A strange thing happened a couple of days ago. I glanced at my phone to see a message displayed by the e-mail app, which uses IMAP, to the effect that I would need to re-enter the password for one of my BT e-mail accounts. I did this several times but to no avail. When I returned home and attempted to download e-mail from the account via POP3 to my Thunderbird client (version 68.10.0 (64-bit)) I could not do so. I then attempted to log in via the web, and again could not do so.
I therefore decided that I had no option but to report the problem to BT. After being cut off by someone who, after initially sounding knowledgeable and concerned, announced that he would need to transfer me to the e-mail team, a second call was answered promptly by someone who knew what they were doing. After being taken through some security checks I was then guided through an online process that involved entering some data to authenticate me - I believe both at this point and henceforth should this be necessary - and I was then asked to enter a new password.
I asked the agent why this had been necessary, and she said that if suspicious activity is detected, BT will block access to the e-mail account for "your own protection". She added that using a new device, or attempting to access e-mail from a new location could result in one being locked out. This seems odd, and a bit silly, as well as being immensely inconvenient, given that most people use a mobile device to access e-mail at least some of the time. Furthermore I hadn't done anything out of the ordinary.
Anyway, that wasn't the end of it. While IMAP on the phone worked again as soon as I entered the new password, and POP3 on Thunderbird worked after only a relatively small amount of fiddling, making SMTP work again proved to be very difficult. Some serious googling revealed some strange aspects of how Thunderbird might store passwords, but in fact the problem arose before the server requested a password from the client. With the help of Google I was eventually able to decipher the meaning of a cryptic error message issued by Thunderbird and realised that the client wasn't connecting to the server. Further investigation revealed that the Connection security parameter had to be set to STARTTLS, and yet I am almost certain that prior to the commencement of this debacle the required value of the parameter was SSL/TLS, and that is what I had previously set it to.
I'm therefore wondering whether BT Mail changed the Connection Security required by clients and if it was this that led to me being blocked and being put through the mill in order to regain access. If so, couldn't the change simply have been announced and handled in a controlled way without loss of service? Has anyone else had a similar problem?
Thanks. However that makes it seem even more odd that I needed to set a value of STARTTLS in order to be able to send e-mails over SMTP, and that things are working now with a value of STARTTLS.
While stating 'not STARTTLS' the link doesn't give details of the consequences of disobeying, but I'd assume that sending wouldn't work, rather than that it works, though with some undermining of security.
Anyway, I'll perform some tests sometime in the next couple of days and post back if I have anything to add.
I've done a few quick tests and found that, certainly in respect of end user functionality, within Thunderbird:
POP3 works with the Connection security parameter set to either 'SSL/TLS' or 'None'
SMTP works with the Connection security parameter set to either 'SSL/TLS', 'STARTTLS' or 'None'
Hence the directive within the link kindly provided to avoid STARTTLS when configuring SMTP on an e-mail client appears, from a purely functional point of view, to be unwarranted. Furthermore, if its use weakens security it seems odd that this is merely deprecated, rather than the functionality simply not being supported on the mail servers.
I will however admit to not having much knowledge about this field.
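Added example, not part of the original posts: the test results above can be read off the server's EHLO reply on the plaintext port, which shows whether the 'STARTTLS' setting can upgrade the connection and whether the 'None' setting would send the password unencrypted. The sample reply, hostname and function names are constructed for illustration and are not taken from BT's servers; the 'SSL/TLS' setting uses a separate listener that is encrypted from the first byte and is not visible in this reply.

```python
import re

# Constructed sample: what a submission server might send in reply to EHLO
# on a plaintext connection (hostname and extension list are made up).
SAMPLE_EHLO = """\
250-mail.example.test
250-SIZE 52428800
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME
"""

def parse_ehlo(reply):
    """Return {EXTENSION: [params]} from a multi-line EHLO reply."""
    extensions = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:                     # first line is only the server name
        line = re.sub(r"^250[- ]?", "", line)  # drop the reply code if present
        if not line:
            continue
        keyword, *params = line.split()
        extensions[keyword.upper()] = [p.upper() for p in params]
    return extensions

def assess_plaintext_port(reply):
    """Say which client 'Connection security' settings this port would accept."""
    ext = parse_ehlo(reply)
    auth_mechs = ext.get("AUTH", [])
    return {
        # 'STARTTLS' setting needs the server to advertise the STARTTLS extension.
        "starttls_setting_works": "STARTTLS" in ext,
        # 'None' setting can log in only if AUTH is offered before any TLS upgrade.
        "none_setting_can_authenticate": bool(auth_mechs),
        # PLAIN and LOGIN only base64-encode the password; that is not encryption.
        "password_readable_on_wire_with_none": sorted(
            m for m in auth_mechs if m in ("PLAIN", "LOGIN")
        ),
    }

if __name__ == "__main__":
    for key, value in assess_plaintext_port(SAMPLE_EHLO).items():
        print(f"{key}: {value}")
```

A server that advertises AUTH only after the TLS upgrade would make the 'None' setting fail at login instead of silently working.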