automatically download new messages.  The nspr_log of POP3 and negotiateauth shows no activity after the initial download.
  
If you un-check Use Secure Connection and save the password, you can switch to using Secure Authentication and Thunderbird will properly check mail automatically at the interval specified.  I even modified the signon.txt file to have a bogus password just to make sure that Thunderbird was really using the Kerberos credentials.

When we first tried Thunderbird 1.5 Betas, I thought this was working proeprly, but we have had reports of this problem under other versions as well.
QA Contact: general
Dan is this correct?
1. enable Kerberos, Use secure authentication, check mail at login, check mail at X miniutes
2. login and successfully checks and gets mail 
3. automatic check at X minutes fails
4. uncheck secure authentication
5. automatic check mail works

Are results same with a nightly build?
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/

some similarities to bug 332623.
bug 352107 is interestingly reverse behavior (but doesn't involve authentication).

confirming based on multiple reports and not finding an obvious dupe, but this is beyond my area of expertise.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: PC → All
Summary: Thunderbird doesn't check for new messages → Thunderbird doesn't check for new messages with secure connection and "secure authentication"
(In reply to comment #10)
I tried it with 2.0.0.7pre (20070911) this morning and it still fails. I restarted Thunderbird after turning off Use Secure Authentication just to make sure that it gives me a password prompt rather than a Kerberos prompt.  If you do not have access to a Kerberized mail server and would like to see what is happening for yourself, let me know.  I may be able to let you use my testing account.

> Dan is this correct?
> 1. enable Kerberos, Use secure authentication, check mail at login, check mail
> at X miniutes
> 2. login and successfully checks and gets mail 
> 3. automatic check at X minutes fails
> 4. uncheck secure authentication
> 5. automatic check mail works
> Are results same with a nightly build?
> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/
> some similarities to bug 332623.
> bug 352107 is interestingly reverse behavior (but doesn't involve
> authentication).
> confirming based on multiple reports and not finding an obvious dupe, but this
> is beyond my area of expertise.


Dan, you you tried using the config editor (tools | options | advanced | general | config editor) and toggling network.auth.use-sspi to false, since you're using MIT Kerberos?
Dan, are the steps I listed accurate ?

(mseele hasn't responded so perhaps no longer a problem for mseele)
(In reply to comment #13)
Yes, I followed the steps you listed above (including the SSPI change mentioned by David) and got the results you indicated.
> Dan, are the steps I listed accurate ?
> (mseele hasn't responded so perhaps no longer a problem for mseele)


So far, I've been unable to replicate this.

Okay. Now I've found what I think is the problem. I suspect that this doesn't show up as much with IMAP, rather than POP3, as the IMAP client generally remains connected to the server, rather than reconnecting with each fetch.

I think that fixing it properly is going to require the UI changes I discuss in comment #17 of bug #370178, though.

The problem is the logic in nsMsgBiffManager::PerformBiff. If the server object says that it requires a password, and a password isn't available, then it won't try to fetch mail from that server. The GSSAPI code doesn't change the server object's belief that it requires a password - so this is always true for POP3, meaning that automatic fetches won't work.

There's a couple of ways of fixing this. The first is that, if we perform a successful GSSAPI bind against the server, we set this to false for subsequent calls into that server object. The danger here is that, when your credentials expire, you'll get prompted for a password - which may cause Thunderbird, and the user, pain when that happens from within the automatic fetching process.

The second way is to change the Thunderbid UI so that it knows when you want to talk GSSAPI. This would mean that it could tell whether Biffs without a stored password were safe or not, and would never fallback to a password prompt.

I did have a UI mockup for this approach, and had started on some code. I just can't find which Thunderbird tree I left it in ...

Your thoughts jive with what I saw when I saved a bogus password in my comment #9 above.  

Changing the UI might help in providing a better error message to the end user but would this UI change affect how the SMTP authentication is done. Currently Thunderbird uses the Kerberos credentials if it has them when sending authenticated mail, otherwise it falls back to a password prompt.  

We have been using Kerberos for years and when a user's credentials expire, our users don't have any problems responding to the prompt for Kerberos credentials.  The problem I see without the UI change is that if a user cancels out of the Kerberos authentication prompt Thunderbird would issue a password prompt which could be confusing to an end user.
Depends on: 370178
Assignee: mscott → nobody
What is the status of this bug? I think I have bumped into the same problem. Are there any fixes yet?
Blocks: 511832
Component: General → Security
Mauro, the reporter, writes "I haven't had that problem for a long time."
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.