Learn how to use OAuth authentication to connect with IMAP, POP or SMTP protocols and access email data for Office 365 users. OAuth2 support for the IMAP, POP and SMTP protocols as described below is available for both Microsoft 365 (which includes Office on the web) and Outlook.com users.
Non-OAuth compatible email apps:
- Outlook 2010, 2013, 2016
- Mozilla Thunderbird
- Windows Mail on personal computers running Windows 8 or older
- Apple Mail/Mac Mail on macOS 10.10/Yosemite or older
We suggest you switch to an email app that has OAuth.
From MozillaZine Knowledge Base
- This article was written for Thunderbird but also applies to Mozilla Suite / SeaMonkey (though some menu sequences may differ).
Gmail provides free webmail accounts and POP, IMAP and SMTP servers. To add an account in Thunderbird you need to have a Gmail webmail account, create either a POP or IMAP account in Thunderbird and then enable it in Gmail settings using a browser.
You can create a new account by pressing the Add Mail Account button in Tools -> Account Settings -> Account Actions. All you need to know is your email address and password; it will configure the account settings for you. It defaults to an IMAP account but you can tell it to use a POP account instead using a radio button. If you don't want it to automatically configure your account press the 'Manual Config' button in the second screen of 'Mail Account Setup'.
After you create the POP/IMAP account in Thunderbird enable using the POP or IMAP server with your account by:
- Logging into your Gmail webmail account using a browser.
- If you're using a POP account, click on 'Settings -> Forwarding and POP/IMAP -> POP Download:' and choose either 'Enable POP for all mail (even mail that's already been downloaded)' or 'Enable POP only for mail that arrives from now on'.
- If you're using an IMAP account, click on 'Settings -> Forwarding and POP/IMAP -> Enable IMAP'.
- Click the 'Save Changes' button.
If you're using the same Gmail POP account with multiple email clients you need to enable recent mode in order to let each email client access all of the messages in that account. You can do that by replacing username@gmail.com with recent:username@gmail.com as the username in Tools -> Account Settings -> Server Settings.
Using OAuth2 for 'secure authentication' will pop up a window for your password using your system's default browser. It requires cookies to be enabled for google.com. Cookies are normally enabled by default (Tools -> Privacy -> Accept cookies from web site is checked, and 'Keep until' is set to 'until they expire'). OAuth2 creates a token that will be used by the password wizard as if it were a stored password. You can use a normal password instead for 'secure authentication'. However, unless you log into https://www.google.com/settings/security/lesssecureapps using a browser and select Allow to let less secure apps access your Google account, Gmail may return an error when you try to log in if you haven't had the Gmail account for at least 90 days. They have changed the error message several times. Currently it should look something like: 'Sending of password for user XYZ did not succeed. Mail server pop.gmail.com responded: Web login required: https://support.google.com/mail/answer/78754'. [1]
Using a password is just as secure as OAuth2, except for the possibility for somebody who can access your PC to use Tools -> Options -> Security -> Passwords -> Saved Passwords to view your saved password. This is really just an attempt to increase use of OAuth2, which supports their business plan by supporting logging into third party web sites such as Facebook or Twitter without exposing the user's password. After a while some other email providers such as Yahoo have started doing the same thing to encourage people to use their apps or webmail (instead of a 3rd party email client).
The account wizard might use googlemail.com instead of gmail.com in the server names. They are equivalent. Gmail was rebranded as Google Mail in Germany, Austria and the United Kingdom. Since 2012 Gmail is branded Gmail in Germany.
If you use the Gmail SMTP server with a different account it will replace the From: address with your Gmail account's email address unless you add the email address in the Gmail web page at Settings -> Accounts -> 'Add another email address'.
Some users are reluctant to use Gmail because it has a reputation for scanning your mail in order to display personalized advertisements. According to this article that practice stopped in 2017.
POP
- Type: POP
- Server Name: pop.gmail.com
- User Name: Your FULL email address
- Port: 995 (this should be automatically set when you select SSL/TLS)
- Secure connection: SSL/TLS
- Secure authentication: normal password or OAuth2. [2][3][4]
IMAP
- Type: IMAP
- Server Name: imap.gmail.com
- User Name: Your FULL email address
- Port: 993 (this should be automatically set when you select SSL)
- Secure connection: SSL/TLS
- Secure authentication: normal password or OAuth2 (recommended)
Set tools -> account settings -> server settings -> advanced -> IMAP server directory to [Gmail] to fix problems with how it lists folders in the folder pane.
SMTP
- Server Name: smtp.gmail.com
- Port: 587 (you could also use port 25 if your ISP doesn't block it)
- Username: Your FULL email address
- Secure connection: STARTTLS
- Secure authentication: normal password or OAuth2 (recommended)
Don't configure Thunderbird to save a copy of any messages you send in tools -> account settings -> copies & folders. Gmail's SMTP server automatically saves a copy of any message you send in the Sent Items folder for you.
The SMTP server also supports using port 465 with SSL/TLS. [5]
Subscriptions
Subscriptions control whether an IMAP folder is visible in the folder pane (and any lists of folders). If it is cluttered with folders you don't normally use, you might want to hide some by unsubscribing them. You won't be notified of new mail in unsubscribed folders.
You can subscribe or unsubscribe a folder by:
- Right click on the Inbox in the folder pane.
- Select Subscribe in the context menu.
- Click on the '>' next to the Inbox to expand the folder list.
- Check any folders you want to make visible (subscribe), uncheck any you want to hide (unsubscribe).
- Press the OK button.
You can also use the Subscribe and Unsubscribe buttons in that menu. If View -> Folders is set to Unified instead of All, right click on the account's name underneath the (unified) inbox at the top of the folder pane since that view displays the inbox folder differently.
All Mail
Gmail IMAP accounts have an All Mail folder which tracks every message. This is an artifact of how Gmail implemented labels, not a Thunderbird quirk. That folder is also used as the archive folder.
Tools -> Account Settings -> Gmail -> Synchronization & Storage -> Advanced is configured to keep a local copy of all IMAP folders on your hard disk. From a performance point of view you may wish to unsubscribe All Mail. (Note: Prior to version 17, being subscribed to the All Mail folder doubles the amount of disk space used by Thunderbird to store your Gmail account, and may cause some problems. However, starting with version 17, with fixed bug 721316 only ONE copy of every newly downloaded message is kept on disk, so there is no need to unsubscribe from a storage point of view.) The safe way to unsubscribe and free the related disk space is:
- Uncheck it in Synchronization & Storage -> Advanced
- Unsubscribe it (see above)
- Press the 'show folder' button in Help -> Troubleshooting Information to view the profile directory using Windows Explorer.
- Exit Thunderbird.
- Go to .\ImapMail\imap.gmail.com (or .\ImapMail\imap.googlemail.com if you use the googlemail mail server)
- Delete both 'All Mail.' and 'All Mail.msf'.
- Restart Thunderbird.
If you have multiple Gmail IMAP accounts some of the directories will have a numeric prefix such as imap.gmail-1.com. Look at the 'Local Directory' setting at the bottom of the Tools -> Account Settings -> account_name -> Server Settings (by the browse button) to find the name of that account's directory.
Suddenly cannot log in anymore
Gmail routinely blocks logging into a POP account so that they can show you a message. You need to login to webmail using a browser to clear it [6]. Sometimes you can't log in because Gmail thought something suspicious happened, and set a captcha. Thunderbird has no concept of a captcha, you need to login to webmail using a browser to clear it. Similar problems can appear if you use a VPN due to Gmail detecting that your IP address is from a location far from where you normally log in. This can cause security exceptions, and force you to periodically login to google to tell them that the remote login was you.
If you get a popup later on that you have to sign in to the Google account again, and then a 'cookies disabled' web page you need to either enable cookies in Tools -> Options -> Privacy -> Web Content or add an exception for Google. [7]
There have been several reports of a working Gmail IMAP account breaking (can't log in anymore) due to the allow less secure apps setting changing to disabled. It's not clear why this occurs, but it's not something that Thunderbird can change. [8]
Less Secure Apps
Google is trying to push email clients to either use two factor authentication or OAuth2, rather than simply logging in with POP/IMAP/SMTP using your username/password. They are doing this by gradually increasing the number of times they prevent an email client from logging in with a password, claiming they did that because the email client was not secure enough. This is not limited to Thunderbird; it occurs with almost any email client. It has nothing to do with whether the email client is using the latest version of SSL/TLS or Perfect Forward Secrecy; it's strictly an authentication issue. If you run into this, your Gmail account may appear to hang, or you may get some type of “Password incorrect” error, or an error message roughly like:
We recently blocked a sign-in attempt to your Google Account [XXXX@gmail.com]. If this was you you can switch to an app made by Google such as Gmail to access your account (recommended) or change your settings at https://www.google.com/settings/security/lesssecureapps so that your account is no longer protected by modern security standards. To learn more, see https://support.google.com/accounts/answer/6009563
If you keep using the same TCP-IP address for your PC/laptop you are usually okay. If you run into this problem log into https://www.google.com/settings/security/lesssecureapps using a browser and select “Allow” to let less secure apps access your Google account. [9]
Why does Google call Thunderbird “less secure”? has some useful comments such as 'OAuth is more secure because it only need to decrypt the keyring (i.e. passwords in plain text) for the very short duration while you authorize the mail agent, this is true whether you do the authentication in browser or if the mail software itself supports inbuilt OAuth authorization.' Bypassing Googles two factor authentication and Google-jacking: A review of Google's 2-Factor Authentication discusses some of the risks of how they implemented two factor authentication.
Confidential Mode
Gmail added a so-called confidential mode to Gmail webmail. It does not use end to end encryption, so Google can still read the contents. It does not use standard email protocols to deliver the message. In a sense the message is never actually delivered. It's stored on Google's servers and you have to read the message in a browser. If you receive one of these messages in Thunderbird the message body will have a 'view your message' link that you have to click on, which will open the message in a browser. There is an optional SMS feature that would require recipients to provide a cell phone number in order to get an SMS passcode. You can also set an expiration date for the message. That doesn't mean it ceases to exist, just that you can't read it anymore.
This is reminiscent of email tracking services that have a message load a remote image from their web server that is too tiny for the user to notice it, to track whether the message was read.
Normally Thunderbird can display a paper clip if there is an external attachment and use MIME Parts On Demand settings to manage whether attachments get loaded (if you don't open them). None of this applies for confidential mode since Thunderbird only sees the message with a link.
See how the new confidential mode works in gmail and Between You, Me, and Google: problems with Googles confidential mode for more information.
Troubleshooting and Gmail quirks
Gmail treats POP and IMAP messages individually and not as a threaded conversation.
Compatibility
- Recent flags on messages are not supported. The Answered flag is not preserved when a message is moved or a label is added to the message [10]
- Only the From, CC, BCC, To, and Subject headers can be searched. All searches are assumed to be words.
- If you exceed 15 connections per account you will get either a 'Too many simultaneous connections' or an 'Account exceeded command or bandwidth limits' error. Typically, an additional connection is needed for each folder that you automatically check for new mail, so this might limit how many folders you can enable for 'when getting new mail for this account, always check this folder' in folder properties. This error can also cause you to be blocked from Gmail for 24 hours. [11][12]
Labels
The IMAP folders correspond to the labels in Gmail's webmail. IMAP folder hierarchy is represented by '/' in Gmail's labels, e.g. IMAP subfolder XYZ under ABC is mapped to the label ABC/XYZ (maximum length = 40 bytes). However, some special folders are mapped differently between IMAP and Gmail's web interface:
- IMAP folder of [Gmail]/All Mail, [Gmail]/Drafts, [Gmail]/Sent Mail, [Gmail]/Spam, [Gmail]/Starred, [Gmail]/Trash => Gmail's folder of All Mail, Drafts, Sent mail, Spam, Starred, Trash.
- Other IMAP folders such as XYZ under [Gmail] => Gmail's label of [Gmail]/XYZ.
- Root level IMAP folder of Drafts, Sent, Trash => Gmail's label of [Imap]/Drafts, [Imap]/Sent, [Imap]/Trash.
If you look at the All Mail folder ([Gmail]/All Mail of IMAP) using Gmail's webmail it will label any IMAP messages with the name of the folder. If you delete a message in Thunderbird it simply removes that folder's label from the message. Compacting the folder doesn't remove the message from the All Mail folder ([Gmail]/All Mail of IMAP). You need to move it to the Trash or Spam folder ([Gmail]/All Mail or [Gmail]/Spam of IMAP) to delete the message from all folders. It's not clear yet if this is also true for Message aging. Moving mail in [Gmail]/All Mail of IMAP back to any IMAP mail folder (except [Gmail]/Spam) restores all of Gmail's labels.
A single copy of each message is stored in the account, and if the message has multiple labels there are pointers to that copy, a change introduced in version 17.0.2 by bug 721316. (Prior to version 17.0.2 a copy of a message is stored for each label. That means if you assign two labels to a message and star it using Gmail's webmail it has a copy in two folders named after the label, the All Mail folder, and the Starred folder.) If you copy a message to multiple remote folders (using Thunderbird) it will be marked with the corresponding labels when viewed using Gmail webmail.
If you move a message into the Spam folder, it is treated the same as if you had reported it in Gmail webmail using 'Report Spam'. See How do actions sync in IMAP? on Gmail's web site for more information on how it maps things.
Gmail recommends that you do not use [Gmail]/Trash as your Trash folder since Gmail only keeps a single copy of a message with multiple labels. If you delete a message that way you're also telling it to delete the same message from any other folder (label) that has that message. [13][14] Gmail recommends not making Thunderbird move deleted mail into any folder and instead choosing 'Just mark it as deleted' from 'When I delete a message' in Account Settings -> Server Settings.
Dots
Dots don't matter on Gmail addresses. If your address is johnsmith@gmail.com, email sent to john.smith@gmail.com, jo.hn.sm.ith@gmail.com, j.o.h.n.s.m.i.t.h@gmail.com etc. is sent to your mailbox. This is not just a quirk: it can be used as part of a phishing scam, as companies that you give your credit card to usually don't take any precautions against your Gmail email address not being unique. The danger is that we teach people about “phishing” due to emails from dodgy email addresses, but we don’t teach people anything about phishing due to emails to dodgy addresses.
Bandwidth Limit
Gmail imposes a bandwidth limit on the POP and IMAP servers. This is undocumented for free accounts. However, the G Suite (commercial version of Gmail) help states you can download up to 2500MB per day from an IMAP server, download 1250MB per day from a POP server, and upload 500MB per day to the IMAP server. These limits are lower than the corresponding limits for webmail. Gmail will silently fail if it reaches these limits. These limits apply to any email client (including Outlook and the OS X Mail app).
Problems
- Gmail periodically re-indexes your mailbox. If you're using an IMAP server it's possible deleted messages from your Sent Mail folder might get resurrected when that happens. You can prevent that by setting 'When a message is marked as deleted and expunged from the last visible IMAP folder:' to 'Immediately delete the message forever' in Gmail webmail's 'Forwarding and POP/IMAP' settings. [15]
- If large messages or attachments are truncated, set mail.server.default.fetch_by_chunks = false to work around a size bug in Gmail.
- Gmail has problems with non-ASCII characters in headers. This might occur if they're used in a recipient's email address, folder names or tags. To work around the bugs in Gmail header fields, go to 'Tools -> Options -> Advanced -> General -> Config Editor (button)', right-click anywhere in the list of preferences, select New, select Boolean, copy-paste mail.imap.use_envelope_cmd, and set it to true. [16][17]
- The Gmail list of known IMAP issues mentions that the 'All Mail' folder can have well over 100,000 messages and that some email clients may crash if they try to process a folder with that many messages. Thunderbird doesn't have any known limit on the maximum number of messages in a folder, but most of the attention has been on the maximum size of a folder.
- This forum thread discusses some more quirks. Please check bugs listed in the dependency tree for bug 402793 (meta bug) with 'Show Resolved' before opening a bug relevant to Gmail IMAP at bugzilla.mozilla.org.
- If you send a message from your Gmail account to the same Gmail account in Thunderbird, that message will not be downloaded into Thunderbird. The message will, however, appear in your Gmail Inbox if you log into your account using the Gmail web interface. This is not a bug in Thunderbird; it is a quirk in the way Gmail implements POP. If you use IMAP, an e-mail sent to yourself shows up in the Inbox, [Gmail]/All Mail, and [Gmail]/Sent Mail folders.
- By default, Gmail's SMTP server ignores whatever 'From:' address you might specify using multiple identity support and uses your Gmail authenticated address instead. You have to register any other address using Gmail's web interface at Settings -> Accounts -> 'Add another email address' to enable it as a 'From:' address. Your authenticated Gmail address is still added as a secondary 'Sender:' header.
- If Thunderbird refuses to use the correct outgoing (SMTP) server, see the 'Troubleshooting' section in this article.
- The Gmail SMTP server now officially supports both STARTTLS (port 587) and SSL/TLS (port 465). Note: Thunderbird 3.0 renamed TLS to STARTTLS and SSL to SSL/TLS.
- Gmail scans attachments for viruses and blocks any that it thinks contain executables. This includes .zip files. You can work around this by changing the filenames to use file extensions it doesn't recognize. However, since that violates their policies you could potentially lose your Gmail account. A better solution might be to use a free file hosting site such as RapidShare, MegaUpload or YouSendit and send a link to the file instead.
Disposable addresses
Gmail supports plus-addressing, a useful way to create a disposable email address. Let's say your email address is JohnSmith@gmail.com and you need to give the xyzzy website an email address. If you give them JohnSmith+xyzzy@gmail.com, it will still be delivered to your inbox, despite the To: header having an extra '+xyzzy'. If somebody starts sending spam to that email address, you could create a message filter that tests for xyzzy in the To: header and automatically delete (or move to the Junk mail folder) those messages when checking for new mail. Some email systems violate RFC 2822 and won't send a message using plus addressing, but it is normally not a problem.
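The dot and plus-addressing behaviour described under Dots and Disposable addresses, seen from the side of a service that stores customer email addresses: this is an added example, not part of the original article, that canonicalises Gmail addresses so that variants of one mailbox are detected as duplicates. Treating googlemail.com as an address domain equivalent to gmail.com and ignoring letter case are assumptions of this example, and the sample addresses are constructed.

```python
"""Canonicalise Gmail addresses so dot and plus variants compare equal."""
from collections import defaultdict

# Assumption of this example: both domains name the same mailbox namespace.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(address):
    """Return (local_part, lowercased_domain) or raise ValueError."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain.lower()


def plus_tag(address):
    """Return the '+tag' part of a plus-address (without the '+'), or None."""
    local, _domain = split_address(address)
    _base, plus, tag = local.partition("+")
    return tag if plus and tag else None


def canonical_mailbox(address):
    """Map every Gmail spelling of one mailbox to a single key.

    Non-Gmail addresses are returned with only the domain lowercased,
    because other providers may treat dots and '+' as significant.
    """
    local, domain = split_address(address)
    if domain not in GMAIL_DOMAINS:
        return f"{local}@{domain}"
    base = local.partition("+")[0].replace(".", "").lower()
    if not base:
        raise ValueError(f"empty mailbox name in {address!r}")
    return f"{base}@gmail.com"


def find_collisions(addresses):
    """Group addresses by canonical mailbox; keep groups with 2+ spellings."""
    groups = defaultdict(list)
    for raw in addresses:
        groups[canonical_mailbox(raw)].append(raw)
    return {key: raws for key, raws in groups.items() if len(raws) > 1}


# Constructed sample data: addresses as a signup form might have stored them.
SAMPLE_SIGNUPS = [
    "johnsmith@gmail.com",
    "john.smith@gmail.com",
    "J.o.h.n.S.m.i.t.h@googlemail.com",
    "JohnSmith+xyzzy@gmail.com",
    "jane.doe@example.org",   # not Gmail: the dot is kept
    "janedoe@example.org",    # so this is a different mailbox
]

if __name__ == "__main__":
    for mailbox, spellings in find_collisions(SAMPLE_SIGNUPS).items():
        print(f"{mailbox} is registered {len(spellings)} times:")
        for raw in spellings:
            tag = plus_tag(raw)
            print(f"  {raw}" + (f"  (tag: {tag})" if tag else ""))
```

A service that keys accounts on the canonical form rather than the raw string cannot be given two "different" accounts that deliver to the same Gmail inbox.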
Mail fetcher
Gmail supports a way to periodically fetch email from up to five POP accounts and merge them into your inbox. The POP accounts could be provided by Gmail or another email provider. It works with Thunderbird, but you have to configure mail fetcher using Gmail webmail.
Two step verification
The Google Account help advocates using two step authentication. That sends a code (a minimum of once a month but ideally every time you log in) to your cell phone that you need to enter when logging in using a browser. However, applications such as email clients can't do that. If you configure two step verification you need to either use OAuth2 to authenticate or create an application specific password for Thunderbird that you use instead of the normal password. The application specific password doesn't change when a new code is sent to your cell phone. If you created an application specific password, used it for a while, and later on it's rejected, forcing you to create another one, try deleting all Google cookies using Tools -> Options -> Privacy -> Show Cookies, then exit and restart Thunderbird. [18]
Two step verification is not needed, and not recommended. Use a strong password, and don't use the same password with other email providers/web sites, instead. However, if you have another email account it is a good idea to set a recovery email address in case you ever forget/lose your password.
Synchronizing contacts
Gmail supports the CardDAV protocol (an address book client/server protocol designed to allow users to access and share contact data on a server). Currently the SoGo connector add-on is the best way to add CardDAV support to Thunderbird. However, it has a reputation as being buggy and having poor support. There is a bug report requesting built-in support for CardDAV. The address book is being completely redesigned and will include support for multiple contact providers. Based on this blog post it looks like that will eventually include support for CardDAV. See this forum thread for information on other alternatives.
The most popular solution is to use an add-on such as Zindus or Google Contacts to synchronize your address book with Google Contacts.
Gmail does not provide an LDAP server. LDAP is another protocol to access contact data. Thunderbird has built-in support for creating an address book that uses an LDAP server, but no support for modifying its contacts. You used to be able to use GCALDaemon to provide the equivalent of a Gmail LDAP server, but it used the deprecated GData API, and doesn't work anymore.
Variants
Most people use the free version of Gmail. There is a commercial version of Gmail called G Suite. It used to be called 'Google Apps for Your Domain'. The main difference is that it has higher limits and is designed for companies that want to use their own domain in the email address. There is also another free version of Gmail called Inbox by Gmail that has an alternative user interface with more of a focus on automatically classifying the content. It's available as an iOS or Android app or webmail (https://inbox.google.com/). The app appears to be just another front end to a Gmail account, using the same mail servers.
External links
- Configure email delivery describes what your admin needs to do to use your own domain with the Gmail mail servers.
- Flat Folder Tree add-on can be used to deal with some of the quirks in the folder hierarchy. Unfortunately it doesn't work with recent versions of Thunderbird.
- Gmail Takeout (download mail as a .zip file)
Bugs
- TB16 Redownloads messages / Constantly bringing folders 'up to date' / horrible IMAP performance affects other email providers but is most frequently reported for Gmail.
- The Log in to Google Talk (XMPP) and Gmail (IMAP/SMTP) using OAuth bug report doesn't mention that a commitment was made at the Toronto summit of 22 active contributors to Thunderbird in October 2014 to add OAuth support for IMAP accounts for Thunderbird 38, due in May 2015. [19]
Configuring Mozilla Thunderbird
To set up a new account
Note: These instructions assume you are running a version of Thunderbird 77.0b1 or later which supports OAuth2 modern authentication.
1. The Mail Account Setup dialog box should open the first time you open Thunderbird.
a. If it does not open:
i. Locate the Menu button in the top right corner.
ii. Click Menu > Account Settings.
iii. On the Account Settings page, under Account Actions, click Add Mail Account.
2. In the Mail Account Setup dialog box, enter the following information:
a. Your Name: enter the name you want on the 'From' line in your outgoing messages
b. Email Address: enter your @usf.edu email address
c. Password: enter your @usf.edu email password
d. Make sure the Remember password box is checked
3. Click Configure Manually
4. Enter the following information:
a. Incoming server hostname: outlook.office365.com
b. Outgoing server hostname: outlook.office365.com
c. Username: enter your @usf.edu email address
d. Change the Incoming Port field to 993 and the Outgoing Port field to 587.
e. Change the Incoming SSL field to SSL/TLS and the Outgoing SSL field to STARTTLS.
5. Once this information is filled in, select Advanced Config and then click OK in the popup.
6. In the Authentication Method dropdown menu, select OAuth2.
7. Select the Outgoing Server (SMTP) section in the left bar, click on your email address and click Edit.
8. In the Authentication Method dropdown menu, select OAuth2.
9. Restart Thunderbird. Once it restarts, it should prompt you to log in and accept MFA unless you have already done so.
To change the settings on an existing account
Note: These instructions assume you are running a version of Thunderbird 77.0b1 or later which supports OAuth2 modern authentication.
1. Open Thunderbird.
2. Locate the Menu button in the top right corner.
3. Click Menu > Account Settings.
4. Click Server Settings under your @usf.edu email.
5. Enter the following information:
a. Server Name: outlook.office365.com
b. Port: 993
c. User Name: your @usf.edu email address
d. Select SSL/TLS from the Connection security dropdown menu
e. Select OAuth2 from the Authentication method dropdown menu
6. Open the Outgoing Server (SMTP) menu. Open the server for your @usf.edu email.
7. Click Edit.
8. Enter the following settings:
a. Server Name: outlook.office365.com
b. Port: 587
c. Select STARTTLS from the Connection security dropdown menu
d. Select OAuth2 from the Authentication method dropdown menu
e. User Name: your @usf.edu email address
9. Click OK.
10. Click the Get Messages button.
11. Enter your @usf.edu email password when prompted. Check the box to Use Password Manager to remember this password and click OK.