While trying to get OAUTH2 working with thunderbird, I tried and documented some things that may still be of interest (even if they didn’t give me the solution for my problem).
If you’re only interested in the solution, you’d better look here.
Otherwise keep reading 😉
Enforce auth type (thunderbird)
So I tried to enforce the missing auth type for the preconfigured IMAP/SMTP servers. To do so you first need to determine their configuration index:
Search for “mail.smtpserver.smtp*.hostname” to get the right index number for the SMTP server settings, and for “mail.server.server*.hostname” to get the one for the IMAP server.
You can then change the authMethod to “10” (=OAUTH2, see table below). If this setting is missing for your configuration you may have chosen the default auth setting. In that case you need to create that value first.
| ID | Type |
| --- | --- |
| 2 | Password, original method (insecure) |
| 3 | Normal password |
| 4 | Encrypted password |
| 5 | Kerberos/GSSAPI |
| 6 | NTLM |
| 7 | TLS Certificate |
| 8 | Any secure method (deprecated) |
| 9 | Any method (insecure) |
| 10 | OAuth2 |
In my case the IMAP server index was 4 and the SMTP server index 2, so here are the settings I changed/added:
mail.server.server4.authMethod=10
mail.smtpserver.smtp2.authMethod=10
This really changes the authentication type to OAUTH2 in the configuration dialog, however it didn’t have any effect besides that.
Enable thunderbird autoconfiguration
So let’s go for the next idea: Gmail and Microsoft both use a pre-configuration provided by thunderbird, so maybe we’ll need the same thing for using OAUTH2.
Initially I was hoping for thunderbird to probe the SMTP and IMAP server for supported authentication types during setup (as we did manually at the start of this article), however I couldn’t see any related connections to the mail servers during setup. So it looks like we need to provide that information in a different way.
Autoconfiguration could be the way to go: a config file example is given in the Mozilla Wiki. A global collection of configurations can be found here.
The created config-v1.1.xml file needs to be available at either
https://mydomain.de/.well-known/autoconfig/mail/config-v1.1.xml
or you need to create an autoconfig and/or autodiscover DNS entry (A or CNAME record) that specifies the webserver serving this file (see below). It then should be located at
https://autodiscover.mydomain.de/mail/config-v1.1.xml
or
https://autodiscover.mydomain.de/autodiscover/autodiscover.xml
(the last one is based on my web server logs, and wasn’t mentioned in the related docs).
There’s also an SRV record _autodiscover._tcp mentioned:
| Key | Type | Value |
| --- | --- | --- |
| autoconfig | A / CNAME | autodiscover.mydomain.de |
| autodiscover | A / CNAME | autodiscover.mydomain.de |
| _autodiscover._tcp | SRV | 0 0 443 www.mydomain.de |
While basic settings were taken from that config, OAUTH2 still did not appear as an option in thunderbird.
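As an added example (not code from the original post): a small Python helper that builds the three lookup URLs listed above for a domain and parses a constructed config-v1.1.xml, reporting which authentication methods each server block offers and whether OAuth2 is listed only as a second alternative, as Thunderbird’s docs ask. The sample config, host names and ports are placeholders I made up; only the element names follow the Mozilla autoconfig format.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from the original post). Element names
# follow the Mozilla autoconfig format; host names are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="mydomain.de">
    <domain>mydomain.de</domain>
    <displayName>mydomain.de mail</displayName>
    <incomingServer type="imap">
      <hostname>imap.mydomain.de</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>password-cleartext</authentication>
      <authentication>OAuth2</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.mydomain.de</hostname>
      <port>465</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>password-cleartext</authentication>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

def autoconfig_urls(domain):
    """The three locations listed above, in the same order."""
    return [
        f"https://{domain}/.well-known/autoconfig/mail/config-v1.1.xml",
        f"https://autodiscover.{domain}/mail/config-v1.1.xml",
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
    ]

def auth_methods(config_xml):
    """Map server type ('imap'/'smtp') to its ordered <authentication> values."""
    root = ET.fromstring(config_xml)
    result = {}
    for tag in ("incomingServer", "outgoingServer"):
        for server in root.iter(tag):
            result[server.get("type")] = [
                a.text.strip() for a in server.findall("authentication")]
    return result

def oauth2_is_second_alternative(methods):
    """True when OAuth2 is offered, but only after another method
    (Thunderbird's docs say it should be added only as second alternative)."""
    return "OAuth2" in methods and methods[0] != "OAuth2"
```

Running auth_methods(SAMPLE_CONFIG) shows the IMAP block offering both methods while the SMTP block offers only password-cleartext.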
Looking for further options
Some more research and I found this:
OAuth2. Works only on specific hardcoded servers, please see below. Should be added only as second alternative.
And below:
Unfortunately, this […] makes it impossible to support arbitrary OAuth2 servers. That’s why Thunderbird is forced to hardcode the servers that it supports and the respective client keys. That means that you cannot use OAuth2 for your own server. Only the servers listed on OAuth2Providers.jsm will work.
And a little further down:
Implementation note: While Thunderbird supports <authentication>OAuth2</authentication>, it does not support the <oAuth2> contents (server URL etc).
So the required code to support OAUTH2 seems to be in place, but someone decided that it will only be available for some of the “big players”…
The official reason mentioned is the requirement to get valid tokens from the mail providers (which in turn often require some kind of agreement). So there’s effort involved with every (commercial) provider, and that’s why people running their own services cannot use it … what a shame.
Some time later I also found this presentation (German only) from the University of Applied Sciences Deggendorf which contains a nice wrap-up of OAUTH2. They seem to be running their Roundcube installation with OAUTH2 authentication.
They also mention (a 6-year-old!) bug report #1602166 (RFE) complaining about this missing feature.
But maybe there’s hope: In this bug report thread there’s also a proposed solution (December 2024) … so maybe thunderbird will get OAUTH2 support sometime (soon?)…
Looks like there’s a solution on the horizon.
