Thunderbird encrypted password

jfourlc

Hi!

Mozilla Thunderbird supports a type of password “encrypted password” in place of the classic “normal password”.
I use that feature for my outgoing SMTP server (which is different from my Mailcow server), and when configuring the IMAP server of my account (this time, pointing to Mailcow), I’m getting an error message saying the server doesn’t support encrypted passwords.

Am I missing a setting somewhere to enable this, or is it not supported in Mailcow?
Apologies if this is a stupid question.

mlcwuser

jfourlc or is it not supported in Mailcow?

No, as far as I know, it is not supported, and in my opinion it wouldn’t make sense, since the connection is already protected by Transport Layer Security (TLS/SSL), meaning that everything is transmitted in encrypted form anyway.

Also, as far as I know, encrypted passwords were only ever used by providers with unencrypted POP3/IMAP/SMTP connections. If that’s the case with your SMTP server, I’d look for another provider, because as I understand it, in this scenario only the password is transmitted in encrypted form, while the messages themselves are transferred in plain text.

jfourlc

mlcwuser hey! Thanks for the answer.

In the case of my SMTP provider, the connection is done over TLS as well, the encrypted password part being recommended by their configuration wiki.

mlcwuser

jfourlc I found this Stack Exchange article: https://security.stackexchange.com/questions/198653/security-of-email-smtp-pop-passwords.

I’m no expert, but personally, I don’t know of any major email providers that use this (or have ever used it). So I’d assume it was probably never widely adopted, and certainly not today, since most email providers now use TLS by default, or even exclusively.

With the article above in mind, here’s something to consider:

Even if your provider does use TLS, I would question why they are still relying on this feature, as it could indicate a significant amount of technical debt in their software stack. 😉

But again, that’s just a thought. It might be worth asking the provider what exact method they are using, why they are using it, and what advantages they see in it.

jfourlc

mlcwuser Even if your provider does use TLS, I would question why they are still relying on this feature, as it could indicate a significant amount of technical debt in their software stack. 😉

Hey! Thanks for the link!

The fact that they recommend it might be because they’ve been around forever now (around 1995, if not older), and the docs might be a tad outdated. I’ll touch two words with them.

bagiavyn

mlcwuser That’s a thoughtful and well-reasoned perspective. You raise valid points about modern TLS usage and technical debt, and your suggestion to ask the provider for clarity is both practical and insightful.