Thunderbird 91.8.0 makes important changes to Google Mail Accounts
A new version of the open source Thunderbird email client is now available. Thunderbird 91.8.0 includes security updates and makes an important change to Google Mail account authentication.
The new version of Thunderbird is already in distribution. It should be installed automatically on most systems in the coming days and weeks. Thunderbird users who want to speed up the process may select Help > About Thunderbird to run a manual check for updates. The update should be picked up by the email client at that point and it will be installed immediately.
The biggest change in the point release is a new authentication method for Google Mail accounts. It is an automatic conversion that should work without issues for most users. The conversion to OAuth 2.0 is required as Google plans to drop username and password authentication options for third-party apps and devices on May 30, 2022.
The change improves account security according to Google as it gives users more control over third-party application and site access.
Thunderbird users who have disabled cookies in the email client will notice that the new authentication method does not work without them. Cookies need to be enabled, as the OAuth token requires them. Cookies may be disabled again after successful authentication, but since cookies expire eventually, it would be necessary to re-enable them whenever a new cookie needs to be set.
You may check the cookies setting in Thunderbird in the following way:
- Select Tools > Preferences. If you don't see the menu, tap on the Alt-key to display it.
- Select Privacy & Security from the sidebar.
- The setting "Accept cookies from sites" determines if cookies are allowed in Thunderbird. Check the box to enable cookies if it is not checked.
You may want to disable accepting third-party cookies while you are at it. There is also a "show cookies" button that lists all stored cookies. You may remove some of them using the interface.
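To check the same two settings across several profiles without opening the preferences UI, the following added example (not code from this article or from the Thunderbird project) reads the text of a profile's prefs.js and reports Gmail servers whose authentication method is not OAuth2, and whether all cookies are rejected. The sample preferences are constructed; the example assumes the pref names and values Thunderbird writes to prefs.js (authMethod 10 for OAuth2, network.cookie.cookieBehavior 2 for rejecting all cookies).

```python
import re

# Constructed sample of a Thunderbird prefs.js (not taken from a real profile).
SAMPLE_PREFS = """\
user_pref("mail.server.server1.hostname", "imap.gmail.com");
user_pref("mail.server.server1.authMethod", 10);
user_pref("mail.server.server2.hostname", "pop.gmail.com");
user_pref("mail.server.server2.authMethod", 3);
user_pref("mail.server.server3.hostname", "mail.example.org");
user_pref("mail.server.server3.authMethod", 3);
user_pref("mail.smtpserver.smtp1.hostname", "smtp.gmail.com");
user_pref("mail.smtpserver.smtp1.authMethod", 3);
user_pref("network.cookie.cookieBehavior", 2);
"""

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')
SERVER_RE = re.compile(r'^(mail\.(?:server\.server|smtpserver\.smtp)\d+)\.(\w+)$')
AUTH_OAUTH2 = 10        # authMethod value stored for OAuth2 (assumption, see lead-in)
COOKIES_BLOCK_ALL = 2   # cookieBehavior value for "reject all cookies"
GOOGLE_DOMAINS = ("gmail.com", "googlemail.com")

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
    return prefs

def is_google_host(host):
    """Match gmail.com itself or a subdomain, but not look-alikes such as notgmail.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)

def audit(text):
    """Return (google_servers_not_on_oauth2, cookies_blocked)."""
    prefs = parse_prefs(text)
    servers = {}
    for name, value in prefs.items():
        m = SERVER_RE.match(name)
        if m:  # group incoming and SMTP server prefs by their branch
            servers.setdefault(m.group(1), {})[m.group(2)] = value
    weak = [(branch, s["hostname"], s.get("authMethod"))
            for branch, s in sorted(servers.items())
            if is_google_host(str(s.get("hostname", "")))
            and s.get("authMethod") != AUTH_OAUTH2]
    cookies_blocked = prefs.get("network.cookie.cookieBehavior") == COOKIES_BLOCK_ALL
    return weak, cookies_blocked

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS))
```

Run it against a copy of prefs.js taken while Thunderbird is closed; an authMethod reported as None means the pref is not set in that file.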
Other changes in Thunderbird 91.8.0
Thunderbird 91.8.0 includes security fixes. Details have not been published yet. You may check the security advisory website of the Thunderbird project later to find out about them. This article will be updated once the information becomes publicly available.
The remaining changes are bug fixes:
- Multiple public PGP keys can now be exported.
- Fixed importing OpenPGP ECC keys into GnuPG.
- Fixed opening mid: URLs on Mac OS.
- Replying to a newsgroup message displayed a "No-Reply" popup warning erroneously.
- Old format address books were loaded as SQLite files, which caused a crash.
- Replicated LDAP directories were lost when Thunderbird was set to run in Offline mode.
- Webcals importing failed from the command line if the file type of the URI ended with .ics.
You can check out the full release notes here.
Just as a point of clarification, older thunderbird versions eg from 36 to 78, already have OAuth 2.0 so they won’t need to do anything. Is that correct? Or will all Thunderbird users have to upgrade to version 91 in order to make Gmail work?
Just as a point of clarification, dump goomail.
You don’t have to do anything if you are using an older version of Thunderbird that currently works with Gmail using OAuth2 authentication. The changes in 91.8.0 are just to make it easier for users to deal with the new requirements.
If you’re using a Gmail POP account with “normal password” be aware that you can’t change it to OAuth2 authentication unless it’s at least Thunderbird version 68.5.
Probably the new “new” OAuth has a little modification making older versions of thunderbird unusable. You know, they keep moving the goalposts for no reason (like youtube/chrome best compatibility). To be honest, I don’t know why they keep running IMAP/POP, it’s clearly against their business model.
> Probably the new “new” OAuth has a little modification making older versions of thunderbird unusable.
No, no technical changes to oauth like you suggest. The only change is that gmail REQUIRES oauth.
> Just as a point of clarification, older thunderbird versions eg from 36 to 78, already have OAuth 2.0 so they won’t need to do anything. Is that correct? Or will all Thunderbird users have to upgrade to version 91 in order to make Gmail work?
Google will end support for insecure apps (e.g., older versions of Thunderbird) on May 30 of this year.
Less secure apps & your Google Account – Google Account Help
In short, I believe that Gmail will no longer be available in versions older than Thunderbird 68.
In view of the latest security measures, I strongly recommend that you migrate to the latest version of Thunderbird 91.
Google’s 2-step authentication, “OAuth2” supported by older versions of Thunderbird, is not compatible with the current Google.
Thunderbird 68 or later is required.
In older versions, the authentication method is “Normal Password Authentication” and the application password must be issued on the Google Account side.
So, let’s use Ver. 91.
However, if you install and start Thunderbird 91 out of the blue, trouble is expected to occur because the version is too open.
Important point 1:
Make a backup of your profile first.
In Thunderbird, open Help > Troubleshooting Information and click
Application Basic Information > Profile Folder: “Open Folder” will open the profile folder in use.
Then go up three levels (Roaming folder) and copy the entire Thunderbird folder and paste it somewhere else.
Important point 2:
It is important that the upgrade be done in stages and in sequence.
This is because profile specification changes along the way may not work.
The security database was changed in Ver.52 > Ver.60.
The database of keys required for encryption/decryption of passwords, etc. is key3.db > key4.db
The database of security certificates changed from cert8.db to cert9.db.
If the update is done correctly, the password should be “migrated from the old DB to the new DB”, but if that fails, the password cannot be read from the password manager (i.e., authentication fails), and the password cannot be saved even if it is entered.
Past versions of Thunderbird can be downloaded from
First, install Ver. 52. If there is no abnormality,
then install Ver.60.
Ver. 78 is then installed.
Finally, Ver. 91 is installed, and then the “sequential updating” must be performed.
Note: if you are using add-ons, “legacy add-ons” will no longer be available due to the Thunderbird upgrade.
> However, if you install and start Thunderbird 91 out of the blue, trouble is expected to occur because the version is too open.
Thank you very, VERY much! That is exactly what I did initially (for some reason I had a fairly old version) and I could not figure out why it was stuck in a loop of making me log in to each gmail account and asking to allow Thunderbird… and then not downloading any messages (though gmail obviously knew about it, as it sent a security alert each time). I had followed other instructions to change each account’s settings and the outgoing server settings, and to allow cookies (and I’d looked for passwords to delete, but found the saved password list empty) but it had not helped. I’d actually given up on using Thunderbird for a bit and decided to just try again after a while, in case there was another update or more information.
But, following your instructions to install version 52, then 60, then 78–as soon as I installed 78 and started it, it made me log in and allow one more time, and then started downloading all my messages from the past few weeks.
Yours is the only comment I’ve seen mentioning the need to step through intermediate versions.
Again, thank you.
Thanks for the updates concerning Thunderbird.
I wish they would fix a cosmetic defect in 91.7.0, and I think earlier versions.
In the Message Pane that appears under the messages, in the message header, there are several buttons: reply, forward, junk, Delete, More, Maximize.
Sometimes these buttons are cropped at the top; they appear cut off by the top border line of the message header.
As I was writing this, I toggled the message pane, it went away, so I’m not sure how to reproduce it.
> Sometimes these buttons are cropped at the top; they appear cut off by the top border line of the message header.
I would expect this to be fixed in version 102 in a few months. If it isn’t, please file a bug report https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird
A simple scheme to check/modify new gmail requirements is given by @zipklik
Thank you all for your help. The range of answers suggests that no one is totally sure what is going to happen except that less secure apps is going to be switched off.
To make sure it works properly, I went into my google account and use less secure apps is already switched to off. So I assume that means I will be fine.
By the way, what version of Thunderbird are you using?
As you are probably aware, mail clients are “web clients” and are therefore vulnerable in the same way as browsers.
Therefore, as a countermeasure for the discovered vulnerability, “Firefox ESR security patches are back ported to Thunderbird” to plug the security hole.
Proper updating is necessary to plug security holes.
If the “difference” between what you are using and the latest version is too large, updating will not be easy. You should update as soon as possible.
@owl I am using version 78.14. Will properly upgrade at some point in the future, when all support for 78 finishes. I believe it is still getting security fixes.
I am relieved to hear that it is not as old as I feared, however, 78 is no longer supported “as of the release of version 91.3 (November 3, 2021)”.
Thunderbird Release Notes — Thunderbird
If you’re using version 78.x, the legacy add-on issue (legacy add-ons are not available after 78) has been cleared, so I recommend updating to the latest version.
New in Thunderbird 91 | Thunderbird Help
Mozilla Thunderbird – Wikipedia
> when all support for 78 finishes. I believe it is still getting security fixes
78 stopped getting security fixes in AUGUST 2021 https://www.thunderbird.net/en-US/thunderbird/78.14.0/releasenotes/
What a team of developers can’t do in 15 years, one can in a couple of months. Betterbird, a version of Thunderbird, finally has multi-line view like any other modern client.
What is multi-line view, and why would I want it?
I mean, I assume you don’t mean ‘can show emails with more than one line’ because every client can do that.
> What is multi-line view,
> What a team of developers can’t do in 15 years,
Perhaps he is referring to this:
335310 – Suggest Multi-line Message List display (great in vertical view)
RESOLVED DUPLICATE of bug 213945
213945 – Mail/message listing/thread pane needs more organization in 3 vertical pane view (column wrapping, etc)
Message list multi-line view. Without it, vertical layout makes no sense on laptop screens.
This fix did not work for me. I think there are other steps required, though I don’t know what they might be.
After a little poking around, I found that the update simply changed the authentication method on my outgoing server (smtp.gmail.com) to OAuth2, which I now presume caused the failure. All I did was switch it back to “Normal Password” and now I can send again, but I know this work-around won’t last.
I’m open to other ideas.
Here is a brief explanation.
Google’s authentication method, OAuth2, first accesses Gmail’s authentication page to authenticate the user and give Thunderbird permission to access Gmail.
Then, Gmail registers Thunderbird as a permitted application and gives Thunderbird a key to access it.
The key will be stored in your Thunderbird profile, and you will then be able to access Gmail with it.
Therefore, even if you change your password in Thunderbird’s password manager, you will get an error because the key is not updated unless you re-authenticate.
1. 2-step verification ON in Google account
2. delete “Mozilla Thunderbird Email” from “Apps that can access your account” in your Google account
3. In Thunderbird, go to Settings > Privacy and Security > “Saved Passwords… (S)” to the “Saved Login Information” screen – delete all login information for the “relevant” Gmail account.
4. receive operation
5. enter new login information for each account
6. allow Thunderbird access
Just checked with BetterBird 91.8.0-bb29 (64-bit) Portable and sending through Gmail works without problems.
Outgoing Server: smtp.gmail.com, Port: 465
Server Name: imap.gmail.com, Port: 993
Connection security: SSL/TLS
Authentication method: OAuth2
OAuth2 enabled in Google setting (Web Browser)? Followed the scheme in the link, I earlier gave?
Why didn’t they automatically enable cookies with this new TB update and/or pop up a notice with a link to the Mozilla KB article?
I wasted hours today trying to send email via Gmail pop3 with the updated TB because I wasn’t aware of this change.
When I finally did a web search, I immediately found this page, so hats off to Martin…!
> Why didn’t they automatically enable cookies with this new TB update and/or pop up a notice with a link to the Mozilla KB article?
Yes, that would have been desirable. But it’s … complicated by localization (we currently can’t change text strings in already released versions) and security concerns. Therefore, it wasn’t possible in this version.
> I wasted hours today trying to send email via Gmail pop3 with the updated TB because I wasn’t aware of this change.
Is the notice missing from your release notes? https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes/
Wow! I heard about the upcoming google Oauth2 debacle…
I have 2 issues:
1. I have read elsewhere that this is LESS secure than using SSL/TLS connection to server and long, rich passwords. I agree. I have systems that are stuck on much older versions that likely will not work with this OAuth2. I also use on MANY older linux systems postfix that use SSL/TLS and long, rich passwords to relay thru a gmail account. I’m now worried that I won’t be able to have any of these systems work after May. I think this OAuth2 will screw a lot more people than me and become a serious debacle. What is the gain with OAuth2 versus long, rich passwords? Nothing. I guess it is time to leave google/gmail.
2. How does thunderbird interface to AVG, Avast, etc? At one point these scanners ran as a server on the user’s computer. Then TB was configured to connect to the email scanner server on the local address 127.1. Then the scanner was configured to go to the remote mail server with protocol, ports, usernames, passwords, etc. I don’t think these scanners configure with Oauth. Do They?
What about the contemporary email scanners? How do they interface to TB? All the TB config help I find on the web directs one to config directly to the remote mail server. So how does the scanner get in between TB and the remote server to scan the incoming mail? Especially if TB is configured to use SSL/TLS? I can’t find any detail about TB on how it interfaces to these scanners. How are these contemporary scanners going to deal with this OAuth2 insertion? Can someone point me somewhere for all of this?
oauth doesn’t fundamentally change how scanners choose to operate
> It is an automatic conversion that should work without issues for most users
In what universe? Thunderbird has updated NOTHING. It has not changed my login method to OAuth2 at all. I’m going to have to do it all manually and hope I don’t get the “too many login attempts” error like I did the first time I tried it and had to change back to password login.
just wanted to post my experience trying to get gmail oauth2 to work …
i’ve been running TB 45 forever and gmail oauth2 definitely didn’t work for me with that version on W7 x64 … i updated to 91.9 and still no dice … i ultimately discovered that NO passwords would save, which of course includes the oauth token … deleting the various suggested TB config files didn’t solve the problem either … it was also NOT practical to recreate accounts from scratch since i had to fix this problem for many clients and myself, and many of us had multiple accounts configured in TB, with many of the accounts containing 30 GB or more emails …
so here’s what i finally came up with to get this upgrade to work reliably:
1. backup copy local/thunderbird and roaming/thunderbird folders
2. run TB 45 and remove all addons
3. empty local/thunderbird
4. delete everything in roaming/thunderbird except: prefs.js, Mail, ImapMail, virtualFolders.dat, folderTree.json, directoryTree.json, *.mab files
5. uninstall TB 45
6. install TB 91.9 x64
7. run TB 91 and when the profile section box pops up, select the default profile, checking the box to remember it permanently
8. TB 91 will convert all gmail accounts to oauth, so popups for the oauth login procedure will occur for all gmail accounts, so go through the oauth process for each of those, providing the required password and any subsequently requested secondary security verification information via smartphone SMS or secondary security email security code, and also indicate to all other security verification emails that you are the one who initiated these activities
9. you can verify that all conventional passwords and oauth tokens got saved via TB preferences/privacy & security/saved passwords
10. import contacts in all .mab files (which are otherwise obsolete and unrecognized by newer TBs …)
11. nice addons are Phoenity Buttons, Phoenity Icons, riseofthetools, search button, lookout (fix version)
12. some old x86 TB leaves behind broken user registry keys regarding TB mailto protocols, so these can be deleted for each logged in Windows user with:
13. TB font sizes can be changed by changing the value of font.size.systemFontScale from 100 to something larger (or smaller) in general/config editor
I have always used thunderbird, but now GMAIL will no longer work per google. Goodbye thunderbird. :-(
I prefer the older Thunderbird version because of add-on compatibility.
1. Use OAuth2, and it will continue to work.
2. From Google site: Because less secure apps can make your account more vulnerable, Google will automatically turn this setting off if it’s not being used.
–> Make sure that you login regularly.
Thanks Asok Asus. I tried many methods, including removal and fresh reinstall to upgrade from TB38 to TB91 which all failed until I cleaned up the local/thunderbird and roaming/thunderbird directories as you stated. Your solution above solved the problem.
Solution for simple users who just want to check their gmail with thunderbird …
check your mail accounts setting: “authentication method”
> set to OAuth2 > close > refresh > a pop-up in TB will prompt you to log in
^ if it doesn’t work you’re out of luck and will have to at least ONCE login via web browser and
set over GMAIL that you allow the access of less secure third party apps – then it will work
Since June 8th I cannot use Thunderbird on Gmail:
“Sending of password for [email protected] failed. Mailserver POP.Gmail.com answered: Username and password not accepted.”
Deleted TB cookies for gmail and even google.com, removed passwords, and set the authentication to OAuth2, and restarted Thunderbird. But that gives me the error that the server does not support this type of authentication? How is that possible then?
Try this mozilla page for more understanding:
In the end I can’t tell what helped me. The next morning I tried for the x time to set OAuth2 as authentication method, and all of a sudden I was asked my credentials for gmail, and it all worked.
All of my google accounts auto-converted to OAuth2. One did not. The curious thing is that it works randomly. If I change it to OAuth2 it asks for verification each time. I enter the password and allow thunderbird access. But it just asks again at the next poll.
How can I fix this?