Thunderbird & gmail
I don't understand the article about "Automatic Conversion of Google mail accounts to Oauth2 authentication.
As a gmail POP3 email account user does this mean if I am on Thunderbird 91.8 (or 91.9) I need do nothing about getting an App password from Gmail and when Google forces 2SV upon me Thunderbird will automatically cope with this ? We were told gmail/Google would not accept/allow/permit Oauth2 authentication for POP3 (and therefore we would have to use an App password). Has Thunderbird found a way to deal with this ?
If not and I have to have an App password, can I just edit passwords in Saved Passwords (Password Manager) to insert the App password instead - and will this automatically then be saved; or do I have to delete the passwords, then go through the Get New Mail (and subsequently the Write & Send) to insert the App password and remember to check "save it in passwords" or "use password manager" to get it into the Saved Passwords ? (I get conflicting answers when I search for advice)
Thank you
The image which may be attached belongs to a different question "Thunderbird & icons" but I have been unable to to delete it from here.
Modified
All Replies (11)
I need do nothing about getting an App password from Gmail and when Google forces 2SV upon me Thunderbird will automatically cope with this?
Correct.
We were told gmail/Google would not accept/allow/permit Oauth2 authentication for POP3 (and therefore we would have to use an App password).
Not correct.
Has Thunderbird found a way to deal with this ?
Yes. I don't remember since which version, but it's been quite a while.
Thank you for your response & help which I appreciate.
I have seen that Google themselves still have notification that they will not allow Oauth2 authorisation on POP3 accounts. However you say this is incorrect now.
Are you able to tell me exactly what will happen when gmail institute 2SV on 30 May. (I presume I will know the gmail change has taken place because I won't be able to send or receive, is that correct?) Will Thunderbird automatically convert the authorisation method to Oauth2 or do I need to change the account settings please ? .......
I have seen a recent response by another "Top 10 contributor" to another post (question 1369823) saying "Tools/Account Settings, set the authentication method on the incoming and outgoing servers to OAuth2, then restart TB and enter the account password in the OAuth window to allow TB access." This seems to partly answer (although I think it means the place to go to is Tools-Account Settings-Server Settings-Security Settings for the incoming POP3 server) but I don't understand why it says I have to "enter the account password". I won't have altered the password so why would I have to enter it & where ?
Will I also need to change the smtp server authentication method by going to Account Setting-[emailaccountname]-Default Identity-Outgoing Server, then Edit SMTP server ?
Sorry to be so stupid, but am I correct in understanding that I can simply edit the fields as stated above, close Thunderbird then re-open ? I won't have to delete the email account and recreate it will I ?
Can I change the server authentication to Oauth2 before gmail force 2SV on me or do I have to wait until 2SV is set up/operational on my account please ?
Are you also able to answer the other part of my question please in case I need to change one of my passwords for any reason at some point:- Thunderbird 91: Can I just edit passwords in Saved Passwords (Password Manager) to insert the App password instead - and will this automatically then be saved; or do I have to delete the passwords, then go through the Get New Mail (and subsequently the Write & Send) to insert the App password and remember to check "save it in passwords" or "use password manager" to get it into the Saved Passwords ? (I get conflicting answers when I search for advice)
Thank you very much for your ongoing help.
Modified
Are you able to tell me exactly what will happen when gmail institute 2SV on 30 May.
I'm not sure, but my guess would be you'll have to tap a prompt on your phone, or something similar.
Will Thunderbird automatically convert the authorisation method to Oauth2
Yes, TB 98.8.0 does this, see TB release notes. https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes/
You may want to check your server settings to confirm whether OAuth2 is being used.
I don't understand why it says I have to "enter the account password". I won't have altered the password so why would I have to enter it & where ?
You're being prompted for your credentials the first time you authenticate using OAuth2. As part of the authentication process you'll also be prompted to give permission for Thunderbird to access your Gmail account.
Will I also need to change the smtp server authentication method by going to Account Setting-[emailaccountname]-Default Identity-Outgoing Server, then Edit SMTP server ?
In general, OAuth2 authentication is used for both, the incoming (POP or IMAP) as well as for the outgoing server (SMTP). You'll have to set it manually only if it wasn't converted to OAuth2 automatically.
Can I just edit passwords in Saved Passwords (Password Manager) to insert the App password instead
You don't use an application specific password in connection with OAuth2 authentication. You'll have to use the main Google account password. Thunderbird doesn't remember the actual account password, it just remembers an OAuth2 authentication token. So you can delete any app passwords Thunderbird has remembered after switching to OAuth2 authentication.
You cannot change your account password in Thunderbird. In order to change your account password you'll have to login to your account via webmail and change it on the server. That should then trigger a re-authentication the next time you attempt to send or receive mail with Thunderbird. It may be necessary to delete the old authentication token after changing the account password.
Thank you for your further response.
I'm sorry but I don't really understand part of what you have said.
I am dealing with this change on laptops (not a phone). But perhaps you mean one might get a notification either on a phone (by SMS or something) or by email to the verification/secondary/backup email account.
At the moment the authentication method in Thunderbird is not Oauth2. At the moment my gmail account (on the web) has "2-Step Verification" turned Off. So Thunderbird is working at present with normal authentication.
I suppose in order to use Oauth2 in Thunderbird I either have to change my gmail account setting myself from "2-Step Verification" turned Off to "2-Step Verification" turned On, or wait until Google forcibly change it, rather than trying to change the authentication method beforehand (I don't think Oauth2 appears on the list of authentication methods for this email account in Thunderbird at present)
Are you saying that when it changes to 2SV and Oauth2 then on the first occasion I use it (open Thunderbird) I will have to enter my gmail password again to confirm it is me (ie I will get a pop-up asking me to enter my standard gmail password) ?
Yes I have noticed elsewhere that Oauth2 puts a token password into the Thunderbird Password Manager rather than one's email acccount password.
(Things are not helped for me by the fact that I have more than one gmail, each on a different laptop & some are POP3 and some IMAP. Each laptop has a Thunderbird 91.8 or 91.9 which has its own gmail account in it)
Sorry I don't think I expressed my last question well. My question reading: "Are you also able to answer the other part of my question please in case I need to change one of my passwords for any reason at some point:- Thunderbird 91: Can I just edit passwords in Saved Passwords (Password Manager) to insert the App password instead - and will this automatically then be saved; or do I have to delete the passwords, then go through the Get New Mail (and subsequently the Write & Send) to insert the App password and remember to check "save it in passwords" or "use password manager" to get it into the Saved Passwords ? (I get conflicting answers when I search for advice)" ...... relates to passwords for other email accounts (using standard old-style authentication methods) not gmail or AOL which use Oauth2. I know that to change an email account password I have to go into the actual email account setting on the web. That is not what I mean. What I mean is - If I change my account password using the web account settings (for a non-Oauth2 type account), I then need to update Thunderbird's saved passwords to the new password. So when I want to update the Saved Passwords (in Password Manager) in Thunderbird can I just "edit password" to replace the old webmail-created password with the new webmail-created password - and will this automatically then be saved; or do I have to delete the passwords, then go through the Get New Mail (and subsequently the Write & Send) to insert the revised (new webmail-created) password and remember to check "save it in passwords" or "use password manager" to get it into the Saved Passwords ? (I get conflicting answers when I search for advice on this)
However this has made me realise that for Oauth2 verified accounts where Thunderbird has a saved "token" password, I don't know what happens to this token in Thunderbird if I change my account password using the web account settings. Will Thunderbird simply prompt me to enter the new password on the first instance I open Thunderbird after I changed the account password in my web account (and possibly save a new "token") and then continue thereafter normally ? I think the last part of your response above actually answers this. You are saying Thunderbird will prompt me to enter the new password (re-authenticate). I suppose if the triggered re-authentication creates a new token then the Thunderbird Saved Passwords will automatically overwrite any old token with a new one & save the new one.
Sorry to be so stupid & ask these questions but I am not technology-savvy !
Thanks again for your ongoing help. Much appreciated.
I am dealing with this change on laptops (not a phone). But perhaps you mean one might get a notification either on a phone (by SMS or something) or by email to the verification/secondary/backup email account.
Yes, the phone is just the second factor for authentication.
I suppose in order to use Oauth2 in Thunderbird I either have to change my gmail account setting myself from "2-Step Verification" turned Off to "2-Step Verification" turned On, or wait until Google forcibly change it, rather than trying to change the authentication method beforehand
No, OAuth2 authentication and "2-Step Verification" are two different things. You have to use "2-Step Verification" turned on at some point in June (I believe) as long as you keep using "Normal password" authentication. Google may kill "Normal password" authentication at some point in the future though.
You do not have to turn on "2-Step Verification" when using OAuth2 authentication. Having that said, "2-Step Verification" is a useful and recommended security measure. There was also talk about Google enforcing "2-Step Verification" a while ago, but I don't know if this happened already or not. I do have "2-Step Verification" turned on regardless.
So you can (and should) turn on OAuth2 authentication right away.
(I don't think Oauth2 appears on the list of authentication methods for this email account in Thunderbird at present)
With TB 91.8 or 91.9 OAuth2 authentication is available for Gmail accounts, so you should see it in the list of available authentication methods for your account.
Why OAuth2 authentication has not been turned on automatically for you I don't know.
Are you saying that when it changes to 2SV and Oauth2 then on the first occasion I use it (open Thunderbird) I will have to enter my gmail password again to confirm it is me (ie I will get a pop-up asking me to enter my standard gmail password) ?
This will happen when you turn on Oauth2 authentication, regardless of whether 2SV is on or off.
Things are not helped for me by the fact that I have more than one gmail, each on a different laptop & some are POP3 and some IMAP
OAuth2 authentication is available for both, POP, and IMAP for Gmail accounts.
So when I want to update the Saved Passwords (in Password Manager) in Thunderbird can I just "edit password" to replace the old webmail-created password with the new webmail-created password - and will this automatically then be saved;
Yes, you can do that as long as you use 'Normal password' authentication, but not after switching to OAuth2.
or do I have to delete the passwords, then go through the Get New Mail (and subsequently the Write & Send) to insert the revised (new webmail-created) password and remember to check "save it in passwords" or "use password manager" to get it into the Saved Passwords ? (I get conflicting answers when I search for advice on this)
Deleting the password Thunderbird has remembered basically is just a workaround when the manually edited password isn't recognized properly.
I don't know what happens to this token in Thunderbird if I change my account password using the web account settings. Will Thunderbird simply prompt me to enter the new password on the first instance I open Thunderbird after I changed the account password in my web account (and possibly save a new "token") and then continue thereafter normally ?
This is exactly the way it's supposed to work.
You are saying Thunderbird will prompt me to enter the new password (re-authenticate). I suppose if the triggered re-authentication creates a new token then the Thunderbird Saved Passwords will automatically overwrite any old token with a new one & save the new one.
I believe it just saves the new token, and keeps the old (expired) one, but I'm not exactly sure. In any case, an old token can be deleted. Sometimes this doesn't work, and the new token isn't being recognized. Then you'll have to delete any existing token for the account, and will be prompted to re-authenticate.
Sorry to be so stupid & ask these questions but I am not technology-savvy !
Not stupid at all, you're doing very well.
Modified
Thank you for your response.
2-step verification for gmail will become compulsory on 30 May 2022. Normal password authentication will cease at that point so Oauth2 will be needed.
I believe Oauth2 is not currently available in Thunderbird to an existing user who has not set up 2SV in their webmail gmail account. (I cannot check this at the moment because my personal gmail account is already changed to 2SV on the web and my use of Thunderbird is very recent & post-changing to 2SV). Some of my queries relate to a friend's Thunderbird/gmail which I need to sort out on their behalf.
I guess I'll have to wait & see what happens regarding the token & Thunderbird if I change my account password in my web account settings.
You say: Yes, the phone is just the second factor for authentication. (Sorry I can't work out how to "quote" from your message like you do from mine. All I get is the entire message if I click quote). Heaven knows what people who don't have mobile phones do ! Do you know whether this comes as a text (SMS) ? Not everyone has Smartphone !
On other older style email accounts such as btinternet which use "Normal Password" verification, if I understand you correctly, when I change my email password in the web account settings, I can simply edit the password in the Saved Passwords (in Password Manager) and this will automatically save.
I have to say I find gmail very difficult in Thunderbird. I have several different types of email address (gmail, AOL, btinternet, etc). The others operate in a similar way to one another, but gmail is a law unto itself ! This is particularly true if one operates both a POP3 and IMAP version of the account. It happens that (with the same email address) I use POP3 in Windows Live Mail & IMAP in Thunderbird. Copies of messages sent from WLM using POP3 appear in Thunderbird Sent folder AND the Inbox (and All Mail) despite having Conversation Mode turned off in webmail. And the way it acts with Thunderbird's Move to/Drag & Drop and putting copies in All Mail is completely bizarre ! Totally unlike all the other email providers.
Thanks again
Modified
I'm assuming you are using up to date version of Thunderbird. Do not use 2 step verification.
Do this: Enable cookies:
- Menu app icon > Preferences > Privacy & Security
Under WEb Content
- Select checkbox: 'Accept cookies from sites'
Then change authentication:
- Right click on gmail pop account name in Folder Pane and select 'Settings'
This opens the Account Settings in new tab The pop account name is selected Look bottom right for Outgoing Server (SMTP)
- Click on 'Edit Server _SMTP' button
- Set Authentication Method : OAuth2
- Make sure user name is full gmail address
- Click on OK
- select 'Server Settings'
- Set Authentication Method : OAuth2
- Make sure user name is full gmail address
- Exit Thunderbird and wait a few moments for background processes to complete
- Start Thunderbird
Gmail will prompt you to enter gmail email address and normal password you use to access webmail account. Follow instructions. It will ask this to allow Thunderbird to access server.
An Oauth token will get stored in Thunderbird - same place as passwords and from then onwards Thunderbird will use it to access server.
Thank you for this clear explanation.
The laptop on which I need to deal with this now is not mine.
- I already dealt with mine (Windows 7 on which I had always used Windows Live Mail with POP3 up to this point):- enabled 2SV in my gmail account (because we shall be forced into it anyway by Google on 30 May 2022) then downloaded Thunderbird for the first time on this laptop (I have more than one) and installed gmail in IMAP which of course automatically dealt with the Oauth2 verification. I then added all my other email accounts in IMAP
The one I need to deal with next belongs to a friend & is Windows 10. On this I already downloaded Thunderbird (which is auto-updated) some years ago and installed gmail in POP3.
When I am next in the location where my friend's laptop is I will endeavour to action the method you quote here to update the authentication.
After that I will then need to follow the same process I did on my laptop (indicated by * above) on yet another friend's new Windows 10 laptop (in another location) on which I haven't yet got round to installing Thunderbird.
I'm trying to ensure I have covered every scenario ready to deal with each situation.
Thank you again for your help. It is much appreciated.
re :enabled 2SV in my gmail account (because we shall be forced into it anyway by Google on 30 May 2022)
Just for clarity - No you will not be forced to use 2sv. That is not true.
If you choose to use 'Authentication Method' : 'Normal Password' then you will be forced by gmail to setup 2SV and use an app specific password.
Thunderbird knows this and has set up OAuth2 for both POP and IMAP accounts. If you choose to use 'Authentication Method': 'OAuth2' then you do NOT set up 2SV and you do NOT need app specific password.
Thanks for your post.
Oh dear - as usual I have not expressed myself in the correct manner to be understood by those who are experts in these technical matters.
What Google said was To help keep your account secure, starting May 30, 2022, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password. Instead, you’ll need to sign in using Sign in with Google or other more secure technologies, like OAuth 2.0.
Google further explained this by saying they themselves would "compulsorily" turn off access to less secure apps on 30 May and one might have to obtain an App password. (Initially they also said they would not support Oauth2 for POP3 protocol which one of the ones I have to deal with is). Then they explained that in order to obtain an App password one would have to turn on 2SV
To my non-technical untutored amateur old person's mind having to use Oath2 and turning on 2SV basically amounted to the same thing - ie Google wouldn't allow Apps without one or other of these authentications to work.
Subsequently I have understood that Thunderbird is able to deal with Oauth2 for both IMAP & POP3 protocols and thanks to the clear explanation in your previous post I understand (I think) how to go about this on one of my friend's laptops.
Nevertheless, whilst I realise this is not a Thunderbird problem & therefore is not appropriate to this support forum, I still have to enable 2SV to get an App password for other applications which don't support Oauth2. This applies to yet another of my friend's laptops.
The images I uploaded into Q1376172 have appeared here. How do I remove from this question whilst leaving in 1376172 (where they had disappeared & I have just re-added) ?
Modified