If you're on a Windows box, the most likely cause for this kind of nonsense is antivirus software gone wrong.

Quite a lot of antivirus vendors include a network proxy component that intercepts web and mail connections (including mounting man-in-the-middle attacks against the encrypted versions of these) so it can scan for and block malware before it even reaches the browser or email client, and these often cause far more problems than they could possible solve.

Antivirus suites also usually update themselves periodically and silently, and quite often those updates get overzealous and break things that worked just fine before they arrived.

If you're using Windows 10 or 11 then there's already a competent antimalware suite (Defender) baked into the OS, and if you have any kind of always-on third-party antivirus suite (from e.g. Norton, Trend, McAfee, AVG, Avast...) installed as well, then your best course is to uninstall that, reboot, and then re-enable Defender in the Windows Security Center if the third party uninstaller has been rude enough not to do that for you.

This would still be advisable even if you weren't having IMAP issues, and leaving all third party AV removed remains your best course even if doing that didn't fix your IMAP issues.
posted by flabdablet at 8:58 AM on September 22, 2022

The only fix I can in all conscience recommend is installing an OS for which up-to-date security patches are still available, which Windows 7 has not been for over two years at this point.

Yes, Windows 10 is ugly as sin and contains unconscionable amounts of irritating MS advertising and privacy intrusion. Yes, the upgrade treadmill is a relentless and horrible thing in general. But any hardware that runs 7 will run 10 equally smoothly despite what the fashionistas will tell you about the supposed need for massive RAM upgrades.

If the false sense of security you get from running something that purports to detect malware on top of an operating system whose now permanently exploitable flaws have been well known for years is enough for you - and it absolutely should not be - then the combination of the Windows Defender anti-spyware/anti-adware that's already part of Windows 7 and the downloadable Microsoft Security Essentials antivirus suite is pretty much the same as the Defender anti-malware that comes baked into 10. And even though the underlying OS is not getting security updates any more, last time I looked Windows Security Essentials still was.

It still won't keep you safe online (then again, neither will whatever bogus third-party AV you're running instead) but at least it will probably not spontaneously fuck up your IMAP connections just for shits and giggles.
posted by flabdablet at 9:42 AM on September 22, 2022

If it's specifically Gmail, have you looked into "less secure app access"? Google may be preventing you from connecting, due to the version of Thunderbird not using modern security to connect.
posted by AzraelBrown at 11:25 AM on September 22, 2022 [1 favorite]

I'm still using an ancient Windows 7 laptop and recently had to go through setting up 2-factor authentication on my various gmail accounts on Thunderbird.
posted by essexjan at 11:59 AM on September 22, 2022

Generally when authentication failures are the issue, Thunderbird will say so. But it's complaining about being unable to establish connections, which means that the failure is happening before authentication has even had a chance to be tested, let alone fail.

The most likely place for this kind of failure to occur is in something that's inserted itself into the networking stack between the application and Gmail's servers and is pretending to be Gmail's servers as far as Thunderbird is concerned. This is exactly the behaviour I'd expect from a man-in-the-middle "protection" proxy that wants to scan incoming mails and/or web traffic for known nasties.

The only way a man-in-the-middle proxy can get access to the data flowing through an SSL- or TLS-secured connection, which is what Thunderbird needs to use to talk to Gmail, is by spoofing Google's SSL certificates. The only way such spoofing can succeed is if there's a root certificate in the collection known to Thunderbird that authorizes it. Antivirus suites that offer this kind of "protection" will therefore stuff just such a root certificate into all the local certificate stores as part of their installation process.

All kinds of things can go wrong with this ("blanket" spoofing certs like this offer rich opportunities for exploitation, for a start) but one particularly likely failure mode is for such a root certificate to expire. You might wonder why a MITM vendor would actually specify an expiry date in their SSL spoofing root cert, but I've seen them do it, presumably to force customers to keep their antivirus subscriptions up to date if they want their machines to keep working. Yes, this is unconscionable, but these are antivirus vendors we're talking about. If they had scruples, they would have removed themselves from the consumer AV marketplace as soon as MS started baking competent AV into their OS by default.

When SSL/TLS can't authenticate the certificate presented by the server it's trying to connect to, which would be the consequence of the MITM vendor's spoofing cert having expired, the connection simply drops before any user data can flow over it. This would fit exactly with the pattern reported in the question.
posted by flabdablet at 12:01 PM on September 22, 2022

Is this for a @gmail.com email address, or for a privately owned domain that was using Google for email hosting? I ask because Google flipped the switch last week that murdered their free tier of G-Suite hosting, which is the thing that let you use Gmail for your own domain.
posted by qxntpqbbbqxl at 7:17 PM on September 22, 2022

I have a laptop I bought in 2011, so probably with Windows 7. It's totally worthless with Windows 10.
posted by SemiSalt at 6:20 PM on September 23, 2022

This thread is closed to new comments.