Thunderbird ssl on POP account

  • 3 replies
  • 1 has this problem
  • 14 views
  • Last reply by b_mozilla


Hi;

My email provider says that they support SSL on POP accounts, but not STARTTLS or SSL/TLS, which are what Thunderbird 78.6.0 supports. Is there any way to work around this besides switching providers or going to IMAP?

Attempting to use STARTTLS or SSL/TLS just results in no email being retrieved - no error message.


All Replies (3)


Perhaps your provider has an issue with comprehension, or functioning in the 21st century. SSL is obsolete and has been for quite a number of years, with the last version (SSL3) released in 1996. My understanding is SSL has not been supported out of the box since about 2014. TLS replaced it hence the SSL/TLS option as one was a direct replacement of the other.

The most recent change in Thunderbird 78 is it ceased to support TLS V1.0 and 1.1, but as version 1.2 was released in 2008 and 1.3 in 2018 that's not really all that surprising. But it is truly amazing how many providers are charging folks to use systems that still only have these broken protocols.

You do not provide any information on what provider you use, or the server settings, so I cannot offer anything specific, only generalities.

There is a config editor setting that can be used to set the minimum and maximum versions, overriding good default security; however, to enable defective should be seen as a short-term solution.

The settings are

security.tls.version.min 
security.tls.version.max

The acceptable values for each of these are

0  SSL 3.0  The default up to TB 33.0
1  TLS 1.0  The default for the minimum required version until Thunderbird 78 was released.
2  TLS 1.1
3  TLS 1.2  The default for the maximum supported version up to Thunderbird 78.
4  TLS 1.3  The current max version supported.

Hi Matt;

thank you for taking the time to respond.

I am using hostmysite.com

When I use the send settings win-mail05.hostmanagement.net 465 SSL/TLS normal password

Thunderbird says: Sending of the message failed. Peer using unsupported version of security protocol. The configuration related to win-mail05.hostmanagement.net must be corrected.

When I use the retrieval settings win-mail05.hostmanagement.net 995 SSL/TLS normal password nothing comes back

The ISP support says they support TLS v1.2 (working on 1.3 but not there yet)


I checked the TLS versions settings and they are what I would expect: security.tls.version.min = 3, security.tls.version.max = 4

They claim the following work:

POP:

Incoming mail server (hostname): win-mail05.hostmanagement.net Port: 995 with SSL

    • Username: your full email address
    • Password: the password for the email address

Outgoing mail server (hostname): win-mail05.hostmanagement.net Port: 465 with SSL. Authentication is required.

    • Username: your full email address
    • Password: the password for the email address

---

IMAP:

Incoming mail server (hostname): win-mail05.hostmanagement.net Port: 993 with SSL

    • Username: your full email address
    • Password: the password for the email address

Outgoing mail server (hostname): win-mail05.hostmanagement.net Port: 465 with SSL. Authentication is required.

    • Username: your full email address
    • Password: the password for the email address

Bob


After some experimentation, email downloads using port 995 and SSL/TLS if the security.tls.version.min is set to 1, but not 2.

So, either Thunderbird is having difficulty with identifying & using the TLS version of the email provider or the email provider supports TLS differently than they say.

While I am happy to be using an encrypted protocol for sending a password, this version mismatch still seems odd.

In the case where it doesn't work (security.tls.version.min=2) the server sent back TLSv1 1270 Server Hello, Certificate, Certificate Status, Server Key Exchange, Server Hello Done, which contains a request for Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) and a certificate.

In the next packet after that, Thunderbird replied with a fatal alert (70 which means "The protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal.") - see

Transport Layer Security

   TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
       Content Type: Alert (21)
       Version: TLS 1.0 (0x0301)
       Length: 2
       Alert Message
           Level: Fatal (2)
           Description: Protocol Version (70)

When security.tls.version.min is set to 1, the response from Thunderbird is different:

Transport Layer Security

   TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
       Content Type: Handshake (22)
       Version: TLS 1.0 (0x0301)
       Length: 70
       Handshake Protocol: Client Key Exchange
           Handshake Type: Client Key Exchange (16)
           Length: 66
           EC Diffie-Hellman Client Params
               Pubkey Length: 65
               Pubkey: 040567da4037fcb35067904996267cdaab2f3e18ee25d9a580aa60c8f8bbe191755ee9b3…
   TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
       Content Type: Change Cipher Spec (20)
       Version: TLS 1.0 (0x0301)
       Length: 1
       Change Cipher Spec Message
   TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
       Content Type: Handshake (22)
       Version: TLS 1.0 (0x0301)
       Length: 48
       Handshake Protocol: Encrypted Handshake Message
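
Added example, not part of any poster's reply and not Thunderbird or NSS code: a small Python decoder for the TLS records shown in the capture above, which reads the version and cipher suite the server picked and compares them with the `security.tls.version.min`/`max` values from the table earlier in the thread. The function names are hypothetical, the ServerHello bytes are constructed, and `client_verdict` is a simplified model that only covers the TLS 1.2-and-older ServerHello layout.

```python
import struct

# Thunderbird security.tls.version.min/max values -> wire versions (table in the thread)
PREF_TO_WIRE = {0: 0x0300, 1: 0x0301, 2: 0x0302, 3: 0x0303, 4: 0x0304}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}  # subset only

def parse_records(data):
    """Split raw bytes into TLS records: (content_type, version, payload)."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack_from("!BHH", data, off)
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((ctype, version, payload))
        off += 5 + length
    return records

def server_hello_choice(payload):
    """Return (version, cipher_suite) from a ServerHello (TLS 1.2 and older layout)."""
    if len(payload) < 39 or payload[0] != 2:
        raise ValueError("not a ServerHello")
    version = struct.unpack_from("!H", payload, 4)[0]
    sid_len = payload[38]  # follows 4-byte header, 2-byte version, 32-byte random
    if len(payload) < 39 + sid_len + 2:
        raise ValueError("truncated ServerHello")
    return version, struct.unpack_from("!H", payload, 39 + sid_len)[0]

def client_verdict(server_version, pref_min, pref_max):
    """Model of the behaviour in the capture: out-of-range version -> alert 70."""
    lo, hi = PREF_TO_WIRE[pref_min], PREF_TO_WIRE[pref_max]
    return "continue handshake" if lo <= server_version <= hi else "fatal alert 70"

def describe_alert(payload):
    level, desc = payload[0], payload[1]
    return f"{ALERT_LEVELS.get(level, level)}: {ALERT_NAMES.get(desc, desc)}"

# Constructed ServerHello: TLS 1.0, zeroed random, empty session id, suite 0xc014
_body = b"\x03\x01" + bytes(32) + b"\x00" + b"\xc0\x14" + b"\x00"
SERVER_HELLO = (b"\x16\x03\x01" + struct.pack("!H", len(_body) + 4)
                + b"\x02" + len(_body).to_bytes(3, "big") + _body)
# Alert record built from the field values in the capture (type 21, 0x0301, len 2, level 2, desc 70)
ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    hello, alert = parse_records(SERVER_HELLO + ALERT)
    version, cipher = server_hello_choice(hello[2])
    for pref_min in (1, 2):
        print(f"min={pref_min}: server 0x{version:04x} ->", client_verdict(version, pref_min, 4))
    print(describe_alert(alert[2]))
```

A ServerHello version of 0x0301 while the provider states TLS 1.2 support is the mismatch to raise with them; lowering `security.tls.version.min` only hides it.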