Thunderbird ssl on POP account
Hi;
My email provider says that they support SSL on POP accounts, but not STARTTLS or SSL/TLS, which are what Thunderbird 78.6.0 supports. Is there any way to work around this besides switching providers or going to IMAP?
Attempting to use STARTTLS or SSL/TLS just results in no email being retrieved - no error message.
All Replies (3)
Perhaps your provider has an issue with comprehension, or functioning in the 21st century. SSL is obsolete and has been for quite a number of years, with the last version (SSL3) released in 1996. My understanding is SSL has not been supported out of the box since about 2014. TLS replaced it hence the SSL/TLS option as one was a direct replacement of the other.
The most recent change in Thunderbird 78 is it ceased to support TLS V1.0 and 1.1, but as version 1.2 was released in 2008 and 1.3 in 2018 that s not really all that surprising. But it is truly amazing how many providers are charging folks to use systems that still only have these broken protocols.
You do not provide any information on what provider you use, or the server settings so I can not offer anything specific, only generalities.
There is a config editor setting that can be used to set the minimum and maximum versions, overriding good default security however to enable defective should be see as a short term solution.
The settings are
security.tls.version.min security.tls.version.max
The acceptable values for each of these are
0 SSL 3.0 The Default up to TB 33.0 1 TLS 1.0 The default for the minimum required version until Thunderbird 78 released.) 2 TLS 1.1 3 TLS 1.2 The default for the maximum supported version up to Thunderbird 78.) 4 TLS 1.3 The current max version supported.
Hi Matt;
thank you for taking the time to respond.
I am using hostmysite.com
When I use the send settings win-mail05.hostmanagement.net 465 SSL/TLS normal password
Thunderbird says: Sending of the message failed. Peer using unsupported version of security protocol. The configuration related to win-mail05.hostmanagement.net must be corrected.
When I use the retrieval settings win-mail05.hostmanagement.net 995 SSL/TLS normal password nothing comes back
The ISP support says they support TLS v1.2 (working on 1.3 but not there yet)
I checked the TLS versions settings and they are what I would expect.
security.tls.version.min =3
security.tls.version.max =4
They claim the following work:
- POP**:
Incoming mail server (hostname): win-mail05.hostmanagement.net Port: 995 with SSL
- Username:** your full email address
- Password:** the password for the email address
Outgoing mail server (hostname): win-mail05.hostmanagement.net Port: 465 with SSL Authentication is required
- Username**: your full email address
- Password**: the password for the email address
---
- IMAP:**
Incoming mail server (hostname): win-mail05.hostmanagement.net Port: 993 with SSL
- Username**: your full email address
- Password**: the password for the email address
Outgoing mail server (hostname): win-mail05.hostmanagement.net Port: 465 with SSL Authentication is required
- Username**: your full email address
- Password**: the password for the email address
Bob
After some experimentation, email downloads using port 995 and SSL/TLS if the security.tls.version.min is set to 1, but not 2.
So, either Thunderbird is having difficulty with identifying & using the TLS version of the email provider or the email provider supports TLS differently than they say.
While I am happy to be using an encrypted protocol for sending a password, this version mismatch still seems odd.
In the case where it doesn't work ( security.tls.version.min=2) the server sent back TLSv1 1270 Server Hello, Certificate, Certificate Status, Server Key Exchange, Server Hello Done which contains a request for Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) and a certificate
In the next packet after that, Thunderbird replied with a fatal alert (70 which means "The protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal.") - see
Transport Layer Security
TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Protocol Version (70)
When security.tls.version.min is set to 1, the response from Thunderbird is different:
Transport Layer Security
TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 70
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 66
EC Diffie-Hellman Client Params
Pubkey Length: 65
Pubkey: 040567da4037fcb35067904996267cdaab2f3e18ee25d9a580aa60c8f8bbe191755ee9b3…
TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.0 (0x0301)
Length: 1
Change Cipher Spec Message
TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 48
Handshake Protocol: Encrypted Handshake Message