The Unofficial Guide to Configuring Thunderbird for Andrew

Mozilla Thunderbird is not supported by the Computing Services Help Center, but many people want to use it anyway. The following instructions should work, but I don't make any guarantees, nor can I provide any support.

These instructions were created and tested on OS X 10.4.4. The instructions should also work for Windows, but see note 1 below.

These instructions assume you have already installed Kerberos for Mac or Kerberos for Windows. If you haven't done so, follow that link for your operating system, and install it now.

You will also need to download copies of the CMU Certificate Authority root certificates. Regardless of what that page says, you should download the certificates under the "All operating systems EXCEPT Mac:" heading. Right click on both the 2001 and 2005 server certificate links, and save them to your local machine. (Note: the 2001 certificate is currently in the wrong format for Thunderbird to import. Don't do it, it will cause Thunderbird to crash on startup if you do so. I am working on correcting this on the webserver side. -jeaton)

Download Thunderbird, and install it. On Mac OS X, Thunderbird is distributed as a disk image (DMG). Simply double-click the DMG to mount it, and drag the Thunderbird application to your Applications folder. On Windows, you will need to run the installer.

Run Thunderbird. Assuming this is the first time you have run it, you should see the following:



Nice how Thunderbird helpfully offers to not import anything for you (This may be different on Windows). Click continue to bypass this useless dialog.



Leave "Email account" selected, and click continue.



Enter your name and email address. This is the name and email address which will be put in the From line of any email you send. If you prefer to use your @CMU.EDU address, you can enter it here.



Choose "IMAP", and enter "cyrus.andrew.cmu.edu" for your incoming mail server, and "smtp.andrew.cmu.edu" for your outgoing mail server. Click continue.



You should enter your Andrew User ID in both fields, if it is not already there, and click Continue.



You can enter a more descriptive name here if you like, or just accept the default and click Continue.



The settings should look like this. Go ahead and click done. Thunderbird should then prompt you for your password. DO NOT enter your password here.



To repeat, DO NOT enter your password here. If you do so, it will be sent across the network insecurely. Just click cancel, and Thunderbird will take you to the default view. From the Tools menu, select "Account Settings". In the settings window that appears, select "Server Settings":



Under "Security Settings", change to the "SSL" option. Check the "Use secure authentication" checkbox. You should also change the drop down for "When I delete a message" to "Mark it as deleted", which is how most IMAP clients behave.

Select the "Security" section:



Click on the "View Certificates" button to bring up the Certificate Manager window:



Select the "Authorities" tab, and click "Import". Find the "CMU-CA-Server-x509.crt" file you downloaded earlier, and click open to import it. Check the box next to "Trust this CA to identify web sites", and click OK. Do the same for "CMU-CA-Server-2.crt". Click OK to close the Certificate Manager.

Choose the "Outgoing server (SMTP)" section:



Click "Edit..." to edit the settings for smtp.andrew.cmu.edu.



Change the port to 587, make sure "Use name and password" is checked and your Andrew User ID is in the User Name field, and select the TLS radio button. Once all of those are set, click OK to save the settings, and click OK again to close the Account Settings panel.

Now choose "Preferences" under the Thunderbird menu, and select the Composition section.



Choose the Addressing tab. Check the box next to "Directory Server", and click "Edit Directories".



Click "Add" to add the LDAP server settings.



Fill in the fields on the General tab as above. Enter "CMU" for the name, "ldap.andrew.cmu.edu" for the hostname, "ou=person,dc=cmu,dc=edu" for the Base DN, and 389 for the port number. Don't check the "SSL" checkbox here, because our LDAP server doesn't support that. Choose the Advanced tab:



Change the Scope to "One Level", and enter "(cmuActiveDN=*)" for the Search filter. (This search filter will make sure the LDAP server only returns currently active accounts and not accounts for people who have recently left the university but are still listed in the directory.)

Click OK to save the directory server settings. (See note 2 below.)

Everything should now be set up to use Cyrus correctly.


Notes:
  1. Thunderbird for Windows requires an additional setting to make Kerberos work with our server. Under the Tools menu, select Options. In the Advanced section, under General, click on Config Editor. Set the preference named network.auth.use-sspi to the value false. This will force Thunderbird to use Kerberos for Windows, instead of the Microsoft SSPI implementation, which does not work in our environment.
  2. In some instances, address auto-completion doesn't work in the compose window. If that is the case, you will need to edit preferences manually. To do so, open Preferences under the Thunderbird menu, choose the Advanced section, General tab, and click Config Editor. Set the preference named ldap_2.autoComplete.directoryServer to the value ldap_2.servers.CMU.
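
The following is an added example, not part of the original guide: a Python check that reads the text of a Thunderbird prefs.js file and reports which of the security settings above (SSL and secure authentication for IMAP, port 587 with TLS for SMTP, and the Windows SSPI preference from note 1) are missing. The preference names other than network.auth.use-sspi, and the meaning of try_ssl value 2, are assumptions about Thunderbird builds of this era; the sample preferences are constructed.

```python
import re
# Matches lines such as: user_pref("mail.smtpserver.smtp1.port", 587);
PREF_RE = re.compile(
    r'^[ \t]*user_pref\("([^"]+)",[ \t]*(.+?)[ \t]*\);[ \t]*$', re.M)

# Constructed sample: an account using the hosts from the guide, but
# without its SSL/TLS settings applied.
SAMPLE_PREFS = '''
user_pref("mail.server.server1.hostname", "cyrus.andrew.cmu.edu");
user_pref("mail.smtpserver.smtp1.hostname", "smtp.andrew.cmu.edu");
user_pref("mail.smtpserver.smtp1.port", 25);
user_pref("mail.smtpserver.smtp1.try_ssl", 0);
'''

def parse_prefs(text):
    """Return {name: value}; values become bool, int or str."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def branch(prefs, prefix, host):
    """Pref branch (e.g. mail.server.server1) whose .hostname equals host."""
    for name, value in prefs.items():
        if name.startswith(prefix) and name.endswith(".hostname") and value == host:
            return name[:-len(".hostname")]
    return None

def audit(text, windows=False):
    """List of findings; empty means the guide's settings are in place."""
    p, out = parse_prefs(text), []
    imap = branch(p, "mail.server.", "cyrus.andrew.cmu.edu")
    smtp = branch(p, "mail.smtpserver.", "smtp.andrew.cmu.edu")
    if imap is None or p.get(imap + ".isSecure") is not True:
        out.append("IMAP: SSL not enabled")
    if imap is None or p.get(imap + ".useSecAuth") is not True:
        out.append("IMAP: secure authentication not enabled")
    if smtp is None or p.get(smtp + ".port") != 587:
        out.append("SMTP: port is not 587")
    if smtp is None or p.get(smtp + ".try_ssl") != 2:  # assumed: 2 = TLS radio button
        out.append("SMTP: TLS not required")
    if windows and p.get("network.auth.use-sspi") is not False:
        out.append("Windows: network.auth.use-sspi is not false")
    return out
```

Pass the contents of the profile's prefs.js to audit(); an empty list means every checked setting matches the guide.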