Open Bug 288185 Opened 20 years ago Updated 16 years ago

POP3 authentication fails if server doesn't expect base64 in AUTHINFO

Categories

(MailNews Core :: Networking: POP, defect)

defect
Not set
major

Tracking

(Not tracked)

People

(Reporter: colin, Unassigned)

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0

I installed both Thunderbird 1.0 and 1.02, the same problem occurs.
After installing Thunderbird, it takes all the incoming and outgoing details (for
only 1 of my email accounts, even though I have 2 on Outlook Express), then
prompts me to enter my password.  After entering my password, I get an error
reporting invalid userid/password (Even though I know they are correct).
This happens for both of my email accounts.


Reproducible: Always

Steps to Reproduce:
1. Install Thunderbird 1.0 or 1.02
2. Wait until it has imported all the information and put in the password
3.

Actual Results:  
It fails with error: invalid userid/password

Expected Results:  
Accepted my password and got my mail

I do not know if this is a compatibility problem between Thunderbird and
mail.iscg.net and mail.my-bulldog.com, but the url for information from them,
visit http://www.bulldogdsl.com, and you will need to contact me for the other
ISP information.
Version: unspecified → 1.0
Clearing confidential flag, not a security exploit.

I'm not a mail person, but it doesn't look like there is enough information here
to diagnose a bug. I recommend getting help narrowing down the problem (which
might be a mail bug, might be a migration bug, might be user error on account
setup) from the free user support options listed at
http://www.mozilla.org/support/#community
Group: security
Whiteboard: [sg:nse]
Windows XP Pro SP2, Athlon 2800+, 1GB PC3200, Radeon 9800 Pro (128MB)
I get this error (server reports incorrect password) when there are no new
messages on the server (wowway.com). If I get mail later and there are new
messages it seems to work ok to retrieve them.
I believe that I can shed some light on this issue.  At least I hope so, as I have the same problem.  I happen to have Ethereal and thunderbird installed on each of two laptops.  On one, I have thunderbird 0.7 while the other has version 1.6a1.  Interestingly, 0.7 authenticates without any trouble.  Here's what I see when I use 0.7:

Request: CAPA
Response: +OK Capability list follows (Same as below)
Request: USER ______
Response: +OK Welcome
Request: PASS ______
Response: +OK maildrop locked and ready

when I use 1.5, I see:

Request: CAPA
Response: +OK Capability list follows
          TOP
          USER
          SASL LOGIN PLAIN
          RESP-CODES
          LOGIN-DELAY
          PIPELINING
          EXPIRE 30 USER
          UIDL
          IMPLEMENTATION Ipswitch_Imail_5.0
Request: AUTH PLAIN
Continuation
Request: azE5ajQyZw==
Continuation
Request: USER ______
Response: -ERR Invalid userid/password
Request: PASS ______
Response: -ERR Not in authorization state

If thunderbird and the server are both using plain text authorization, why were my user and password fields encoded in base64?  I believe that rfc 2595 adequately describes 'auth plain' as sending plain-text user and password fields.
Hello there,

I have the same problem using Windows XP Professional [5.1.2600] with TB 1.5 20051201. The correct login and pw are saved by TB, but the problem also occurs when pw is not saved. The first time TB fetches mail itself, everything works fine. When I click on the button to get my mail I get 6 times the message: error sending password. Mailserver pop3.webpage.t.com.de answered: logon failure. unknown username or bad password. After the 6th error message I get my mail from t-com. I have 2 accounts at freenet working without problems and 3 accounts at t-com. I already phoned t-com, but they say their server's working fine, because I get my mail. I should try the latest version of TB or Outlook Express.
Same problem occurs on one of my POP accounts.

The account works in Outlook, but fails every time in TB 1.5.0.5.

Attached is a TB debug log, an Ethereal tcp trace of TB and an Ethereal trace of Outlook.  The only changes to the files were for removing passwords, adding "Request: ", adding "Response: " and removing blank lines.

TB stream:

Response: +OK X1 NT-POP3 Server emailsrvr.tiv.com (IMail 7.07 9409-1)
Request: AUTH
Response: -ERR authentication exchange failed
Request: CAPA
Response: +OK Capability list follows
TOP
USER
SASL LOGIN PLAIN CRAM-MD5
RESP-CODES
LOGIN-DELAY 120
PIPELINING
EXPIRE 30 USER
UIDL
IMPLEMENTATION Ipswitch_IMail_6.0
.
Request: AUTH PLAIN
Response: + VXNlcm5hbWU6
Request: YmpvbmVz
Response: + UGFzc3dvcmQ6
Request: USER bjones
Response: -ERR Invalid userid/password
Request: PASS pswdpswdpa
Response: -ERR Not in authorization state

Outlook stream:

Response: +OK X1 NT-POP3 Server emailsrvr.tiv.com (IMail 7.07 9333-1)
Request: USER bjones
Response: +OK send your password
Request: PASS pswdpswdpa
Response: +OK maildrop locked and ready
Request: STAT
Response: +OK 0 0
Request: QUIT
Response: +OK POP3 Server saying Good-Bye
Attached file TB 1.5.0.5 pop debug log —
Attached file TB 1.5.0.5 tcp stream —
Some versions of the Ipswitch mail server are broken with respect to some authentication mechanisms  and it looks like you're running into that.

auth plain is base64 encoded by definition.

Outlook is not even trying auth plain, which is why it doesn't have this problem.

You can turn off auth login by setting a hidden pref using the config editor in tools | options | advanced

  set "mail.server.serverX.auth_login" to false
where X is the server number for the server you're having this issue with.

hope this helps!
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
You rock!  That did the trick.  Thanks.
(In reply to comment #10)
> Some versions of the Ipswitch mail server are broken with respect to some
> authentication mechanisms  and it looks like you're running into that.
> 
> auth plain is base64 encoded by definition.


While I can confirm that the hidden pref worked for me, I'd like clarification of your statement that 'auth plain is base64 encoded by definition'.   Can you provide a reference to the formal definition that you are using?
I was basing it on the code :-) , but here's one reference: http://www.exim.org/exim-html-4.20/doc/html/spec_33.html

Excellent.  Some of the text in your exim reference appears to have been lifted directly from the formal specification RFC-2554 (http://www.faqs.org/rfcs/rfc2554.html).  That certainly demonstrates that the exim authors intended to implement that rfc.

The only issue is that RFC2554 (and exim for that matter) implement the SMTP protocol.  This bug has to do with authentication to a POP3 account so SMTP (RFC-2554) is the wrong standard.  Thunderbird needs to implement the RFC-2595 standard when connecting to a POP3 server.

The problem is that RFC-2595 provides a different definition for the auth command.  Quoting from it, "The mechanism consists of a single message from the client to the
   server.  The client sends the authorization identity (identity to
   login as), followed by a US-ASCII NUL character, followed by the
   authentication identity (identity whose password will be used),
   followed by a US-ASCII NUL character, followed by the clear-text
   password."

From what I've seen, I believe that this bug should be re-opened.
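
Added example, not part of the original thread or of Thunderbird's code: RFC 2595 defines the content of the PLAIN message, while the POP3 AUTH command (RFC 1734) carries every challenge and response as a base64 line. The sketch below builds that message and decodes the base64 tokens from the "TB stream" capture above; the function names are hypothetical, and reading the decoded prompts as LOGIN-style behaviour is an interpretation.

```python
import base64
import binascii

# Lines copied from the "TB stream" capture posted earlier in this bug
# (the reporter had already replaced the real password).
TB_STREAM = """\
Request: AUTH PLAIN
Response: + VXNlcm5hbWU6
Request: YmpvbmVz
Response: + UGFzc3dvcmQ6
Request: USER bjones
Response: -ERR Invalid userid/password
"""


def sasl_plain_message(authcid, password, authzid=""):
    """PLAIN message per the RFC 2595 text quoted above."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))


def pop3_auth_line(message):
    """POP3 AUTH sends each SASL client response as one base64 line."""
    return base64.b64encode(message).decode("ascii")


def decode_token(token):
    """Return the decoded bytes, or None if token is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyse(trace):
    """Decode the base64 lines of one AUTH exchange and flag mismatches."""
    mech, challenges, responses, active = None, [], [], False
    for line in trace.splitlines():
        kind, _, body = line.partition(": ")
        if kind == "Request" and body.upper().startswith("AUTH "):
            mech, active = body.split()[1].upper(), True
        elif not active:
            continue
        elif kind == "Response" and body.startswith("+") and not body.startswith("+OK"):
            challenges.append(decode_token(body[1:].strip()))
        elif kind == "Request" and decode_token(body) is not None:
            responses.append(decode_token(body))
        else:
            active = False  # +OK, -ERR, or a plain POP3 command ends it
    return {
        "mechanism": mech,
        "challenges": challenges,
        "responses": responses,
        # PLAIN expects an empty challenge; a text prompt per field is how
        # the non-standard LOGIN mechanism behaves (interpretation).
        "prompt_per_field": mech == "PLAIN" and any(challenges),
        # A PLAIN response decodes to exactly three NUL-separated fields.
        "plain_shaped": any(r.count(b"\0") == 2 for r in responses),
    }


if __name__ == "__main__":
    print(analyse(TB_STREAM))
    print(pop3_auth_line(sasl_plain_message("bjones", "pswdpswdpa")))
```

On the captured exchange the server's two continuations decode to the prompts `Username:` and `Password:`, and the one client response decodes to the bare user name rather than a NUL-separated PLAIN message.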

unfortunately, every other imap and pop3 server that I know of seems to expect the auth plain username+password to be base64 encoded. Do you know of any that don't, besides this one?
In all honesty, I don't know of any but that's because I've never sought them out.  I've been giving this some thought, and while your question is reasonable, is it central to the issue?  Better questions might be, "Are enough people unable to login that it's affecting Thunderbird's reputation?", "Do the people who can't login submit bug reports that consume valuable development time?", etc.

I've listed three possible solutions.  I'm sure that others exist but these should be representative.  I personally prefer the last but that's just me.

1) Leave things just as they are.  Those people who can't authenticate will abandon Thunderbird (as I did until receiving your solution).  I seriously doubt that many will take the time to find this bug report.

2) Formally document the auth_login preference.  That may help retain some people but, I suspect, not very many.  Most people seem to expect software to just work.  If it won't even connect to the server, I believe that they'll give up without reading the documentation.

3) Change Thunderbird to perform both types of auth commands.  I've given some thought to this idea.  All of the difficult pieces are already written, they just need to be tied together.  Here's one possible algorithm...

 Examine the auth_login pref to determine whether its value is UNSET, TRUE, or FALSE.

 If TRUE then
   send the auth command using base64 encoding.
 else if FALSE then
   send the auth command using plain-text.
 else if UNSET then
   send the auth command using base64

   if the user authenticates successfully then
     set the auth_login preference to TRUE
   else
     repeat the authentication sequence sending the auth command using plain-text
     
     if the user authenticates successfully then
       set the auth_login preference to FALSE
     end if
   end if
 end if

With this algorithm, Thunderbird makes two authentication attempts for each login until the user successfully authenticates.  Once they've authenticated, Thunderbird locks in the proper auth command to authenticate them in the future.

In Finland our major isp has some servers that cause exactly the same problem with Thunderbird and several people have been asking what to do and probably even more are just stopping using Thunderbird because of this. Those people speak English poorly or are not technical enough to use bugzilla, so I decided to write for them. I have also experienced this problem and the workaround in #10 worked for me also.

So I would like that this bug would be reopened and some workaround would be implemented for it. I will also try to contact the isp in hope that they would fix their servers, as they seem to have some of their servers working already there is a small hope that they will do this. 
Reijo - are they using the ipswitch mail servers? Can you get a pop3 protocol log?
(In reply to comment #18)
> Can you get a pop3 protocol log?

No I can't. I tried instructions mentioned in here: http://www-stage.mozilla.org/quality/mailnews/mail-troubleshoot.html

I tried 1.5.0.5 and 1.5.0.7 on Windows, 1.5.0.x on Linux and latest trunk (3.0a) on Linux, and all of them produced just an empty logfile. I don't understand what I'm doing wrong. The empty file is created even when testing with a successful connection. Here is one example I tried in Windows:
set NSPR_LOG_MODULES=protocol:5
set NSPR_LOG_FILE=c:\tmp\filename
start D:\Ohjelmatiedostot\Mozilla\Thunderbird\thunderbird.exe

If you can advise how to get this log, I'm happy to give it. Hopefully it doesn't include compiling Thunderbird, but I could try that on Linux also if nothing else helps.
(In reply to comment #19)

try

set NSPR_LOG_MODULES=pop3:5
set NSPR_LOG_FILE=c:\tmp\filename
start D:\Ohjelmatiedostot\Mozilla\Thunderbird\thunderbird.exe

I made the same mistake. I guess the documentation could be clearer.
Here is the log from the Windows version, when it fails to retrieve new messages from the server (there is probably also the start of a second login attempt in it):

0[2c4700]: Entering NET_ProcessPop3 134
0[2c4700]: POP3: Entering state: 1
0[2c4700]: POP3: Entering state: 2
0[2c4700]: POP3: Entering state: 4
0[2c4700]: RECV: +OK AVG POP3 Proxy Server <24180AB488E4022533B40AD5219DC6D474AB9741@pne-msproxy3-sn1.fre.skanova.net> 7.1.400/7.1.407 [268.13.0/465]
0[2c4700]: POP3: Entering state: 29
0[2c4700]: SEND: AUTH

0[2c4700]: Entering NET_ProcessPop3 69
0[2c4700]: POP3: Entering state: 3
0[2c4700]: RECV: +OK list of SASL extensions follows
0[2c4700]: POP3: Entering state: 30
0[2c4700]: RECV: CRAM-MD5
0[2c4700]: POP3: Entering state: 30
0[2c4700]: RECV: DIGEST-MD5
0[2c4700]: POP3: Entering state: 30
0[2c4700]: RECV: PLAIN
0[2c4700]: POP3: Entering state: 30
0[2c4700]: RECV: .
0[2c4700]: POP3: Entering state: 31
0[2c4700]: SEND: CAPA

0[2c4700]: Entering NET_ProcessPop3 152
0[2c4700]: POP3: Entering state: 3
0[2c4700]: RECV: +OK Capability list follows
0[2c4700]: POP3: Entering state: 32
0[2c4700]: RECV: TOP
0[2c4700]: POP3: Entering state: 32
0[2c4700]: RECV: RESP-CODES
0[2c4700]: POP3: Entering state: 32
0[2c4700]: RECV: USER
0[2c4700]: POP3: Entering state: 32
0[2c4700]: RECV: SASL CRAM-MD5 DIGEST-MD5 PLAIN
0[2c4700]: POP3: Entering state: 32
0[2c4700]: RECV: PIPELINING
0[2c4700]: POP3: Entering state: 32
0[2c4700]: RECV: UIDL
0[2c4700]: POP3: Entering state: 32
0[2c4700]: RECV: IMPLEMENTATION CPMS-7.2.060.1
0[2c4700]: POP3: Entering state: 32
0[2c4700]: RECV: AUTH-RESP-CODE
0[2c4700]: POP3: Entering state: 32
0[2c4700]: RECV: .
0[2c4700]: POP3: Entering state: 33
0[2c4700]: POP3: Entering state: 5
0[2c4700]: SEND: AUTH PLAIN

0[2c4700]: Entering NET_ProcessPop3 12
0[2c4700]: POP3: Entering state: 3
0[2c4700]: RECV: + go ahead
0[2c4700]: POP3: Entering state: 34
0[2c4700]: POP3: Entering state: 6
0[2c4700]: Logging suppressed for this command (it probably contained authentication information)
0[2c4700]: Entering NET_ProcessPop3 38
0[2c4700]: POP3: Entering state: 3
0[2c4700]: RECV: -ERR [AUTH] invalid user or password
0[2c4700]: POP3: Entering state: 34
0[2c4700]: POP3: Entering state: 24
0[2c4700]: POP3: Entering state: 0
I think you've got a virus checker proxy server in the way so I can't tell what the pop3 server really is.
I can't get the error anymore so I assume that the isp actually did something for that server (I assume I was not the only one contacting them about this issue.) so I can't get a new log at the moment. 

But even though I'm not having the problem at the moment, I am afraid that it will at some point come back haunting. I do think that there should be some kind of fix for this issue in Thunderbird also. For example when auth fails, the program could try disabling the auth_login and testing the connection again.

If disabling it is considered a security issue, the program could at least ask the user what to do and provide an easy "click here" method to work around the problem. 
*** Bug 356920 has been marked as a duplicate of this bug. ***
I do think we should do something about this...
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
I am having this same problem with TB 1.5.0.9 (20061207) and XP Pro SP2.  I have three other email accounts that work flawlessly, but after setting up a new one last night, I cannot get TB to access it.  I have communicated with my ISP at length and there is no problem there.  I use MailWasher, and it finds the account and reports that there are two emails on the server.  I have verified the login data multiple times and still no success.  I checked the fix suggested in Comment #10, but that line does not appear in the Config.  What now???
First of all, you need to add that setting to the config, and you need to make sure you use the right X for serverX.
OK... I added the line to the config, but still no success.  I did exit Thunderbird and restart, as well as being sure that both the login and password are correct.
...and yes I did make sure that I used the right X for serverX.
you could always try the instructions for generating a protocol log in https://bugzilla.mozilla.org/show_bug.cgi?id=288185#c20 - it's unclear to me what specific problem you're having...
Sorry... I thought I made it more clear.  I set up a new email account (I have three others working properly) and every time I try to get my mail I get the following error message: "Sending of password did not succeed.  Mail server pop.surewest.net responded: Message Server said: Invalid login".  The username and password are correct.  I am not familiar with generating a protocol log, but I can try if that is necessary.
OK... I managed to do it... here is the logfile.

0[274818]: Entering NET_ProcessPop3 47
0[274818]: POP3: Entering state: 1
0[274818]: POP3: Entering state: 2
0[274818]: POP3: Entering state: 4
0[274818]: RECV: +OK Mirapoint POP3PROXY 3.7.0-GA server ready
0[274818]: POP3: Entering state: 29
0[274818]: SEND: AUTH

0[274818]: Entering NET_ProcessPop3 45
0[274818]: POP3: Entering state: 3
0[274818]: RECV: +OK List of supported mechanisms follows
0[274818]: POP3: Entering state: 30
0[274818]: RECV: .
0[274818]: POP3: Entering state: 31
0[274818]: SEND: CAPA

0[274818]: Entering NET_ProcessPop3 27
0[274818]: POP3: Entering state: 3
0[274818]: RECV: -ERR Unrecognized command
0[274818]: POP3: Entering state: 32
0[274818]: POP3: Entering state: 33
0[274818]: POP3: Entering state: 5
0[274818]: SEND: USER wolfram

0[274818]: Entering NET_ProcessPop3 29
0[274818]: POP3: Entering state: 3
0[274818]: RECV: +OK Name is a valid mailbox
0[274818]: POP3: Entering state: 34
0[274818]: POP3: Entering state: 6
0[274818]: Logging suppressed for this command (it probably contained authentication information)
0[274818]: Entering NET_ProcessPop3 31
0[274818]: POP3: Entering state: 3
0[274818]: RECV: +OK Maildrop locked and ready
0[274818]: POP3: Entering state: 34
0[274818]: POP3: Entering state: 7
0[274818]: SEND: STAT

0[274818]: Entering NET_ProcessPop3 9
0[274818]: POP3: Entering state: 3
0[274818]: RECV: +OK 0 0
0[274818]: POP3: Entering state: 8
0[274818]: POP3: Entering state: 22
0[274818]: SEND: QUIT

0[274818]: Entering NET_ProcessPop3 5
0[274818]: POP3: Entering state: 3
0[274818]: RECV: +OK
0[274818]: POP3: Entering state: 43
0[274818]: POP3: Entering state: 23
0[274818]: POP3: Entering state: 25
0[274818]: Entering NET_ProcessPop3 47
0[274818]: POP3: Entering state: 1
0[274818]: POP3: Entering state: 2
0[274818]: POP3: Entering state: 4
0[274818]: RECV: +OK Mirapoint POP3PROXY 3.7.0-GA server ready
0[274818]: POP3: Entering state: 29
0[274818]: SEND: AUTH

0[274818]: Entering NET_ProcessPop3 45
0[274818]: POP3: Entering state: 3
0[274818]: RECV: +OK List of supported mechanisms follows
0[274818]: POP3: Entering state: 30
0[274818]: RECV: .
0[274818]: POP3: Entering state: 31
0[274818]: SEND: CAPA

0[274818]: Entering NET_ProcessPop3 27
0[274818]: POP3: Entering state: 3
0[274818]: RECV: -ERR Unrecognized command
0[274818]: POP3: Entering state: 32
0[274818]: POP3: Entering state: 33
0[274818]: POP3: Entering state: 5
0[274818]: SEND: USER wolftrax

0[274818]: Entering NET_ProcessPop3 29
0[274818]: POP3: Entering state: 3
0[274818]: RECV: +OK Name is a valid mailbox
0[274818]: POP3: Entering state: 34
0[274818]: POP3: Entering state: 6
0[274818]: Logging suppressed for this command (it probably contained authentication information)
0[274818]: Entering NET_ProcessPop3 41
0[274818]: POP3: Entering state: 3
0[274818]: RECV: -ERR Message Server said: Invalid login
0[274818]: POP3: Entering state: 34
0[274818]: POP3: Entering state: 24
0[274818]: POP3: Entering state: 0
0[274818]: POP3: Entering state: 25
is TB prompting for the password each time? Does the password contain any non alphanumeric characters, e.g., characters with accents? The authentication mechanism used (USER xxx PASSWORD xxx) is pretty straightforward.
Yes, TB does prompt for the password each time.  The password is merely 5 digits and 4 lowercase letters.  Similar to what I use with all of the other mail accounts.
Today I changed the password with my ISP to one with 5 lowercase letters and 4 digits, to see if that would make any difference.  Still the same problem.
have you tried telnetting to the pop3 port on the server and logging on manually?  I'm reasonably sure that TB handles USER PASS w/o a problem.

so, something like

telnet <server name> 110  (the pop3 port is 110) 

user <username> 
pass <password>

Mirapoint POP3PROXY 3.7.0-GA server ready

I suspect the pop3 proxy might be involved with the problem...
Telnetting is something I am not familiar with, but I am willing to try.  I do know that the tech at my ISP can log onto the server with my username and password with no problem.
I just got the problem solved.  I had to use the full email address in the "username" of Thunderbird.  I was on the phone with a tech at my ISP and he said it had to be that way.  What he couldn't tell me is why it is necessary for just this new address and not the other two that I have.  He says that they are on the same server, too.

Thanks for your help!
Whiteboard: [sg:nse]
QA Contact: account-manager
David, from what I understand, two separate POP login problems are in this bug:

1. Some POP3 servers expect AUTHINFO to not be base64.
2. Ron's problem which is INVALID and out of scope.

Would you rather:
A) RESO INCO this bug and open a new bug on the AUTHINFO/base64 problem.
B) confirm this bug and change the summary to reflect the problem better?

(moving bug to Core -> Networking: POP as that is what this problem really is)
Assignee: mscott → nobody
Component: Account Manager → Networking: POP
OS: Windows XP → All
Product: Thunderbird → Core
QA Contact: account-manager → networking.pop
Hardware: PC → All
Version: 1.0 → unspecified
Joshua, I think B is better, thx.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: POP3 password failed with error invalid userid/password → POP3 authentication fails if server doesn't expect base64 in AUTHINFO
Product: Core → MailNews Core