You are not logged in.
Is anybody else having problems accessing their Yahoo or GMail accounts using Thunderbird.
This problem has only occured in the last week or two and applies to Yahoo, GMail and outlook. Thunderbird is still working for primary EMail account, so I don't know if its a thunderbird issue or whether all three companies updated their security policies.
I know that Yahoo in the name of "updated security" is blocking "less secure" clients, which I assume is an excuse for forcing people to use their ad-infected crap. Yahoo also seems to have disabled mail fowarding
which would have been a good workaround for backing up Yahoo mail.
Thanks
Live Free or Die !
Offline
POP+SMTP or IMAP?
Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
Gmail and Thunderbird, no issues -- including signing and encryption via GPG. Is Yahoo still around? All know is they won't deliver our forum email and won't respond to inquiries as to why; I thought they had ceased to exist.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
POP+SMTP or IMAP?
I was using IMAP, but I also tried POP with no success.
Live Free or Die !
Offline
Gmail and Thunderbird, no issues -- including signing and encryption via GPG. Is Yahoo still around? All know is they won't deliver our forum email and won't respond to inquiries as to why; I thought they had ceased to exist.
I believe Yahoo is still in the process of being sold to Verizon which took a detour after Yahoo's security problems became public. Yahoo had really been a great resource int the 1990's but sadly has changed for the worse. What can you say about a company that blocks mail fowarding: $@$*$* !
For increased security I tried installing thunderbird-enigmail, which failed due to: "One or more PGP signatures could not be verified!"
Thanks
Live Free or Die !
Offline
you need to allow "insecure" clients on gmail as well:
http://www.ghacks.net/2014/07/21/gmail- … le-access/
But thunderbird should receive and post a message from gmail (incl. a link on the topic)
@ewaller, google "yahoo DMARC" - luckily yahoo is now as good as dead ...
Offline
you need to allow "insecure" clients on gmail as well:
http://www.ghacks.net/2014/07/21/gmail- … le-access/But thunderbird should receive and post a message from gmail (incl. a link on the topic)
@ewaller, google "yahoo DMARC" - luckily yahoo is now as good as dead ...
Sorry, I forget to write that I had already changed to setting to allow less secure clients. I went back and forth on that and it didn't change a thing. I never received any EMail from Yahoo or Google other than EMails from Yahoo stating that my security settings were changed.
The mistakes made at Yahoo the past few years have been mind boggling, and if Verizon goes ahead with the purchase it will be a marriage made in hell. The joke is that all I'm trying to do is back up many years of email and say good riddance to a one great web site. I suspect that Yahoo is blocking all third party clients and not just less secure clients.
Thanks
Live Free or Die !
Offline
There is no need to enable "insecure" clients. For Thunderbird authenticate with OAuth2 protocol. And for clients that does not support OAuth2 you can still avoid enabling the "insecure" option by making a password for custom application (for example for msmtp).
Offline
The msmtp wiki says "Enable two factor authentication and create an app password" and I frankly fail to understand the implication of that.
Assuming adding more passwords (depending on the totally not fakable useragent) would any security: what does that have to do with two factor authentication, were google would like to send me SMS - or even voicecall me? for a TAN?
Have you actually done this?
Offline
Usually I'm way too tenacious to give up, but I've wasted too much time on this already for something that doesn't have that much importance right now. When I finally kill my Yahoo account I won't be losing any important emails. Thunderbird is working fine for my primary email which is what I really care about.
When I get a chance I'll take another look at configuring GMail to work with Thunderbird. My GMail account is very low volume and nothing of great importance.
Thanks for the help
Larry
Live Free or Die !
Offline
Offline
empty
Last edited by infinarchy (2017-11-04 21:37:47)
Offline
1.500.000.000+ Yahoo! accounts got hacked in the last year.
In my opinion you shouldn't use Yahoo! at all.
I could not agree with you more!!!
The only reason I cared was to sync Thunderbird with Yahoo and backup or save all my EMail.
The next step was to migrate all registrations with my Yahoo EMail to a different EMail Address.
The final step will be to kill the Yahoo account.
I cannot even image what will happen to Yahoo if Verizon does buy it. I have Verizon FIOS, so I know what their web and TV interfaces are like.
PS: Yahoo is not the only popular company I don't trust.
Thanks
Live Free or Die !
Offline
There is no need to enable "insecure" clients. For Thunderbird authenticate with OAuth2 protocol. And for clients that does not support OAuth2 you can still avoid enabling the "insecure" option by making a password for custom application (for example for msmtp).
There is no such option as OAuth2 in my thunderbird, are you using it yourself?
I've been using TB+gmail here without any problems. 2FA is active on gmail and obviously I had to create app passwords and so far I've had no problems.
Edit:
Thunderbird does have the OAuth2 option, for smtp I can select it when creating a new account or change it for an existing account, however it seems I can only select it for POP/IMAP when creating a new account, it does not show on the list for an existing account.
Last edited by R00KIE (2017-03-06 12:00:02)
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
Edit:
Thunderbird does have the OAuth2 option, for smtp I can select it when creating a new account or change it for an existing account, however it seems I can only select it for POP/IMAP when creating a new account, it does not show on the list for an existing account.
Albeit being my favorite software for the respective job, Thunderbird is a huge feature dripping clusterfuck.
Offline
All problems got solved by changing my router setting from high security to medium security, leaving all settings as they were. I'm confused because I definitely would have noticed if the problems occurred soon after changing settings. I know I always check to make sure that things are working after making changes. Besides its been quite a while since I changed the router settings. Oh Well.
Thanks for the help.
Larry
Live Free or Die !
Offline
The msmtp wiki says "Enable two factor authentication and create an app password" and I frankly fail to understand the implication of that.
Assuming adding more passwords (depending on the totally not fakable useragent) would any security: what does that have to do with two factor authentication, were google would like to send me SMS - or even voicecall me? for a TAN?Have you actually done this?
App passwords are an alternative security path for clients which don't support 2 factor. A randomly generated password used only for that app (and labeled as such in your gmail security settings).
This reduces the threat surface because the user themselves do not write down or remember the password, and the password can only be used by that app (i.e. having that password does not, IIRC, allow login to gmail, only access to the emails themselves (which you would have access to if you crack the app using it anyway).
And you can cut off access to app passwords if you lose a device or find it's compromised. Basically much better than using one password (however complex) without 2-factor, and a pretty good in-between overall.
Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
App passwords are an alternative security path for clients which don't support 2 factor.
Then why should I pass google my phone number to activate this?
This reduces the threat surface because the user themselves do not write down or remember the password
... like in ~/.msmtprc?
the password can only be used by that app (i.e. having that password does not, IIRC, allow login to gmail, only access to the emails themselves
I do completely see why it would make sense to have different passwords for different google services, but I could have simply offered different passwords for different google services instead of this 2F/app-password weirdness, yesno? It's not like I could not just spoof the app user agent with random tools - I can use that password with whatever I want.
And you can cut off access to app passwords if you lose a device or find it's compromised.
... by simply altering the password(s) - I might have somewhen passed the global password into that device for some reason anyway. And I probably just lost sth. that's logged into google entirely (so best thing is to remote-kill the device)
Sorry, this still looks a hell lot like fake-security to me (from what I've heard so far) - I just compromise another phone number (for it's not two-factor if I use the same phone for login and sms confirmation)
Offline
Then why should I pass google my phone number to activate this?
Sorry, this still looks a hell lot like fake-security to me (from what I've heard so far) - I just compromise another phone number (for it's not two-factor if I use the same phone for login and sms confirmation)
You're conflating 2-factor and app passwords. 2-factor requires a phone number (or google authenticator, or a physical tag) because the basic idea is 'something you know' + 'something you have' being safer than just 'something you know' (password).
The whole point is that having a password stolen does not compromise security. If someone steals your phone, they have the 'something' (which is your simcard, not your phone per se), which you can recover from your telco. They do not have your password hence your security is not compromised. If someone steals your password via keylogger, they do not have your simcard or phone and hence the system is not compromised.
... like in ~/.msmtprc
I do completely see why it would make sense to have different passwords for different google services, but I could have simply offered different passwords for different google services instead of this 2F/app-password weirdness, yesno? It's not like I could not just spoof the app user agent with random tools - I can use that password with whatever I want.
If you have your plain text password in any text file, you should love app-specific passwords. If it's an app specific password then compromising this does not compromise the whole system, as it does not allow access to anything else than you initially allowed it for.
ngoonee wrote:And you can cut off access to app passwords if you lose a device or find it's compromised.
... by simply altering the password(s) - I might have somewhen passed the global password into that device for some reason anyway. And I probably just lost sth. that's logged into google entirely (so best thing is to remote-kill the device)
Your password is not saved in plaintext except with crappy apps and crappy setups. And remote-kill won't help you if it is, since the first thing an attacker will do is change your password, so you have now lost access to the system. You can regain it with some communication with google, but good luck in the meantime if you also use that account for banking etc.
2-factor is about as far from 'fake security' as can be, compared to relying on a single password. App-specific passwords are less secure, but using them is still better than a global password for the service.
Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
I took the 2F/apppw boding from https://wiki.archlinux.org/index.php/Ms … ctionality
2-factor is about as far from 'fake security' as can be
I didn't claim otherwise - I'm still trying to figure what the "app password" is good for.
A system which allows me to use different passwords for google, gmail, youtube ... would be great, but as it's been described to me so far (or at least as I understood it) i'd have to activate 2F *also* in order to have individual passwords for individual user agents, which would be just illusion or better security (or usability)
And I'd certainly not want to use actual 2F authentication w/ msmtp or mutt or something, because no sane being enters a password everytime sending a mail ;-)
Offline
A quick question:
your DNS? Once I used Google ones Thunderbird began working.
Offline