Thunderbird version 3 tries to make things easier for users by enabling automatic configuration of the connection to their mail servers. Users provide their email account, user name and password, and then Thunderbird queries a database to find connection information for incoming and outgoing mail servers.

This page gives instruction on how to add Internet Service Provider (ISP) configuration data to the database. It also describes the security mechanisms that prevent malicious entries in the ISP database that could put users at risk.

If you are trying to configure Thunderbird to access to account, see Automatic Account Configuration for instructions. See Autoconfiguration in Thunderbird on the Mozilla Developer Center for more detailed technical information about ISPDB. See Thunderbird's tb-enterprise mailing list and resources for more information about deploying Thunderbird within large organizations.

Table Of Contents

• How are ISP database records added and how are they validated to ensure that they are legitimate?
• Can there be multiple different sets of configuration data for a single domain?
• Is it possible to spoof the ISP registration process for the purpose of stealing mail account user names and passwords?
• How is account information used when Thunderbird obtains server information?
• I want my users to use our own corporate configuration file when they add an email account in Thunderbird.
• I don't want Thunderbird to connect to the ISP database, and I don't have a configuration file.

How are ISP database records added and how are they validated to ensure that they are legitimate?

ISP data is submitted to the Thunderbird team via a web form located at http://ispdb.mozillamessaging.com/add/. Anyone can access this form and review or submit configuration data. (To see a list of the ISPs that have already been submitted, see http://ispdb.mozillamessaging.com/list. Click on an entry to view the status of a submission.)

To make a full submission, create a Bugzilla entry with a patch from the Subversion (svn) source code repository. While this is a complicated process, it is very helpful to the Thunderbird team. The more steps you can complete the better.

To submit ISP data:

1. Submit the ISP connection information on the form located at http://ispdb.mozillamessaging.com/add/. The form fields are self-explanatory except for the "Username formula" field, which accepts the following values:

• %EMAILADDRESS% (full email address of the user, usually entered by the user)
• %EMAILLOCALPART% (email address, part before @)

1. View the list of submitted contributions at http://ispdb.mozillamessaging.com/list. Click on your entry.
2. Click on the link to view XML data.
3. Save the XML data to a file.
4. Create a bug in Bugzilla and attach a patch that shows the changes to the source tree that are required. See http://bugzilla.mozilla.org/show_bug.cgi?id=536546 for an example of how to create the bug. To create a patch:
   1. Check out the source using the command "svn co".
   2. Use the "svn add" command to add the file to your local version of the repository.
   3. Use the "svn diff" command (piped to a file) to create a patch that will be attached to the Bugzilla entry and reviewed by the Thunderbird team.

Two Thunderbird team members will verify the configuration, using both manual inspection and a set of automated sanity checks. For example, the automated sanity checks will report if the mail servers aren't in the same domain as the email address. The reviewer can ignore the complaint, but would need a justification from the ISP regarding why their configuration is non-standard.

Can there be multiple different sets of configuration data for a single domain?

Yes. For example, you may have some users who are on an internal network, authenticate when they log in and use unauthenticated SMTP. Other users access the mail servers from an external location and need to authenticate when they access their mail account.

As of Thunderbird 3.1, before checking the ISP database, Thunderbird checks for domain configuration files at the following locations:

• http://autoconfig.<domain>/mail/config-v1.1.xml?emailaddress=<address>
• http://<domain>/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=<address> .

If one of these files is found and it contains configuration settings, Thunderbird will use these settings. You should store the configuration data for internal users in one of these files and make the files available only to users within the network. Alternatively, could put a CGI script at either of those URLs and return completely different data per address.

Is it possible to spoof the ISP registration process for the purpose of stealing mail account user names and passwords?

It is conceivable, but would be difficult. The attacker would have to compromise three security checks:

• the automated check of the validity of the information that was submitted via the web form
• the manual check in which two people analyze the validity of the information submitted via the web form
• the user's validation of the server domains, required before they create their account

How is account information used when Thunderbird obtains server information?

The email address and password are not transmitted when Thunderbird initially queries the ISP database looking for server configuration information. Only the domain name is used to query for incoming and outgoing hosts. When the query is complete, Thunderbird displays the incoming and outgoing servers plus information about the connection. After the user validates (and, optionally, manually alters) the server information, he or she clicks the Create Account button. At this point Thunderbird sends the user's email address and password to the ISP's mail server to verify their validity.

I want my users to use our own corporate configuration file when they add an email account in Thunderbird.

You can use the hidden preference "mailnews.auto_config_url" to specify a website (under your control) that has the configuration data for the domains the user should be accessing. (Click Tools | Options | Advanced | General | Config Editor (Windows) or Preferences | Advanced | General | Config Editor (Mac and Linux) to access hidden preferences.) Thunderbird will append the hostname to the URL (for example "http://example.com/foo.org") and use configuration data from that location.

The server-connection configiguration file format is documented at: http://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat.

I don't want Thunderbird to connect to the ISP database, and I don't have a configuration file.

Set the "mailnews.auto_config_url" preference (described above) to an empty string. This will prevent Thunderbird from contacting https://live.mozillamessaging.com/autoconfig/ (but it will still probe the host when the configuration isn't found).

If Thunderbird doesn't find configuration information, it tests for the existence of common defaults (such as "imap" and "pop" prefixes to the domain name and listeners on standard ports). If the defaults don't work, you must manually configure the account.