Fix Thunderbird won’t let you sign in to Gmail

As you may know, I use Thunderbird as my main desktop email program. I use it with various email providers, including Gmail.

Everything worked fine up until this morning. I received mails to the Gmail account and was able to browse mails and compose them as well.

About an hour ago I started to get a popup informing me that I had to sign in to the Google account again.

The dialog did display the URL the request came from, it was a Google URL, so I knew it was legitimate. Also, checking to see if I could still access Gmail content in Thunderbird, I noticed that I could not.

I entered the Gmail email address and password, and was redirected to a "cookies disabled" page instead of the second verification step of two-factor authentication.

I tried again and same result. That was quite puzzling as I did not make any changes to Thunderbird.

When I checked the cookies setting in the email client, I noticed that cookies were disabled. That was the reason for me not being able to sign in and authorize the Gmail account for use in Thunderbird.

Note: While I experienced this with Gmail, you may experience it with other email services that rely on cookies for authentication.


Here is how I fixed the issue:

  1. Open the Thunderbird email client.
  2. Select Tools > Options > Privacy.
  3. Check whether "Accept cookies from sites" is enabled, or if the mail server is listed as an exception.

The accept cookies from sites preference was disabled in Thunderbird. I did not do it, and I'm not sure how it reset itself on its own.

Anyway, I enabled the option again, and made sure that third-party cookies are not allowed. I entered the Google account information again and it worked this time. Got the second authorization step and regained full access to the Gmail account in Thunderbird.

The same method works for any other email account, and also for calendar syncing. If you have added Google Calendar to Thunderbird for instance, you may run into the same issue. You may also use the same fix to correct the issue.
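
A read-only way to check the setting from step 3, written as an added example that is not part of the original article: it parses a profile's `prefs.js` and flags the combination that leads to the "cookies disabled" page, an OAuth2 account while cookies are rejected. The preference names `network.cookie.cookieBehavior` and `authMethod` and their numeric values are Mozilla's and are not stated in the article; the sample profile is constructed.

```python
import re

# Constructed sample of a Thunderbird profile's prefs.js (not from the article).
SAMPLE_PREFS = '''\
user_pref("mail.server.server1.hostname", "imap.gmail.com");
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.authMethod", 10);
user_pref("mail.server.server2.hostname", "pop.example.org");
user_pref("mail.server.server2.authMethod", 3);
user_pref("mail.smtpserver.smtp1.hostname", "smtp.gmail.com");
user_pref("mail.smtpserver.smtp1.authMethod", 10);
user_pref("network.cookie.cookieBehavior", 2);
'''

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')
ACCOUNT_RE = re.compile(r'^mail\.(server|smtpserver)\.(\w+)\.(hostname|authMethod)$')

# Values of network.cookie.cookieBehavior; 2 is what an unticked
# "Accept cookies from sites" box writes.
COOKIE_BEHAVIOR = {
    0: "accept all",
    1: "reject third-party",
    2: "reject all",
    3: "reject third-party from unvisited sites",
}
OAUTH2 = 10  # authMethod value for OAuth2; 3 is a normal (plaintext) password


def parse_prefs(text):
    """Return {pref_name: value} for the user_pref() lines in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything unexpected
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
    return prefs


def audit(text):
    """Report the cookie policy and whether an OAuth2 web login would be blocked."""
    prefs = parse_prefs(text)
    # Absent pref = application default, assumed here to accept cookies.
    behavior = prefs.get("network.cookie.cookieBehavior", 0)
    accounts = {}
    for name, value in prefs.items():
        m = ACCOUNT_RE.match(name)
        if m:
            accounts.setdefault(m.group(1, 2), {})[m.group(3)] = value
    oauth_hosts = sorted(a.get("hostname", "?") for a in accounts.values()
                         if a.get("authMethod") == OAUTH2)
    # Per-site cookie exceptions are stored outside prefs.js and are not checked.
    return {"cookie_policy": COOKIE_BEHAVIOR.get(behavior, "unknown"),
            "oauth_hosts": oauth_hosts,
            "login_blocked": behavior == 2 and bool(oauth_hosts)}


if __name__ == "__main__":
    print(audit(SAMPLE_PREFS))
```

Run it against a copy of `prefs.js` while Thunderbird is closed; accounts that use a plain password are not affected by the cookie setting, which matches what several commenters below report.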

Publisher: Ghacks Technology News

Responses to Fix Thunderbird won’t let you sign in to Gmail

  1. Armond August 29, 2016 at 4:57 pm #

    accept cookies was enabled for me even after I reset Thunderbird settings by deleting \AppData\Local\Thunderbird and \AppData\Roaming\Thunderbird. Running 45.2.0.

    • Martin Brinkmann August 29, 2016 at 5:13 pm #

      Thanks for confirming, I suspected as much and it makes sense. Still don't know why cookies were disabled.

  2. intelligencia August 29, 2016 at 8:38 pm #

    This is the reason I don't use Desktop Email clients - - they're too open for man-in-the-middle attacks - - or the real possibility of it happening!
    (just my one cent)

    i

    • Dan August 30, 2016 at 12:05 am #

      Could you please explain why this makes email clients more susceptible to MITM attacks as opposed to webmail? I don't follow.

      • LogicDaemon August 30, 2016 at 6:09 am #

        he can't, it's his prejudice/illusion. A web browser is more vulnerable to MITM than a MUA.

  3. COMSEC August 29, 2016 at 9:02 pm #

    Webmail isn't more secure, though

    • LogicDaemon August 30, 2016 at 6:10 am #

      true, it isn't. Though if implemented properly (or scripts off), it isn't less secure also.

  4. JamesP August 29, 2016 at 9:37 pm #

    I ran into this problem several days ago (Thunderbird 45.2.0). I fixed it by going into Tools/Add-ons/Extensions and disabling Provider for Google Calendar.

    • LogicDaemon August 30, 2016 at 6:06 am #

      Provider for Google Calendar is only needed to load calendars from Google using the Google-specific API. If you didn't add your Google calendar, it does nothing!

    • George August 31, 2016 at 1:23 am #

      This fixed it for me. Thanks!

  5. Graham August 29, 2016 at 10:29 pm #

    I haven't been able to get into my old Gmail account from Thunderbird for years, not that I need to. Interestingly it turns out my cookies were off too, but it didn't solve the problem. The error I get is "web login required".

    • LogicDaemon August 30, 2016 at 6:04 am #

      First, it means Google wants you to log in via browser once.

      Second, check account preferences, set oAuth2 as authentication method. Repeat for SMTP. Google blocks plaintext logins for users who didn't use it for a while.

  6. Dan August 30, 2016 at 12:11 am #

    Martin, I recently received an email supposedly from Yahoo that says that they will eventually restrict access to Yahoo Mail to only their Yahoo app and by Webmail. Which means that in the future I can no longer use Thunderbird to access Yahoo Mail. Have you heard of this and is this true? I hope not because I use TBird to access all of my Gmail, Yahoo, Hotmail, AOL, and even riseup emails. If Yahoo Mail wants to be different, then I might not use them as much anymore.

    • yahoo August 30, 2016 at 5:24 am #

      Are you a premium user? I don't remember my Yahoo can access pop/imap.
      I wonder why they're taking the premium feature..

      The disposable address feature is no longer working too, I guess there's no incentive using Yahoo anymore?

      • Dan August 30, 2016 at 7:08 am #

        They started re-allowing free users POP3/IMAP access since 2013 (see Ghacks post on Oct 10, 2013).

        As for disposable addresses, do you mean the aliases? If so, then I can still use mine.

        As for using Yahoo, I must admit I use it much less than ten years ago. Now I just use it as a backup email in case I lose access to my Gmail account. Also for old contacts that still prefer to use Yahoo mail (back when everyone had a Yahoo Messenger account).

      • John August 30, 2016 at 7:22 pm #

        As a (very) long time free yahoo user (since late 90's), I got pop3/smtp/alias access since start, and I still use aliases. Have a whole bunch of them.... which makes it hard to move over to another web mail provider...

    • Martin Brinkmann August 30, 2016 at 5:58 am #

      I have not heard of this, but I'm not a Yahoo user so cannot say for sure. Will keep an eye out for this.

  7. LogicDaemon August 30, 2016 at 6:03 am #

    don't enable all cookies, just add https://accounts.google.com to exceptions!

  8. skyclad August 30, 2016 at 11:47 am #

    Shouldn't you be using an app password for Thunderbird anyway?

  9. Tom Hawack August 30, 2016 at 12:06 pm #

    Thunderbird is my E-mail client but I certainly would not include accounts requiring a cookie to communicate with my emails (TB cookies disabled here). As for Gmail (not used), is this cookie requirement new? First time I hear/read about this issue. There is, as I see it, no legitimacy to require a cookie for managing email and requiring it is another privacy intrusion.

    • LogicDaemon August 30, 2016 at 1:15 pm #

      > Thunderbird is my E-mail client but I certainly would not include accounts requiring a cookie to communicate with my emails (TB cookies disabled here).

      First, cookies are not required "to communicate with emails"; they are only used during the oAuth2 web login phase, until Thunderbird receives the auth token. There is not even a method to use cookies during pop/imap/smtp sessions, and mail viewing will only get/send cookies if you allowed loading external resources (which is an epic fail on its own, and disabling cookies won't save you).

      Second, what bothers you? Google (as any other imap/pop3 provider) has full access to the contents of your email, and there are lots of headers for high precision tracking. Adding cookies won't hurt more.

      > As for Gmail (not used), is this cookie requirement new? First time I hear/read about this issue.

      Cookies used during web phase of oAuth2 login, which is only once unless you (or Google) withdraws token. After receiving token, you can disable cookies again.
      Btw, both cookies during login and oAuth2 are a good thing from a security standpoint. Does your mail provider support oAuth2?

      Though Google still supports plaintext auth for existing users of this scheme (with no cookies in that case), Thunderbird uses oAuth2 by default if the provider supports it.

      > There is, as I see it, no legitimacy to require a cookie for managing email and requiring it is another privacy intrusion.

      AFAIR everything which is not forbidden is allowed. So legitimacy is ok.
      Are you using Windows 7 or higher or OSX? Then Google is least of your "privacy intrusions".
      If you're on Linux you're generally safe, but depends on distro too.

      • Tom Hawack August 30, 2016 at 1:34 pm #

        Thanks, LogicDaemon, for this valuable information.

        My position is conducted by the lack of technical knowledge together with a strive to enhance as far as possible privacy and security settings. This can lead to erroneous beliefs and having them corrected by someone who obviously knows what he's talking about is one of the great things about blogs and forums.

        Anyway the other than my ISP email provider doesn't require a cookie, even though it is well advanced in terms of security and privacy (posteo.de). But I'll remember your explanation of the possible worth of a cookie beyond what we often limit it to. OK.

        My rhetoric is also limited by the fact English is not my mother-tongue. I still would have been approximate in my native language though it would have sounded perhaps a bit less naive :)

        Thanks-

        Oh ! Windows 7 here, yes. No Google bashing but I've closed the account when the company started "centralizing" data, April 2014 I think.

        Legitimacy is not legality where indeed "everything which is not forbidden is allowed." :)

      • LogicDaemon August 30, 2016 at 8:06 pm #

        > having them corrected by someone who obviously knows what he's talking about is one of the great things about blogs and forums.

        Totally agree, that's why I don't hesitate to share my opinion and/or conclusions.

        > posteo.de

        I just registered, enabled two factor auth and logged in via imap without second factor.
        FAIL.

        > My rhetoric is also limited by the fact English is not my mother-tongue.

        neither mine. I'm sorry about any broken English I post.

        > Legitimacy is not legality

        ah, okay. Then I currently don't understand this word, sorry.

      • Tom Hawack August 30, 2016 at 8:31 pm #

        @LogicDaemon, an elected president has legal authority but if he hasn't been elected by a majority of citizens one can wonder if his authority is legitimate. Just to give an example.

        Concerning posteo.de you must have mistaked somewhere. No problem here.

        Your English is better than mine :)

      • LogicDaemon August 30, 2016 at 8:32 pm #

        btw, there is a justification for the cookie during authorization to get an oAuth2 token: usually you don't want to type the same login and password multiple times in a row.
        When you get authenticated, Google saves session data in encrypted cookie, so if you'll want to get another token (for example, for adding google calendar, setting up gContactSync or authorizing Google Tasks, or all this) it will use it and won't ask the password again.
        If you use something like Google Calendar Tab addon, this cookie is vital for persistent login, otherwise you'll have to enter login&password *each time* you open the tab.

        I agree Google could have made the cookie non-mandatory, but as it can be easily removed (or set to save for session only) I don't see any problems here.

      • LogicDaemon August 30, 2016 at 8:35 pm #

        > Concerning posteo.de you must have mistaked somewhere. No problem here.

        Do you have twofactor auth enabled? How do you supply second factor when logging in via Thunderbird?

        I mean, I have enabled two factor auth, which should prevent logging in with password only.
        But still logged in with password only via Thunderbird. This is what I called "fail". If second factor isn't required to login, adding it makes no sense.

      • Tom Hawack August 30, 2016 at 8:46 pm #

        @LogicDaemon, twofactor auth is for logging into posteo.de Web mail, most likely. Because I deal with posteo only from Thunderbird I'm not using the twofactor. When I wrote "no problem here" I should have mentioned when using Thunderbird and assuming posteo.de login fulfills the twofactor auth. Corrected.

      • Tom Hawack August 30, 2016 at 8:52 pm #

        @LogicDaemon, more information concerning posteo's twofactor authentication :
        https://posteo.de/en/help/what-is-two-factor-authentication-and-how-do-i-set-it-up

      • LogicDaemon August 30, 2016 at 9:07 pm #

        @Tom Hawack

        > twofactor auth is for logging into posteo.de Web mail, most likely.

        right, and this is exactly what is wrong.

        Consider that twofactor is implemented to deny malefactors access when they have stolen the password (for example, using a keylogger or shoulder surfing). So it must be required for logging in using any method, otherwise it does not serve the purpose.

        See, if anyone steals your password, he can still access your mail even if you enabled two factor auth. Even though two factor auth is exactly what must prevent this.

        In their blog post from 2014 https://posteo.de/en/blog/new-two-factor-authentication-available, they recommend disabling "external programs" support (imap/pop3/smtp protocols) when enabling twofactor, but they're not automatically disabling it nor even warning user that enabling twofactor is not actually enough to enforce it. This is why it's FAIL.

        And their phrase "Two-factor authentication significantly increases the security of webmail access" is just a joke. It's like adding good new lock on one of adjacent doors, and keeping rusty lock on another one.

      • Tom Hawack August 30, 2016 at 9:23 pm #

        @LogicDaemon, I've posted a link to posteo's help page about 2factor authentication but it'll take time to appear so I'll break it hoping it appears live, in case you'd be in a hurry to set it up correctly :
        posteo.de / en / help / what-is-two-factor-authentication-and-how-do-i-set-it-up

      • Tom Hawack August 30, 2016 at 9:45 pm #

        @LogicDaemon, the help page I mentioned (please do read it) mentions :
        "Tip: If you only use Posteo webmail (i.e. in the browser), you additionally have the ability to block access for email programs. You can find out how this works in How do I activate additional email account protection?"

        Frankly, what more to ask for? The ultimate security will always be logging to an email's client web site. A local email client will never be as secure. Take another well-known webmail client, ProtonMail : with them you can only manage your email from their site!

      • LogicDaemon August 31, 2016 at 7:41 pm #

        > @LogicDaemon, the help page I mentioned (please do read it) mentions :
        > "block access for email programs"

        I've seen they mentioned same thing in blog post.
        Well, this is a way. Not a good way, unless it can't be secured at all :)
        See, all serious providers don't do this trick: if you enabled twofactor auth, your password is automatically not enough for logging in using any method.

        > Frankly, what more to ask for?

        How about per-app passwords, so usage can be tracked and they can be recalled? So normal password will only work with second factor, and where second factor can't be supplied, special password can be generated on site after logging in to web with two factors.

        > The ultimate security will always be logging to an email's client web site.

        bullshit :) Ever heard about XSS and other attacking methods? It's quite hard to firmly secure webmail. Much easier to secure a POP/IMAP MUA, which could have no JavaScript engine at all.

        > A local email client will never be as secure.

        A local web client is even less so.

        > Take another well-known webmail client, ProtonMail : with them you can only manage your email from their site!

        they have a justification: all email stored there is encrypted. And standard protocols, which Thunderbird and other *standard* mail apps use, support neither encrypted emails and email headers, nor entering a password for decrypting mails. So these technically can't be used with ProtonMail without some kind of proxy anyway.

        ProtonMail has a phone app, which is basically a MUA with support for encrypted mails. It supports twofactor auth! And they don't allow logging in with password only once twofactor auth is enabled, no matter what login method is used.

      • LogicDaemon August 31, 2016 at 8:12 pm #

        @Tom Hawack sorry, I confused Protonmail with something else. They don't support twofactor as of now.
        They promise it in September though, and I bet once enabled, it will be enforced for every login method, so password-only won't be enough.

  10. Steve msiska August 30, 2016 at 1:42 pm #

    Hie please send me mails of every new thing that come up!!!

    • Tom Hawack August 30, 2016 at 2:41 pm #

      OK but don't forget to allow cookies if you're with Thunderbird :)
      "Every new thing that comes up"? So many things come up and fall down (more or less) shortly afterwards, you know ...

  11. Ben August 30, 2016 at 1:48 pm #

    No problem here with gmail.
    Cookies are not enabled, nothing changed in the settings since I first installed TB years ago.

    • Tom Hawack August 30, 2016 at 2:30 pm #

      Maybe I'm wondering about nonsense but could the cookie be required by Gmail when email retrieval is IMAP and not POP3? Because if you, Ben, connect to Gmail from Thunderbird with cookies disabled then either you already have a Google cookie (LogicDaemon's comment above: "Cookies used during web phase of oAuth2 login, which is only once unless you (or Google) withdraws token. After receiving token, you can disable cookies again") or the explanation is elsewhere. I'd be happy to understand this mystery.

      • LogicDaemon August 30, 2016 at 7:44 pm #

        It's not IMAP/POP3, it's plaintext/oAuth2 (for all protocols: IMAP, POP3, SMTP)!
        Maybe this will somewhat clear things out: http://imgur.com/YGlGUne

      • Ben August 30, 2016 at 10:21 pm #

        I have no cookies at all in thunderbird and using pop3. And the last time I logged into my account via browser was ~10 years ago or so I guess.

      • Dan September 1, 2016 at 12:13 am #

        I use POP3 only and I also disable cookies (I just checked, no cookies). So yeah, POP3 is good. If POP3 was good enough for me eighteen years ago with Pegasus Mail, it's good enough for me now on TBird. IMAP is hokey on slow connections.

  12. Kin August 31, 2016 at 5:17 pm #

    A tad unrelated to the current news, but is there any follow-up to the story that Thunderbird was looking for a new home?

    • Martin Brinkmann August 31, 2016 at 6:13 pm #

      Nothing new on that front for now. I'll post as soon as I get any info.
