Email security

Setting up a new computer, I tried to re-establish my TPG POP3 email on Thunderbird 78.3.1
After about a month of failing to establish a connection and reading everything I could on Help/Support/Community on Whirlpool, Thunderbird & TPG and trying all combinations of Ports, Security, etc the only setting that will work is to disable all security. To do this I have to assume the risk, as per this screen shot.

The issues appears to be with TPG. Their advice for setting up Thunderbird is way out of date and does not work. They don’t seem to be interested in updating that advice from Thunderbird 3 to Thunderbird 78. Thunderbird does not have settings from TPG, and TPG are not providing them (secure settings) to their consumers. Existing customers who found their latest version of TB no longer works with TPG are being advised to change their security level to the lowest setting.
I am not happy agreeing to assume the risk, particularly as I don’t understand the risk, and there would be no need to if TPG fixed their end.


I notice you are trying to use POP3 if I have read your post correctly so if you haven’t tried IMAP try the following:

IMAP using port 993 with SSL/TLS (accept all certificates) for incoming and port 465 outgoing (SMTP) and again SSL/TLS (accepting all certificates again)?

IMAP Ports 143 & 25 are the insecure settings.


I prefer POP3 (messages on my computer) as the IMAP (if I understand TPG) only keeps them for 45 days then deletes. TPG says they support IMAP but users on their Support Community have difficulty getting it to work. I have used POP3 with Thunderbird & TPG for years without a problem.
I tried your suggestion - IMAP using port 993 with SSL/TLS (accept all certificates) for incoming and port 465 outgoing (SMTP) and again SSL/TLS - and get the error message “Thunderbird failed to find the settings for your email account”


Np try without SSL/TLS for those IMAP settings then, and I understand your concerns regarding the keeping of emails.

Ahh found the problem

Manual configuration and in server hostname put for both POP3 and SMTP using ports 995 and 465. SSL/TLS for both and authentication use normal password.


Been there, done that …


Strange as it worked on my Thunderbird with no hiccups using my Id for them. It is the latest version as well.


Seems a common problem, this thread from 2Q2020. Maybe something in it will be helpful? TPG does not seem so concerned because this and other similar topics close with ‘use something else, we do not provide support for third party clients’.


I remember I also had problems with POP3 setup with TPG and used the following which worked at our end…

For your incoming mail server, try and port 110

and outgoing try and port 587

edit: should have also said that the TPG account will need to be manually set up in Thunderbird by going to Tools - Account Settings and then in the Account Actions dropdown, select Add Mail Account. This website may assist.


TGP have issued a “solution” but they want the consumer to assume all risk. The “solution” is:- no security, password transmitted insecurely and the consumer to tick the box that they understand the risk. The alternative is to downgrade to an earlier version of Thunderbird.

What are the risks?


One might be that all Thunderbird users will leave TPG.

It doesn’t sound like a solution given you forgo future security updates to Thunderbird.


TPG’s response re Thunderbird seems no more business affecting than google’s persistent and irritating admonishments that ‘you are using an insecure app’ unless you use their preferred authentication mechanism.

It is amazing how few I know who use Thunderbird; the general user seems happy to use outlook or the web interfaces.

TPG will probably not lose a customer because of it, and google is google.


For Thunderbird go to Tools, Options and type “Config Editor” into the search field at the top right.
Click on the Config Editor button then click on “I accept the risk”. Enter “security.tls” in the search field. Double click on security.tls.version.min and replace the strong text3 with a 1. Go to Tools, Account Settings, Server Settings and set Connection security to STARTTLS. This gives some level of security even if it is at a minimum.


TPG is still not providing any level of security and advising their customers to assume all risk. I asked if there was another email client I could use which did have security, but at the moment they are all in the same boat - Outlook etc

I tried to escalate it, but I keep getting pointed back to the easy solution of the customer assuming all risks for an insecure connection.

I decided, after 6 months of inaction, to give them a poor review on ProductReview, only to find they have over 5,000 One star reviews already & 1.7star total. They were a good company to deal with when I joined up in the 1990’s, although Support was usually long and drawn out multiple phone calls. As an aside, because I signed up to their Community forum I was issued with a private mail box which is now attracting junk mail which is redirected to my tpg email.

1 Like

Is there some rule about TPG that users are forced to use the supplied email? I wouldnt bother. If I wanted to stay with TPG I would but I would use a secure service, like the free Protonmail. Hell, I’d even use gmail (and thats saying something, since I have dropped gmail)

1 Like

No. Like any ISP, use of the provided email services is optional. They also support customer which use non-TPG emails for contact…what being any email address can be used for account registration etc.

The issue is that if you have a TPG email address “” then it is held on the TPG servers until your email client (Thunderbird etc) requests it be forwarded to your computer.

If TPG does not support security, then the email is insecurely sent to your computer (password, content etc not encrypted) and might be vulnerable to hackers. This is regardless of your email client (Thunderbird, Outlook etc) as the issue is squarely with TGP for not updating their security. Someone more knowledgeable could describe the risks.

I could change my email to another ISP which does take security seriously, but that would mean changing two email addresses that I have had for decades. We are on Satellite NBN (slow …) and mobiles don’t work here, so I use email for two factor authentication for banking etc. That’s the problem.

It feels like a huge impost right now, but trust me, its worth the effort. If you use that email address for TFA, then you really are in trouble if you won’t make the change. How much effort is there in changing that email address to something else? I’d hazard a guess that almost everyone here has been in the same situation as you and has found it much easier to do once you start. It doesnt matter if you have had the address for decades… if TPG is not prepared to up their security, you’re screwed.

pick one, and get a VPN as well. I currently pay for protonmail, but the free service is pretty good, just very limited storage

1 Like

You can get a email signing certificate and sign your emails with that… By the same process you can get all emails sent to you signed and encrypted by your public key and decrypted by your private key. Security is only as tight as your control over your private key.


Just updating - TPG still hasn’t addressed the issue of security on email. Their advice for Thunderbird, Outlook etc is to set up with No Security, Unencrypted Password etc and for the customer to tick the box to say they are aware of the risks and will accept them.

Customers were still asking when this will be resolved and their last response (31/3/21) was the same as October 2020 - “we’re working on it, when we do something we’ll tell you”

In the meantime I have been accessing email through TPG Post Office with all its limitations. Now there is a Phishing email purportedly from tpg ( which is doing the rounds of their customers with tpg email addresses, saying you need to update your details, click here (Pharming). The messages are all the same, so no change of text, address etc. They are aware of it but it still isn’t picked up by their spam filters a week later.

It is hard to report issues to them as you are re-directed to the Community Forum for other customers to help. Occasionally a “moderator” will post, usually just to re-state their inaction, or apologise and do nothing. With Scam emails, they just fob you off to Scamwatch, who don’t fix it, only use the reports for statistical purposes. They don’t have a way to report Scams. I have been getting more phishing emails than real ones this last fortnight. It is frustrating. They used to be a good company.


Might be worth revisiting this. I don’t have a TPG username and password to test with, but using POP3 with TLS (hence port 995) to seemed to work i.e. the TLS connection was correctly made but then it complained that I did not supply a username and password (which of course I can’t do) with the rather laconic error message of:

Mate, the command must be one of CAPA, USER, PASS or QUIT

which would be absolutely right if it requires a valid username and password before going ahead.

To be clear, I was not using Thunderbird. I was just accessing from the command line - so that I could see what is actually going on.

To be honest, from all the posts above, I couldn’t work out what an actual error message is.

Of course, Thunderbird gives you a warning if you configure not to use transport security but not using transport security is not the right solution anyway.

It is possible that you need to change security.tls.version.min as suggested in the post by @‍erroldel but in that case I would note its current value and step it down one at a time until it works (starting with the assumption that it will work without adjustment).

The bad news is that TMG would surely retain the situation that the current settings work - whether those settings be good or bad from a security point of view - because they don’t want thousands of support calls with customers fumbling around trying to change settings. They want the migration to be seamless. I would think though, based on this post, that both with TLS and without TLS should work as of right now.