Thunderbird and OAuth

[tb]

I am using Thunderbird 68.1.0 (64-bit) for Windows.

AT&T just sent out a memo stating that in the near future I will need
to use an email client that uses Open Authentication (OAuth). They
also state that Thunderbird is not OAuth compatible...

Is there an add-on that would make Thunderbird compatible? Any other
way to work around this issue?

--
tb

[dillinger]

Don't know about AT&T but I can use both Gmail and Yahoo with OAuth2.
No extension needed, shouldn't be a problem.

[Ron K.]

TB supports the Oauth protocol and has for over two years. It was added
after Gmail went to Oauth for Gmail IMAP mail.

--
Ron K.

[Ron K.]

On 9/19/2019 1:01 PM, KenW wrote:

> I was wondering why I did not have OAuth2. I use POP3.
>
POP3 is consdered an obsolete mail protocal because it does not support
encryption for sending mail over the internet.

--
Ron K.

[Gary Curtin]

>>POP3 is consdered an obsolete mail protocal because it does not support
>>encryption for sending mail over the internet.
>

POP3 is not used to send messages, so it can send neither encrypted nor
unencrypted messages.

[tb]

So there is nothing in particular that I need to do with Thunderbird in
order to get OAuth to work with my AT&T email account?

--
tb

[Onno Ekker]

> On 19 Sep 2019, at 19:41, Ron K. <ronki...@gmail.com> wrote:
>
>> On 9/19/2019 1:01 PM, KenW wrote:
>> On Thu, 19 Sep 2019 11:48:03 -0400, "Ron K." <ronki...@gmail.com>
>> wrote:

>> I was wondering why I did not have OAuth2. I use POP3.

> POP3 is consdered an obsolete mail protocal because it does not support encryption for sending mail over the internet.
>

> --
> Ron K.

Sorry but POP3 is for receiving only (as is IMAP). SMTP is for sending.

So saying that POP3 is obsolete because it can’t send encrypted is nonsense.

Onno

[John McGaw]

So true. Another complication in the OP's response to AT&T's message is
that OAuth only seems to apply to IMAP. With my setup upsing SMTP and POP3,
TB does not offer the OAuth option. I'm going to try to contact AT&T/Yahoo
and try to find out what _I'm_ supposed to do but in the past trying to get
any help from them has been futile.

[Ron K.]

I was reffering to the transport of mail messages. I am aware that it is
a mail receiving protocol.

--
Ron K.

[Ron K.]

On 9/19/2019 5:12 PM, Onno Ekker wrote:
>
>

[Chris Ilias]

Hi tb,
From what I've seen, OAuth support is per-ISP. What I mean by that is...
* For Gmail, OAuth2 support was added in Thunderbird 38.
* For Yahoo and AOL, OAuth2 support was added in Thunderbird 60.
There are separate enhancement requests for other ISPs as well.

Despite OAuth support being available for Gmail, AT&T's claim may be
correct.

But I'm not familiar with AT&T email, so I'm going to stop short of
claiming it is. :)


--
<https://ilias.ca/links>
Mailing list/Newsgroup moderator

[Gary Curtin]

>I was reffering to the transport of mail messages. I am aware that it is a mail receiving protocol.
>

If somebody sends you an encrypted message, it is irrelevant whether you
are using POP3 or IMAP or EWS to receive it. It is still encrypted and
you can properly receive it.

Maybe you need to recheck your source Ron, because saying either that
POP3 is obsolete or that it doesn't support receiving encrypted messages
is rubbish.

[William Dorsey]

AT&T's email service is a front end of Yahoo Mail, but Yahoo Mail is not requiring the same procedure as AT&T.

I am pasting here the email sent by AT&T for clients that (at this time) use/require OAuth:

Hi AT&T Yahoo Mail member,

Good news! There’s a new way to set up your AT&T email account in email apps that will keep your information even more secure. Please update or upgrade your email apps IMMEDIATELY. Failure to do so will interrupt your access to your email account.

Learn how to update your settings and apps.

Thanks for choosing us,
AT&T

THE "Learn how":

Use OAuth or secure mail key for email apps 

We’re enhancing the security of AT&T email. Soon you’ll have to use either OAuth or a secure mail key to get your AT&T email through an email app.

DETAILED INFO

Learn how to access your email in a more secure way

After our security updates, you’ll have 2 ways to view and manage your email in an app: 

• (Recommended) Use an email app that encrypts your username and password through technology called Open Authentication, or Oauth. Get step-by-step instructions on how to set up or update your email account in several popular email apps, using our Troubleshoot & Resolve Tool.
• Create a secure mail key to sign in to email apps that don’t use OAuth.

Or, you can always use a browser to sign in directly to your AT&T email at att.net, without using an email program or app. 

This security upgrade is for your AT&T email access only. It won’t affect any of your other AT&T products or services.

Show less

Email access with OAuth and secure mail keys

Access AT&T email with an email app that uses OAuth

If you’re like most people, you have email apps that let you read and manage email on your computer and mobile devices. For your security, we suggest you only use email apps with an email technology known as Open Authentication or OAuth. OAuth encrypts your username and password to protect your info from hackers and fraudsters.

Device & operating system (OS)	Apps and programs that use OAuth
iPhones & iPads running iOS 9.0 and above	Apple Mail Outlook Mobile Yahoo Mail app
Android devices running Lollipop/5.0 or above	Gmail  Outlook Mobile  Yahoo Mail app
Mac computer running OS 10.11/El Capitan or above	Apple Mail
PC running Windows 10	Windows Mail
Email app not listed? Here’s a quick way to find out if your email app uses OAuth. Start setting up a new email account in your app. Your app may offer you a list of email providers that includes Yahoo. If it does, your email app is OAuth compatible. Be sure to select Yahoo as your provider. You’re all set!

Non-OAuth compatible email apps

• Outlook 2010, 2013, 2016
• Mozilla Thunderbird
• Windows Mail on personal computers running Windows 8 or older
• Apple Mail/Mac Mail on macOS 10.10/Yosemite or older

We suggest you switch to an email app that has OAuth. Get step-by-step instructions on how to set up or update your email account in several popular email apps, using our Troubleshoot & Resolve Tool.

Access AT&T email through an email app using a secure mail key

If you prefer to use an email app that isn’t compatible with OAuth, you’ll have to create a special code called a secure mail key. You’ll use this secure mail key instead of your AT&T password when you set up an email app.

Learn how to create a secure mail key

Access AT&T email at att.net 

You can always use your regular password to access your AT&T email at att.net through a Web browser.

Show less

More info

Multiple devices using different email apps

If you access your AT&T email on multiple email apps across several devices, you’ll have to check each email app you use on every device. For example, you may use Outlook Mail on a laptop, Gmail on a smartphone, and Apple Mail on a tablet. Each device must use either an OAuth app or your secure mail key.

Email aliases and disposable email addresses 

You don’t need a secure mail key for an email alias or disposable email address that goes with your AT&T email account. That’s because alias and disposable email addresses use the same password as the main email address it’s tied to.

Note: If your email address ends with @yahoo.com, be sure to verify your account status with Yahoo.

Show more

AND FINALLY:

Create a secure mail key

Learn how to create a secure mail key from your mobile device, tablet, or computer.

Have your User ID and password ready to sign in to myAT&T.

1. Go to Profile > Sign-in info.
2. Select the email account that you want to get a secure mail key for. (You’ll find a drop-down menu at the top if you have multiple accounts.) 
3. Scroll to Secure mail key and select Manage secure mail key.
4. If you have more than one email address, select the one you want to use.
5. Select Add secure mail key.
6. Enter a nickname for the secure mail key to make it easier to recognize.
7. Select Create secure mail key.
8. Select Copy secure mail key to clipboard. (Jot down your secure mail key, so you have it handy if you have to update an email app on several devices.)
• For security purposes, the secure mail key only shows until you select OK. 
• If you lose or forget the secure mail key, you can create new secure mail keys as needed.
• ATT Dorse: cltckmipyrlanpfa
9. Select OK.
10. Go to your preferred email app and replace the existing password with your secure mail key. (For an IMAP account, delete the existing password for both the IMAP and SMTP servers and replace them with your secure mail key.)

[dillinger]

I don't think there is anything you can do, except hope it works and
file a bug if it doesn't. It may work, or not, see Chris' answer.

[John McGaw]

Well, AT&T gave up on running their own email some time back and contracted
with Yahoo to handle everything. For example my incoming mail server is
"pop.att.yahoo.com". All I can say about the OAuth situation is that it is
not offered in TB anywhere I can find but I was able to use the alternate
(and decidedly odd) "security key" setup that AT&T offered in their scary
email to users, at least on my desktop which does nothing but offer a
_long_ string of confusing lower-case letters heavy on "pqy-types". I still
haven't been able to get it working on the GMail program on my Pixel 3 but
that is a fight for another day...

[Gary Curtin]

On 21/09/2019 14:58, John McGaw wrote:

All I can say about the OAuth situation is that it is not offered in TB anywhere I can find

Go to Options > Account Settings. Click on your account > Server Settings > Security Settings > Authentication method.

[Gary Curtin]

On 21/09/2019 14:58, John McGaw wrote:

my incoming mail server is "pop.att.yahoo.com"

Missed that. Sorry. Oauth is not available for POP3, maybe that is why you can't find it.

[Nobody]

On Sat, 21 Sep 2019 15:24:41 +0200, Gary Curtin <gary....@gmx.ie>
wrote:

Out of curiosity, I looked at my settings (though my ISP hasn't asked
for anything special), and for IMAP 'OAuth2' is an option... but isn't
offered for POP.

Win 10 TB 60.9.0

[Gary Curtin]

On 21/09/2019 17:23, Nobody wrote:

Out of curiosity, I looked at my settings (though my ISP hasn't asked
for anything special), and for IMAP 'OAuth2' is an option... but isn't
offered for POP.

While I previously comment that Oauth is not an option for POP3, I have since spent the afternoon reading up on this, and my comment is just rubbish.

Oauth apparently can be used with POP3 IF the provider supports it. If the provider does not support it, it will not be listed in Thunderbird as an option. Maybe someone can confirm that.