EmailDiscussions.com  

Old 26 Oct 2019, 06:46 AM   #1
xyzzy
Essential Contributor
 
Join Date: May 2018
Posts: 474
Question: Does POP/IMAP/SMTP protocol include info about client?

I have always thought that the POP/IMAP/SMTP protocol does not include any identification about which email client is being used. When I look at the exchange log in my Thunderbird I don't see anything that says "I am Thunderbird". Well at least I didn't notice anything.

But some services seem to know which client is being used. For example, I've read that Thunderbird won't work on Yahoo with OAuth2 authorization since Yahoo considers Thunderbird a less secure app. How could Yahoo know that Thunderbird is being used if the protocols didn't identify the app?

Just curious because maybe I've been wrong about the identification all these years thinking there is no need for the servers to know which client so long as the proper protocols were followed.

Last edited by xyzzy : 26 Oct 2019 at 06:47 AM. Reason: title mispelled

Old 27 Oct 2019, 11:57 PM   #2
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 483
Before a client can request stuff from a server it has to log in to that server. There are various different ways to do that, with different levels of security, and some servers may insist that you use a more-secure method. If a client does not know how to provide the right sequence of answers to prompts from the server it can't use that method of logging in.

So in this case, older versions of Thunderbird had not been programmed to know how to negotiate a secure login using the Q&A that is required for OAuth2.

I'm not a Thunderbird user, but Googling suggests that recent versions of TB do support this.
Old 28 Oct 2019, 02:02 AM   #3
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
This looks like an explanation:

https://support.mozilla.org/en-US/questions/1214967

Quote:
Thunderbird CAN NOT use the oAuth2.0 authentication until Yahoo are prepared to issue tokens for mail applications to use. So really we have tried. Yahoo do not appear interested, so I suggest you enable less secure apps or move to Google where oAuth2.0 has been working since Thunderbird 38 because they actually issue the application tokens.
Old 28 Oct 2019, 04:48 AM   #4
xyzzy
Essential Contributor
 
Join Date: May 2018
Posts: 474
I've seen those posts about TB. So, in general, it's just the info sequence exchanged during authentication as opposed to anything sent that explicitly says "I am Thunderbird" (or I am Outlook, etc.). That's what I suspected but thanks for the confirmation.

What caused me to finally ask this is something that came up in the ATT Forums where, for a few weeks (?), people with Outlook (maybe only recent versions) configured as IMAP were seeing stuff disappearing in their inbox (some say right before their eyes). Note, att uses yahoo as their email service provider.

It was only Outlook users and they claimed no changes were made at their end although some had switched to OAuth2 or application passwords (which Att calls a "secure mail key") authentication. They also said there were also no software updates to Outlook.

This made me wonder how Outlook IMAP users could be the only ones singled out. I don't believe the problem occurred with POP. I have a test IMAP setup in my Thunderbird (secure mail key authentication - mine's too old to use OAuth2 -- and test setup since I don't use att/yahoo as my real ESP) and saw no such problems. And I didn't see reports from users with other email clients either.

At any rate suddenly all their missing stuff reappeared a day or two ago. Whether att/yahoo restored the stuff or something else was done at their end no one will ever know. Att/yahoo will never say or admit there was ever any problem. They never do.

Thanks.
Old 28 Oct 2019, 08:15 AM   #5
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
Quote:
Originally Posted by xyzzy
I've seen those posts about TB. So, in general, it's just the info sequence exchanged during authentication as opposed to anything sent that explicitly says "I am Thunderbird" (or I am Outlook, etc.). That's what I suspected but thanks for the confirmation.
It's not necessarily anything like that. IMAP is complicated; there are different ways to do the same thing even in basic IMAP. There are optional extensions supported by only some clients. Servers may have support to work around bugs in major clients. So it's possible Outlook could trigger a bug that others avoid. Or it could involve a bug in Outlook.
Old 29 Oct 2019, 10:36 AM   #6
emoore
Essential Contributor
 
Join Date: Apr 2002
Posts: 280
Quote:
Originally Posted by xyzzy
I have always thought that the POP/IMAP/SMTP protocol does not include any identification about which email client is being used. When I look at the exchange log in my Thunderbird I don't see anything that says "I am Thunderbird". Well at least I didn't notice anything.
There is an optional ID extension to the IMAP protocol. I looked in an IMAP log file I created using version 68.0 of Thunderbird and it contains:

ID ("name" "Thunderbird" "version" "68.0")

It sent that to the IMAP server to identify what the email client was. However, I don't think that command is needed for OAuth2 support.

IMAP also supports a CAPABILITY command which a client can send to the server to request what capabilities it supports. It returns various keywords. I believe AUTH=XOAUTH2 is used to identify that the IMAP server supports OAuth2. The email client has to send an AUTHENTICATE XOAUTH2 command that contains an OAuth2 token to the server to log in to the user's account, if the IMAP account is configured to use OAuth2 for authentication.

When you add an email account that uses OAuth2 you get a browser popup that requests you enter your username and password and confirm that you want Thunderbird to be able to access the mailbox. If it succeeds it returns a token, which is saved and used whenever Thunderbird logs you in to that email provider. I assume that if the server is not configured to support Thunderbird, the attempt will fail. If that's true, that would prevent any random email client from using OAuth2 with an email provider; they have to get the email provider to register their email client first.

OAuth 2 providers typically issue the developers an identifier for their application and some secret/password. These are used to check if a call was really issued by your application. I'm unsure exactly when they're passed to the server but it's over a secure connection.

The POP3 and SMTP protocols use an AUTH, rather than an AUTHENTICATE, command. But I suspect they work basically the same way.

https://developers.google.com/gmail/...auth2-protocol , https://developer.yahoo.com/oauth2/guide/?guccounter=1 and https://stackoverflow.com/questions/...onsumer-secret have more details.
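Added example (not part of the thread or any poster's code): a Python sketch that reads client-side IMAP lines and reports where the client software is named, which is the optional ID command and not the AUTHENTICATE XOAUTH2 blob, whose base64 payload carries only `user=` and `auth=Bearer` fields. The session lines, address and token are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re

# Constructed client-side IMAP lines (not a real capture); token is a placeholder.
_BLOB = base64.b64encode(
    b"user=alice@example.com\x01auth=Bearer PLACEHOLDER_TOKEN\x01\x01").decode()
SAMPLE_SESSION = [
    "1 CAPABILITY",
    '2 ID ("name" "Thunderbird" "version" "68.0")',
    "3 AUTHENTICATE XOAUTH2 " + _BLOB,
]

_ID_RE = re.compile(r'^\S+\s+ID\s+(NIL|\((.*)\))\s*$', re.IGNORECASE)
_FIELD_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s+(?:"((?:[^"\\]|\\.)*)"|NIL)')
_AUTH_RE = re.compile(r'^\S+\s+AUTHENTICATE\s+(\S+)(?:\s+(\S+))?\s*$', re.IGNORECASE)

def parse_id(line):
    """Return the field/value pairs of an IMAP ID command, or None if not ID."""
    m = _ID_RE.match(line)
    if not m:
        return None
    if m.group(2) is None:  # "ID NIL": the client declined to identify itself
        return {}
    return {k.lower(): v for k, v in _FIELD_RE.findall(m.group(2))}

def parse_xoauth2(line):
    """Decode an AUTHENTICATE XOAUTH2 initial response into its key=value parts."""
    m = _AUTH_RE.match(line)
    if not m or m.group(1).upper() != "XOAUTH2" or not m.group(2):
        return None
    raw = base64.b64decode(m.group(2), validate=True).decode("utf-8")
    parts = dict(p.split("=", 1) for p in raw.split("\x01") if "=" in p)
    if "auth" in parts:  # the bearer token is a credential: keep only the scheme
        parts["auth"] = parts["auth"].split(" ", 1)[0] + " <redacted>"
    return parts

def client_identity(session):
    """Summarise what the client lines reveal about the software in use."""
    summary = {"id": None, "mechanism": None, "auth_fields": None}
    for line in session:
        ident = parse_id(line)
        if ident is not None:
            summary["id"] = ident
        m = _AUTH_RE.match(line)
        if m:
            summary["mechanism"] = m.group(1).upper()
            summary["auth_fields"] = parse_xoauth2(line)
    return summary
```

Run over the sample session, the only place "Thunderbird" appears is the ID fields; the decoded authentication blob names the user and the token scheme but no client.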
Old 29 Oct 2019, 06:43 PM   #7
xyzzy
Essential Contributor
 
Join Date: May 2018
Posts: 474
Good info. Thanks.
All times are GMT +9.