Fix Thunderbird won't let you sign in to Gmail
As you may know, I use Thunderbid as may main desktop email program. I use it with various email providers, including Gmail.
Everything worked fine up until this morning. I received mails to the Gmail account and was able to browse mails and compose them as well.
About an hour ago I started to get a popup informing me that I had to sign in to the Google account again.
The dialog did display the URL the request came from, it was a Google URL, so I knew it was legitimate. Also, checking to see if I could still access Gmail content in Thunderbird, I noticed that I could not.
I entered the Gmail email address and password, and was redirected to a "cookies disabled" page instead of the second verification step of two-factor authentication.
I tried again and same result. That was quite puzzling as I did not make any changes to Thunderbird.
When I checked the cookies setting in the email client, I noticed that cookies were disabled. That was the reason for me not being able to sign in and authorize the Gmail account for use in Thunderbird.
Note: While I experienced this with Gmail, you may experience it with other email services that rely on cookies for authentication.
Here is how I fixed the issue:
- Open the Thunderbird email client.
- Select Tools > Options > Privacy.
- Check whether "Accept cookies from sites" is enabled, or if the mail server is listed as an exception.
The accept cookies from sites preference was disabled in Thunderbird. I did not do it, and I'm not sure how it reset itself on its own.
Anyway, I enabled the option again, and made sure that third-party cookies are not allowed. I entered the Google account information again and it worked this time. Got the second authorization step and regained full access to the Gmail account in Thunderbird.
Note that you may also add the Google server to the list of exceptions (imap.googlemail.com) if you prefer to keep cookies disabled for all other services.
The same method works for any other email account, and also for calendar syncing. If you have added Google Calendar to Thunderbird for instance, you may run into the same issue. You may also use the same fix to correct the issue.
Thanks very much for the solution.
I was becoming pretty desperate when I could not activate my email in Thunderbird after a password reconfiguration.
I had set cookies to never accept (because cookies is evil!!) when I installed TB (probably after defining my email-accounts) , obviously afterwards not so smart.
Martin,
Your useful article helped me get my Gmail account working on Thunderbird. Yours was the first I read that suggested that the cookies setting was in the Thunderbird app instead of the browser app. However, in my version of Thunderbird (52.3.0), the Privacy pane was not under Tools/Options, but rather under Thunderbird/Preferences, but the Privacy pane looked the same.
Thanks
Martin,
Thank you very much this was completely on “spot” for me as other solutions were LAME. This was clearly the issue as to why cookies disabled would not go away. I only checked settings in browser, cause it was using browser (I thought) to check site. It makes sense I should have checked options on email client….Duh, but that’s on me.
I really appreciate your doing this succinct direct and helpful article. With in a minute of reading, gmail all down to my computer. Mahalo . (Hawaii thanks)!!!!
After reading your article, I checked my cookie setting. It was set to accept cookies. Yet, I had the same problem you had, Gmail asking me to sing in. This problem began less than a week ago. Possible that the cookie is corrupted? I don’t even know if that is possible.
A tad unrelated to the current news, but is there any follow-up to the story that Thunderbird was looking for a new home?
Nothing new on that front for now. I’ll post as soon as I get any info.
No problem here with gmail.
Cookies are not enabled, nothing changed in the settings since I first installed TB years ago.
Maybe I’m wondering about nonsense but could the cookie be required by Gmail when email retrieval is IMAP and not POP3? Because if you, Ben, connect to Gmail from Thunderbird with cookies disabled then either you already have a Google cookie (LogicDaemon’s comment above : “Cookies used during web phase of oAuth2 login, which is only once unless you (or Google) withdraws token. After receiving token, you can disable cookies again” either the explanation is elsewhere. I’d be happy to understand this mystery.
I use POP3 only and I also disable cookies (I just checked, no cookies). So yeah, POP3 is good. If POP3 was good enough for me eighteen years ago with Pegasus Mail, it’s good enough for me now on TBird. IMAP is hokey on slow connections.
I have no cookies at all in thunderbird and using pop3. And the last time I logged into my account via browser was ~10 years ago or so I guess.
It’s not IMAP/POP3, it’s plaintext/oAuth2 (for all protocols: IMAP, POP3, SMTP)!
Maybe this will somewhat clear things out: http://imgur.com/YGlGUne
Hie please send me mails of every new thing that come up!!!
OK but don’t forget to allow cookies if you’re with Thunderbird :)
“Every new thing that comes up”? So many things come up and fall down (more or less) shortly afterwards, you know …
Thunderbird is my E-mail client but I certainly would not include accounts requiring a cookie to communicate with my emails (TB cookies disabled here). As for Gmail (not used), is this cookie requirement new? First time I hear/read about this issue. There is, as I see it, no legitimacy to require a cookie for managing email and requiring it is another privacy intrusion.
> Thunderbird is my E-mail client but I certainly would not include accounts requiring a cookie to communicate with my emails (TB cookies disabled here).
first, cookies not required “to communicate with emails”, they only used during oAuth2 web login phase, until Thunderbird receives auth token. There even no method to use cookies during pop/imap/smtp sessions, and mail viewing will only get/send cookies if you allowed loading external resources (which is epic fail on its own and disabling cookies won’t save you).
Second, what bothers you? Google (as any other imap/pop3 provider) have full access to contents of your email, and there are lots of headers for high precision tracking. Adding cookies won’t hurt more.
> As for Gmail (not used), is this cookie requirement new? First time I hear/read about this issue.
Cookies used during web phase of oAuth2 login, which is only once unless you (or Google) withdraws token. After receiving token, you can disable cookies again.
Btw, both cookies during login and oAuth2 are good thing from security standpoint. Does your mail provider support oAuth2?
Though Google still supports plaintext auth for existing users of this scheme (with no cookies in that case), Thunderbird uses oAuth2 by default if providers supports it.
> There is, as I see it, no legitimacy to require a cookie for managing email and requiring it is another privacy intrusion.
AFAIR everything which is not forbidden is allowed. So legitimacy is ok.
Are you using Windows 7 or higher or OSX? Then Google is least of your “privacy intrusions”.
If you’re on Linux you’re generally safe, but depends on distro too.
@Tom Hawack sorry, I confused Protonmail with something else. They don’t support twofactor as of now.
They promise it in September though, and I bet once enabled, it will be enforced for every login method, so password-only won’t be enough.
@LogicDaemon, the help page I mentioned (please do read it) mentions :
“> block access for email programs
I’ve seen they mentioned same thing in blog post.
Well, this is a way. Not a good way, unless it can’t be secured at all :)
See, all serious providers don’t do this trick: if you enabled twofactor auth, your password is automatically not enough for logging in using any method.
> Frankly, what more to ask for?
How about per-app passwords, so usage can be tracked and the can be recalled? So normal password will only work with second factor, and where second factor can’t be supplied, special password can be generated on site after logging in to web with two factors.
> The ultimate security will always be logging to an email’s client web site.
bullshit :) Ever heard about XSS and other attacking methods? It’s quite hard to firmly secure webmail. Much easier to secure an POP/IMAP MUA, which could have no JavaScript engine at all.
> A local email client will never be as secure.
A local web client is even less so.
> Take another well-known webmail client, ProtonMail : with them you can only manage your email from their site!
they have justification: all email stored there is encrypted. And standard protocols, which Thunderbird and other *standard* mail apps use, do not support neither encrypted emails and email headers, nor entering password for decrypting mails. So these technically can’t be used with ProtonMail without some kind of proxy anyway.
ProtonMail have phone app, which is basically MUA with support for encrypted mails. It supports twofactor auth! And they don’t let logging in with password only once twofactor auth enabled, no matter what login method is used.
@LogicDaemon, the help page I mentioned (please do read it) mentions :
“Tip: If you only use Posteo webmail (i.e. in the browser), you additionally have the ability to block access for email programs. You can find out how this works in How do I activate additional email account protection?”
Frankly, what more to ask for? The ultimate security will always be logging to an email’s client web site. A local email client will never be as secure. Take another well-known webmail client, ProtonMail : with them you can only manage your email from their site!
@LogicDaemon, I’ve posted a link to posteo’s help page about 2factor authentication but it’ll take time to appear so I’ll break it hoping it appears live, in case you’d be in a hurry yo set it up correctly :
posteo.de / en / help / what-is-two-factor-authentication-and-how-do-i-set-it-up
@Tom Hawack
> twofactor auth is for logging into posteo.de Web mail, most likely.
right, and this is exactly what is wrong.
Consider that twofactor is implemented to deny malefactors access when they stolen the password (for example, using a keylogger or shoulder surfing). So it must be required for logging in using any method, otherwise it does not serve the purpose.
See, if anyone steals your password, he still can access your mail even if you enabled two factor auth. Despite two factor auth is exactly what must prevent this.
In their blog post from 2014 https://posteo.de/en/blog/new-two-factor-authentication-available, they recommend disabling “external programs” support (imap/pop3/smtp protocols) when enabling twofactor, but they’re not automatically disabling it nor even warning user that enabling twofactor is not actually enough to enforce it. This is why it’s FAIL.
And their phrase “Two-factor authentication significantly increases the security of webmail access” is just a joke. It’s like adding good new lock on one of adjacent doors, and keeping rusty lock on another one.
@LogicDaemon, more information concerning posteo’s twofactor authentication :
https://posteo.de/en/help/what-is-two-factor-authentication-and-how-do-i-set-it-up
@LogicDaemon, twofactor auth is for logging into posteo.de Web mail, most likely. Because I deal with posteo only from Thunderbird I’m not using the twofactor. When I wrote “no problem here” I should have mentioned when using Thunderbird and assuming posteo.de login fulfills the twofactor auth. Corrected.
> Concerning posteo.de you must have mistaked somewhere. No problem here.
Do you have twofactor auth enabled? How do you supply second factor when logging in via Thunderbird?
I mean, I have enabled two factor auth, which should prevent logging in with password only.
But still logged in with password only via Thunderbird. This is what I called “fail”. If second factor isn’t required to login, adding it makes no sense.
btw, there is justification for cookie during authorization to get oAuth2 token: usually you don’t want type same login and password multiple times in a row.
When you get authenticated, Google saves session data in encrypted cookie, so if you’ll want to get another token (for example, for adding google calendar, setting up gContactSync or authorizing Google Tasks, or all this) it will use it and won’t ask the password again.
If you use something like Google Calendar Tab addon, this cookie is vital for persistent login, otherwise you’ll have to enter login&password *each time* you open the tab.
I agree Google could have made the cookie non-mandatory, but as it can be easily removed (or set to save for session only) I don’t see any problems here.
@LogicDaemon, an elected president has legal authority but if he hasn’t been elected by a majority of citizens one can wonder if his authority is legitimate. Just to give an example.
Concerning posteo.de you must have mistaked somewhere. No problem here.
Your English is better than mine :)
Haha, well one would guess because you don’t live in the USA you don’t understand the electoral college. Many of presidents haven’t won the popular vote. Read up. If we did not elect the way we do we would have a bunch of d-bags from California and New York making all the countries decisions. Look at the state of both States and re-assess your popular vote statement (ie both in dire straights).
> having them corrected by someone who obviously knows what he’s talking about is one of the great things about blogs and forums.
Totally agree, that’s why I don’t hesitate to share my opinion and/or conclusions.
> posteo.de
I just registered, enabled two factor auth and logged in via imap without second factor.
FAIL.
> My rhetoric is also limited by the fact English is not my mother-tongue.
neither mine. I’m sorry about any broken English I post.
> Legitimacy is not legality
ah, okay. Then I currently don’t understand this word, sorry.
Thanks, LogicDaemon, for this valuable information.
My position is conducted by the lack of technical knowledge together with a strive to enhance as far as possible privacy and security settings. This can lead to erroneous beliefs and having them corrected by someone who obviously knows what he’s talking about is one of the great things about blogs and forums.
Anyway the other than my ISP email provider doesn’t require a cookie, even though it is well advanced in terms of security and privacy (posteo.de). But I’ll remember your explanation of the possible worth of a cookie beyond what we often limit it to. OK.
My rhetoric is also limited by the fact English is not my mother-tongue. I still would have been approximate in my native language though it would have sounded perhaps a bit less naive :)
Thanks-
Oh ! Windows 7 here, yes. No Google bashing but I’ve closed the account when the company started “centralizing” data, April 2014 I think.
Legitimacy is not legality where indeed “everything which is not forbidden is allowed.” :)
Shouldn’t you be using an app password for Thunderbird anyway?
That is no longer necessary.
don’t enable all cookies, just add https://accounts.google.com to exceptions!
Martin, I recently received an email supposedly from Yahoo that says that they will eventually restrict access to Yahoo Mail to only their Yahoo app and by Webmail. Which means that in the future I can no longer use Thunderbird to access Yahoo Mail. Have you heard of this and is this true? I hope not because I use TBird to access all of my Gmail, Yahoo, Hotmail, AOL, and even riseup emails. If Yahoo Mail wants to be different, then I might not use them as much anymore.
I have not heard of this, but I’m not a Yahoo user so cannot say for sure. Will keep an eye out for this.
Are you a premium user? I don’t remember my Yahoo can access pop/imap.
I wonder why they’re taking the premium feature..
The disposable address feature is no longer working too, I guess there’s no incentive using Yahoo anymore?
As a (very) long time free yahoo user (since late 90’s), I got pop3/smtp/alias access since start, and I still use aliases. Have a whole bunch of them…. which makes it hard to move over to another web mail provider…
They started re-allowing free users POP3/IMAP access since 2013 (see Ghacks post on Oct 10, 2013).
As for disposable addresses, do you mean the aliases? If so, then I can still use mine.
As for using Yahoo, I must admit I use it much less than ten years ago. Now I just use it as a backup email in case I lose access to my Gmail account. Also for old contacts that still prefer to use Yahoo mail (back when everyone had a Yahoo Messenger account).
I haven’t been able to get into my old Gmail account from Thunderbird for years, no that I need to. Interestingly it turns out my cookies were off too, but it didn’t solve the problem. The error I get is “web login required”.
First, it means Google want you to login via browser once.
Second, check account preferences, set oAuth2 as authentication method. Repeat for SMTP. Google blocks plaintext logins for users who didn’t use it for a while.
If you have difficulty in opening your google mail in thunderbird, why not just go to Gmail.com and read it there?
I ran into this problem several days ago (Thunderbird 45.2.0). I fixed it by going into Tools/Add-ons/Extensions and disabling Provider for Google Calendar.
This fixed it for me. Thanks!
Provider for Google Calendar only needed to load calendars from Google using Google-specific API. If you didn’t add your Google calendar, it does nothing!
Webmail isn’t more secure, though
true, it isn’t. Though if implemented properly (or scripts off), it isn’t less secure also.
This is the reason I don’t use Desktop Email clients – – they’re too open for man-in-the-middle attacks – – or the real possibility of it happening!
(just my one cent)
i
Could you please explain why this makes email clients more susceptible to MITM attacks as opposed to webmail? I don’t follow.
he can’t, it’s his prejudice/illusion. A web browser is more vulnerable to MITM than a MUA.
accept cookies was enabled for me even after I reset Thunderbird settings by deleteing \AppData\Local\Thunderbird and \AppData\Roaming\Thunderbird. Running 45.2.0.
Thanks for confirming, I suspected as much and it makes sense. Still don’t know why cookies were disabled.