Bug 1868517 - Remove deprecated trySTARTTLS and migrate any accounts using trySTARTTLS to alwaysSTARTTLS. r=leftmostcat
authorMagnus Melin <mkmelin+mozilla@iki.fi>
Thu, 12 Sep 2024 20:44:48 +0000 (10 months ago)
changeset 42438 a7811299d8f8a5262cc86793de78ae310dace51a
parent 42437 adca0429c7c766611780dd21faa4dbb187edbcd0
child 42439 11822313d09785a4f9839baa8374e4bd8796d00d
push id22558
push uservineet@thunderbird.net
push dateThu, 12 Sep 2024 20:46:59 +0000 (10 months ago)
reviewersleftmostcat
bugs1868517
Bug 1868517 - Remove deprecated trySTARTTLS and migrate any accounts using trySTARTTLS to alwaysSTARTTLS. r=leftmostcat Very few users will have this, as it has not been shown in the UI for many years. Differential Revision: https://phabricator.services.mozilla.com/D221865
mail/base/test/unit/test_migrateTryStartTLS.js
mail/base/test/unit/xpcshell.ini
mail/components/test/unit/test_about_support.js
mail/locales/en-US/chrome/messenger/am-server-top.dtd
mail/locales/en-US/chrome/messenger/smtpEditOverlay.dtd
mail/modules/MailMigrator.sys.mjs
mail/services/sync/docs/record-spec.md
mail/services/sync/modules/engines/servers.sys.mjs
mailnews/base/prefs/content/SmtpServerEdit.js
mailnews/base/prefs/content/SmtpServerEdit.xhtml
mailnews/base/prefs/content/am-server.js
mailnews/base/prefs/content/am-server.xhtml
mailnews/base/public/MailNewsTypes2.idl
mailnews/compose/src/SmtpClient.sys.mjs
mailnews/compose/src/SmtpServer.sys.mjs
mailnews/imap/public/nsIImapServerSink.idl
mailnews/imap/src/ImapClient.sys.mjs
mailnews/imap/src/nsImapIncomingServer.cpp
mailnews/imap/src/nsImapProtocol.cpp
mailnews/imap/src/nsSyncRunnableHelpers.cpp
mailnews/local/src/Pop3Client.sys.mjs
new file mode 100644
--- /dev/null
+++ b/mail/base/test/unit/test_migrateTryStartTLS.js
@@ -0,0 +1,130 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/**
+ * Test migrating away from insecure trySTARTTLS.
+ */
+
+var { MailMigrator } = ChromeUtils.importESModule(
+  "resource:///modules/MailMigrator.sys.mjs"
+);
+var { localAccountUtils } = ChromeUtils.importESModule(
+  "resource://testing-common/mailnews/LocalAccountUtils.sys.mjs"
+);
+var gAccountList = [
+  {
+    type: "pop3",
+    port: 1234,
+    user: "pop3user",
+    password: "pop3password",
+    hostname: "pop3.mail.yahoo.com",
+    socketType: Ci.nsMsgSocketType.plain,
+    authMethod: Ci.nsMsgAuthMethod.passwordCleartext,
+    smtpServers: [
+      {
+        port: 3456,
+        user: "imapout",
+        password: "imapoutpassword",
+        isDefault: true,
+        hostname: "smtp.mail.yahoo.com",
+        socketType: Ci.nsMsgSocketType.alwaysSTARTTLS,
+        expectedSocketTypeAFter: Ci.nsMsgSocketType.alwaysSTARTTLS,
+        authMethod: Ci.nsMsgAuthMethod.passwordCleartext,
+      },
+    ],
+  },
+  {
+    type: "imap",
+    port: 2345,
+    user: "imapuser",
+    password: "imappassword",
+    hostname: "imap.mail.yahoo.com",
+    socketType: 1, // former trySTARTTLS,
+    expectedSocketTypeAFter: Ci.nsMsgSocketType.alwaysSTARTTLS,
+    authMethod: Ci.nsMsgAuthMethod.passwordCleartext,
+    smtpServers: [
+      {
+        port: 3456,
+        user: "imapout",
+        password: "imapoutpassword",
+        isDefault: false,
+        hostname: "smtp.gmail.com",
+        socketType: 1, // former trySTARTTLS,
+        expectedSocketTypeAFter: Ci.nsMsgSocketType.alwaysSTARTTLS,
+        authMethod: Ci.nsMsgAuthMethod.passwordEncrypted,
+      },
+    ],
+  },
+];
+
+// An array of the incoming servers during setup.
+var gIncomingServers = [];
+
+// An array of the outgoing servers created during setup.
+var gOutgoingServers = [];
+
+add_setup(async () => {
+  for (const details of gAccountList) {
+    const server = localAccountUtils.create_incoming_server(
+      details.type,
+      details.port,
+      details.user,
+      details.password,
+      details.hostname
+    );
+    server.socketType = details.socketType;
+    server.authMethod = details.authMethod;
+
+    // Add the newly created server to the array for testing.
+    gIncomingServers.push(server);
+
+    const account = MailServices.accounts.findAccountForServer(server);
+    for (const smtpDetails of details.smtpServers) {
+      const outgoing = localAccountUtils.create_outgoing_server(
+        "smtp",
+        smtpDetails.user,
+        smtpDetails.password,
+        { port: smtpDetails.port, hostname: smtpDetails.hostname }
+      );
+      outgoing.socketType = smtpDetails.socketType;
+      outgoing.authMethod = smtpDetails.authMethod;
+      localAccountUtils.associate_servers(
+        account,
+        outgoing,
+        smtpDetails.isDefault
+      );
+
+      // Add the newly created server to the array for testing.
+      gOutgoingServers.push(outgoing);
+    }
+  }
+});
+
+add_task(async function test_migrateTryStartTLS() {
+  Services.prefs.setIntPref("mail.ui-rdf.version", 43);
+
+  const inTypesBefore = gIncomingServers.map(s => s.socketType);
+  const outTypesBefore = gOutgoingServers.map(s => s.socketType);
+  MailMigrator._migrateUI();
+
+  let i = 0;
+  for (const server of gIncomingServers) {
+    if (inTypesBefore[i] == 1) {
+      Assert.equal(server.socketType, Ci.nsMsgSocketType.alwaysSTARTTLS);
+    } else {
+      Assert.equal(server.socketType, inTypesBefore[i]);
+    }
+    i++;
+  }
+
+  i = 0;
+  for (const server of gOutgoingServers) {
+    if (outTypesBefore[i] == 1) {
+      Assert.equal(server.socketType, Ci.nsMsgSocketType.alwaysSTARTTLS);
+    } else {
+      Assert.equal(server.socketType, outTypesBefore[i]);
+    }
+    i++;
+  }
+});
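Review bot: The `expectedSocketTypeAFter` fields (note the "AFter" typo) declared in `gAccountList` are never read; `test_migrateTryStartTLS` instead re-derives the expectation from the magic number `inTypesBefore[i] == 1`, so the table documents one thing and the assertion checks another, and the first pop3 entry has no expected value at all. Rename the field to `expectedSocketTypeAfter`, add it to the pop3 entry (`plain` stays `plain`), push it alongside each server in `add_setup` into an expected-types array, and assert `Assert.equal(server.socketType, expectedIncoming[i]);` so a future change to the migration is caught even when it does not involve value 1. As written, a migration that left value 1 untouched would still fail, but one that also rewrote other socket types would only be caught by the `else` branch, which is easy to lose when the table is edited.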
--- a/mail/base/test/unit/xpcshell.ini
+++ b/mail/base/test/unit/xpcshell.ini
@@ -7,16 +7,17 @@ support-files = distribution.ini resourc
 [test_alertHook.js]
 [test_attachmentChecker.js]
 [test_columns.js]
 [test_bug1086527.js]
 [test_devtools_url.js]
 [test_emptyTrash_dbViewWrapper.js]
 run-sequentially = Avoid bustage.
 [test_linkHelper.js]
+[test_migrateTryStartTLS.js]
 [test_pluralForm.js]
 [test_pluralForm_english.js]
 [test_pluralForm_makeGetter.js]
 [test_viewWrapper_imapFolder.js]
 run-sequentially = Avoid bustage.
 [test_viewWrapper_logic.js]
 [test_viewWrapper_realFolder.js]
 skip-if = os == "mac" && !debug
--- a/mail/components/test/unit/test_about_support.js
+++ b/mail/components/test/unit/test_about_support.js
@@ -23,17 +23,17 @@ var gAccountList = [
     authMethod: Ci.nsMsgAuthMethod.old,
     smtpServers: [],
   },
   {
     type: "imap",
     port: 2345,
     user: "imapuser",
     password: "imappassword",
-    socketType: Ci.nsMsgSocketType.trySTARTTLS,
+    socketType: Ci.nsMsgSocketType.alwaysSTARTTLS,
     authMethod: Ci.nsMsgAuthMethod.passwordCleartext,
     smtpServers: [
       {
         port: 3456,
         user: "imapout",
         password: "imapoutpassword",
         isDefault: true,
         socketType: Ci.nsMsgSocketType.alwaysSTARTTLS,
--- a/mail/locales/en-US/chrome/messenger/am-server-top.dtd
+++ b/mail/locales/en-US/chrome/messenger/am-server-top.dtd
@@ -21,17 +21,16 @@
 <!ENTITY biffStart.label "Check for new messages every ">
 <!ENTITY biffStart.accesskey "y">
 <!ENTITY biffEnd.label "minutes">
 <!ENTITY useIdleNotifications.label "Allow immediate server notifications when new messages arrive">
 <!ENTITY useIdleNotifications.accesskey "w">
 <!ENTITY connectionSecurity.label "Connection security:">
 <!ENTITY connectionSecurity.accesskey "u">
 <!ENTITY connectionSecurityType-0.label "None">
-<!ENTITY connectionSecurityType-1.label "STARTTLS, if available">
 <!ENTITY connectionSecurityType-2.label "STARTTLS">
 <!ENTITY connectionSecurityType-3.label "SSL/TLS">
 <!ENTITY authMethod.label "Authentication method:">
 <!ENTITY authMethod.accesskey "i">
 <!ENTITY leaveOnServer.label "Leave messages on server">
 <!ENTITY leaveOnServer.accesskey "g">
 <!ENTITY headersOnly.label "Fetch headers only">
 <!ENTITY headersOnly.accesskey "e">
--- a/mail/locales/en-US/chrome/messenger/smtpEditOverlay.dtd
+++ b/mail/locales/en-US/chrome/messenger/smtpEditOverlay.dtd
@@ -10,15 +10,14 @@
 <!ENTITY serverDescription.accesskey "D">
 <!ENTITY serverPort.label "Port:">
 <!ENTITY serverPort.accesskey "P">
 <!ENTITY userName.label "User Name:">
 <!ENTITY userName.accesskey "m">
 <!ENTITY connectionSecurity.label "Connection security:">
 <!ENTITY connectionSecurity.accesskey "n">
 <!ENTITY connectionSecurityType-0.label "None">
-<!ENTITY connectionSecurityType-1.label "STARTTLS, if available">
 <!ENTITY connectionSecurityType-2.label "STARTTLS">
 <!ENTITY connectionSecurityType-3.label "SSL/TLS">
 <!ENTITY smtpEditTitle.label "SMTP Server">
 <!ENTITY serverPortDefault.label "Default:">
 <!ENTITY authMethod.label "Authentication method:">
 <!ENTITY authMethod.accesskey "i">
--- a/mail/modules/MailMigrator.sys.mjs
+++ b/mail/modules/MailMigrator.sys.mjs
@@ -22,17 +22,17 @@ ChromeUtils.defineESModuleGetters(lazy, 
 export var MailMigrator = {
   /**
    * Determine if the UI has been upgraded in a way that requires us to reset
    * some user configuration.  If so, performs the resets.
    */
   _migrateUI() {
     // The code for this was ported from
     // mozilla/browser/components/nsBrowserGlue.js
-    const UI_VERSION = 43;
+    const UI_VERSION = 44;
     const UI_VERSION_PREF = "mail.ui-rdf.version";
     let currentUIVersion = Services.prefs.getIntPref(UI_VERSION_PREF, 0);
 
     if (currentUIVersion >= UI_VERSION) {
       return;
     }
 
     const newProfile = currentUIVersion == 0;
@@ -149,16 +149,31 @@ export var MailMigrator = {
           .split(",")
           .filter(Boolean);
 
         serverKeys.forEach(key => {
           Services.prefs.setCharPref(`mail.smtpserver.${key}.type`, "smtp");
         });
       }
 
+      if (currentUIVersion < 44) {
+        // Upgrade all (former) tryStartTLS (==1) uses to alwaysStartTLS.
+        for (const account of MailServices.accounts.accounts) {
+          const server = account.incomingServer;
+          if (server.socketType == 1) {
+            server.socketType = Ci.nsMsgSocketType.alwaysSTARTTLS;
+          }
+        }
+        for (const server of MailServices.outgoingServer.servers) {
+          if (server.socketType == 1) {
+            server.socketType = Ci.nsMsgSocketType.alwaysSTARTTLS;
+          }
+        }
+      }
+
       // Migration tasks that may take a long time are not run immediately, but
       // added to the MigrationTasks object then run at the end.
       //
       // See the documentation on MigrationTask and MigrationTasks for how to
       // add a task.
       MigrationTasks.runTasks();
 
       // Update the migration version.
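Review bot: The incoming-server loop only visits `account.incomingServer` for each entry in `MailServices.accounts.accounts`, so an incoming server that exists in prefs without an account is left at `socketType == 1`; after this commit neither ImapClient nor Pop3Client treats 1 as STARTTLS any more, so such a server would silently connect in cleartext. If the account manager's server enumeration is usable here (it looks like `MailServices.accounts.allServers` would cover unattached servers too, but please confirm), iterate `for (const server of MailServices.accounts.allServers) {` instead of going through accounts. It would also be worth a one-line comment noting that value 1 is hard-coded because the `trySTARTTLS` constant no longer exists in `nsMsgSocketType`.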
--- a/mail/services/sync/docs/record-spec.md
+++ b/mail/services/sync/docs/record-spec.md
@@ -5,17 +5,16 @@ Renamed from Accounts in version 1. Same
 
 - `deleted`: `true` if this account has been removed
 - `name`: string, user-visible way to identify this account
 - `type`: "imap", "pop3", "smtp" [immutable]
 - `location`: string, the server's hostname and port separated by a colon (in future this may be a
     URL instead, where appropriate)
 - `socketType` (one of): (from nsMsgSocketType)
   - "plain"
-  - "tryStartTLS"
   - "alwaysStartTLS"
   - "tls"
 - `authMethod` (one of): (see nsMsgAuthMethod)
   - "passwordCleartext"
   - "passwordEncrypted"
   - "gssapi" (Kerberos)
   - "ntlm"
   - "tlsCertificate" (AKA “external”)
--- a/mail/services/sync/modules/engines/servers.sys.mjs
+++ b/mail/services/sync/modules/engines/servers.sys.mjs
@@ -7,17 +7,16 @@ import { CryptoWrapper } from "resource:
 import { MailServices } from "resource:///modules/MailServices.sys.mjs";
 import { SCORE_INCREMENT_XLARGE } from "resource://services-sync/constants.sys.mjs";
 import { SyncEngine, Tracker } from "resource://services-sync/engines.sys.mjs";
 import { Utils } from "resource://services-sync/util.sys.mjs";
 
 // Mappings between Ci.nsMsgSocketType types and Sync types.
 const SOCKET_TYPES = [
   [Ci.nsMsgSocketType.plain, "plain"],
-  [Ci.nsMsgSocketType.trySTARTTLS, "tryStartTLS"],
   [Ci.nsMsgSocketType.alwaysSTARTTLS, "alwaysStartTLS"],
   [Ci.nsMsgSocketType.SSL, "tls"],
 ];
 function socketTypeForRecord(number) {
   return SOCKET_TYPES.find(st => st[0] == number)[1];
 }
 function socketTypeForServer(string) {
   return SOCKET_TYPES.find(st => st[1] == string)[0];
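Review bot: With the `"tryStartTLS"` row dropped from `SOCKET_TYPES`, a Sync record written by an older client that still carries `socketType: "tryStartTLS"` makes `SOCKET_TYPES.find(...)` return `undefined`, and `socketTypeForServer` then throws a TypeError on `[0]` rather than applying a server setting; the same happens in `socketTypeForRecord` if a local server still holds value 1. Add an explicit upgrade at the top of `socketTypeForServer`, `if (string == "tryStartTLS") { return Ci.nsMsgSocketType.alwaysSTARTTLS; }`, mirroring the profile migration, and consider making the lookup fail closed (throw a descriptive error, or default to `alwaysSTARTTLS`) for any other unknown string rather than surfacing a bare TypeError. The closing brace of `socketTypeForServer` is outside the hunk.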
--- a/mailnews/base/prefs/content/SmtpServerEdit.js
+++ b/mailnews/base/prefs/content/SmtpServerEdit.js
@@ -119,21 +119,16 @@ function initSmtpSettings(server) {
   const details = server
     ? OAuth2Providers.getHostnameDetails(server.serverURI.host)
     : null;
   document.getElementById("authMethod-oauth2").hidden = !details;
 
   // Hide deprecated/hidden auth options, unless selected
   hideUnlessSelected(document.getElementById("authMethod-anysecure"));
   hideUnlessSelected(document.getElementById("authMethod-any"));
-
-  // "STARTTLS, if available" is vulnerable to MITM attacks so we shouldn't
-  // allow users to choose it anymore. Hide the option unless the user already
-  // has it set.
-  hideUnlessSelected(document.getElementById("connectionSecurityType-1"));
 }
 
 function hideUnlessSelected(element) {
   element.hidden = !element.selected;
 }
 
 function setLabelFromStringBundle(elementID, stringName) {
   document.getElementById(elementID).label = document
--- a/mailnews/base/prefs/content/SmtpServerEdit.xhtml
+++ b/mailnews/base/prefs/content/SmtpServerEdit.xhtml
@@ -148,23 +148,16 @@
                   prefstring="mail.smtpserver.%serverkey%.try_ssl"
                 >
                   <menupopup id="smtp.socketTypePopup">
                     <menuitem
                       value="0"
                       label="&connectionSecurityType-0.label;"
                     />
                     <menuitem
-                      id="connectionSecurityType-1"
-                      value="1"
-                      label="&connectionSecurityType-1.label;"
-                      disabled="true"
-                      hidden="true"
-                    />
-                    <menuitem
                       value="2"
                       label="&connectionSecurityType-2.label;"
                     />
                     <menuitem
                       value="3"
                       label="&connectionSecurityType-3.label;"
                     />
                   </menupopup>
--- a/mailnews/base/prefs/content/am-server.js
+++ b/mailnews/base/prefs/content/am-server.js
@@ -96,21 +96,16 @@ function onInit(aPageId, aServerId) {
   }
 
   // OAuth2 are only supported on IMAP and POP.
   document.getElementById("authMethod-oauth2").hidden =
     serverType != "imap" && serverType != "pop3";
   // TLS Cert (External) only supported on IMAP.
   document.getElementById("authMethod-external").hidden = serverType != "imap";
 
-  // "STARTTLS, if available" is vulnerable to MITM attacks so we shouldn't
-  // allow users to choose it anymore. Hide the option unless the user already
-  // has it set.
-  hideUnlessSelected(document.getElementById("connectionSecurityType-1"));
-
   // UI for account store type.
   const storeTypeElement = document.getElementById("server.storeTypeMenulist");
   // set the menuitem to match the account
   const currentStoreID = document
     .getElementById("server.storeContractID")
     .getAttribute("value");
   const targetItem = storeTypeElement.getElementsByAttribute(
     "value",
--- a/mailnews/base/prefs/content/am-server.xhtml
+++ b/mailnews/base/prefs/content/am-server.xhtml
@@ -31,17 +31,17 @@
     <script defer="defer" src="chrome://messenger/content/am-prefs.js"></script>
     <script defer="defer" src="chrome://messenger/content/amUtils.js"></script>
     <script
       defer="defer"
       src="chrome://messenger/content/menulist-charsetpicker.js"
     ></script>
     <script>
       // FIXME: move to script file.
-      window.addEventListener("load", event => {
+      window.addEventListener("load", () => {
         parent.onPanelLoaded("am-server.xhtml");
       });
     </script>
   </head>
   <html:body
     xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
   >
     <vbox id="containerBox" flex="1">
@@ -148,38 +148,32 @@
         <html:fieldset>
           <html:legend>&securitySettings.label;</html:legend>
           <html:table>
             <html:tr>
               <html:td>
                 <label
                   value="&connectionSecurity.label;"
                   accesskey="&connectionSecurity.accesskey;"
-                  control="server.socketType"
+                  control="server."
                 />
               </html:td>
               <html:td>
                 <menulist
                   wsm_persist="true"
                   id="server.socketType"
                   oncommand="secureSelect();"
                   style="width: 100%"
                 >
                   <menupopup id="server.socketTypePopup">
                     <menuitem
                       value="0"
                       label="&connectionSecurityType-0.label;"
                     />
                     <menuitem
-                      id="connectionSecurityType-1"
-                      value="1"
-                      label="&connectionSecurityType-1.label;"
-                      disabled="true"
-                    />
-                    <menuitem
                       value="2"
                       label="&connectionSecurityType-2.label;"
                       hidefor="nntp"
                     />
                     <menuitem
                       value="3"
                       label="&connectionSecurityType-3.label;"
                     />
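Review bot: The label's `control` attribute was changed from `control="server.socketType"` to `control="server."`, which no longer matches the `id="server.socketType"` menulist a few lines below, so the "Connection security:" label loses its accesskey (`u`) and click target; nothing else in the hunk renames that id, so this looks like an accidental edit. Restore `control="server.socketType"`. The menulist's own id is untouched, so no other change is needed.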
--- a/mailnews/base/public/MailNewsTypes2.idl
+++ b/mailnews/base/public/MailNewsTypes2.idl
@@ -35,24 +35,19 @@ interface nsMsgPriority : nsISupports {
  * Defines whether to use SSL or STARTTLS or not.
  * Used by @see nsIMsgIncomingServer.socketType
  * and @see nsIMsgOutgoingServer.socketType
  */
 [scriptable, uuid(bc78bc74-1b34-48e8-ac2b-968e8dff1aeb)]
 interface nsMsgSocketType : nsISupports {
     /// No SSL or STARTTLS
     const nsMsgSocketTypeValue plain = 0;
-    /// Use TLS via STARTTLS, but only if server offers it.
-    /// @deprecated This is vulnerable to MITM attacks
-    const nsMsgSocketTypeValue trySTARTTLS = 1;
-    /// Insist on TLS via STARTTLS.
-    /// Uses normal port.
+    /// Insist on TLS via STARTTLS. Uses normal port.
     const nsMsgSocketTypeValue alwaysSTARTTLS = 2;
-    /// Connect via SSL.
-    /// Needs special SSL port.
+    /// Connect via SSL. Needs special SSL port.
     const nsMsgSocketTypeValue SSL = 3;
 };
 
 /**
  * Defines which authentication schemes we should try.
  * Used by @see nsIMsgIncomingServer.authMethod
  * and @see nsIMsgOutgoingServer.authMethod
  */
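Review bot: Removing `trySTARTTLS = 1` from a scriptable interface leaves the value 1 unassigned but still present in existing profile prefs (`socketType`/`try_ssl`) until the migration runs, and a future addition could reuse it with a different meaning. Add a comment in the gap so the value stays reserved: `/// Value 1 was trySTARTTLS (removed in bug 1868517; migrated to alwaysSTARTTLS). Do not reuse.` This also tells readers why the migration code compares against a bare `1`.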
--- a/mailnews/compose/src/SmtpClient.sys.mjs
+++ b/mailnews/compose/src/SmtpClient.sys.mjs
@@ -61,19 +61,17 @@ export class SmtpClient {
    * defines the properties but does not actually connect.
    *
    * @class
    *
    * @param {SmtpServer} server - The associated SmtpServer instance.
    */
   constructor(server) {
     this.options = {
-      alwaysSTARTTLS:
-        server.socketType == Ci.nsMsgSocketType.trySTARTTLS ||
-        server.socketType == Ci.nsMsgSocketType.alwaysSTARTTLS,
+      alwaysSTARTTLS: server.socketType == Ci.nsMsgSocketType.alwaysSTARTTLS,
       requireTLS: server.socketType == Ci.nsMsgSocketType.SSL,
     };
 
     this.socket = false; // Downstream TCP socket to the SMTP server, created with TCPSocket
     this.waitDrain = false; // Keeps track if the downstream socket is currently full and a drain event should be waited for or not
 
     // Private properties
 
--- a/mailnews/compose/src/SmtpServer.sys.mjs
+++ b/mailnews/compose/src/SmtpServer.sys.mjs
@@ -189,25 +189,28 @@ export class SmtpServer {
     }
   }
 
   set clientidEnabled(value) {
     this._prefs.setBoolPref("clientidEnabled", value);
   }
 
   get authMethod() {
-    return this._getIntPrefWithDefault("authMethod", 3);
+    return this._getIntPrefWithDefault(
+      "authMethod",
+      Ci.nsMsgAuthMethod.passwordCleartext
+    );
   }
 
   set authMethod(value) {
     this._prefs.setIntPref("authMethod", value);
   }
 
   get socketType() {
-    return this._getIntPrefWithDefault("try_ssl", 0);
+    return this._getIntPrefWithDefault("try_ssl", Ci.nsMsgSocketType.plain);
   }
 
   set socketType(value) {
     this._prefs.setIntPref("try_ssl", value);
   }
 
   /**
    * May contain an alternative argument to EHLO or HELO to provide to the
--- a/mailnews/imap/public/nsIImapServerSink.idl
+++ b/mailnews/imap/public/nsIImapServerSink.idl
@@ -151,23 +151,16 @@ interface nsIImapServerSink : nsISupport
    *
    * @param aPassword returns the stored password or empty string if not stored.
    */
   void syncGetPassword(out AString aPassword);
 
   attribute boolean userAuthenticated;
   void setMailServerUrls(in AUTF8String manageMailAccount, in AUTF8String manageLists, in AUTF8String manageFilters);
 
-  /** Used by the imap thread when upgrading from the socketType
-   * trySTARTTLS.
-   * @param aSucceeded whether STARTTLS succeeded. If it did, the server
-   * will set the socket type to alwaysSTARTTLS, otherwise plain.
-   */
-  void UpdateTrySTARTTLSPref(in boolean aSucceeded);
-
   readonly attribute AUTF8String arbitraryHeaders;
   void forgetPassword();
 
   readonly attribute boolean showAttachmentsInline;
   string cramMD5Hash(in string decodedChallenge, in string key);
   /// String to send to the imap server as the login user name.
   readonly attribute ACString loginUsername;
   /// String to send to the imap server as the user name.
--- a/mailnews/imap/src/ImapClient.sys.mjs
+++ b/mailnews/imap/src/ImapClient.sys.mjs
@@ -1030,20 +1030,17 @@ export class ImapClient {
     }
   };
 
   /**
    * Decide the first auth method to try.
    */
   _actionChooseFirstAuthMethod = () => {
     if (
-      [
-        Ci.nsMsgSocketType.trySTARTTLS,
-        Ci.nsMsgSocketType.alwaysSTARTTLS,
-      ].includes(this._server.socketType) &&
+      [Ci.nsMsgSocketType.alwaysSTARTTLS].includes(this._server.socketType) &&
       !this._secureTransport
     ) {
       if (this._capabilities.includes("STARTTLS")) {
         // Init STARTTLS negotiation if required by user pref and supported.
         this._nextAction = this._actionStarttlsResponse;
         this._sendTagged("STARTTLS");
       } else {
         // Abort if not supported.
--- a/mailnews/imap/src/nsImapIncomingServer.cpp
+++ b/mailnews/imap/src/nsImapIncomingServer.cpp
@@ -390,23 +390,16 @@ NS_IMPL_SERVERPREF_STR(nsImapIncomingSer
 NS_IMPL_SERVERPREF_STR(nsImapIncomingServer, OtherUsersNamespace,
                        "namespace.other_users")
 
 NS_IMPL_SERVERPREF_BOOL(nsImapIncomingServer, FetchByChunks, "fetch_by_chunks")
 
 NS_IMPL_SERVERPREF_BOOL(nsImapIncomingServer, SendID, "send_client_info")
 
 NS_IMETHODIMP
-nsImapIncomingServer::UpdateTrySTARTTLSPref(bool aStartTLSSucceeded) {
-  SetSocketType(aStartTLSSucceeded ? nsMsgSocketType::alwaysSTARTTLS
-                                   : nsMsgSocketType::plain);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
 nsImapIncomingServer::GetImapConnectionAndLoadUrl(nsIImapUrl* aImapUrl,
                                                   nsISupports* aConsumer) {
   nsCOMPtr<nsIImapProtocol> aProtocol;
 
   nsresult rv = GetImapConnection(aImapUrl, getter_AddRefs(aProtocol));
   NS_ENSURE_SUCCESS(rv, rv);
 
   nsCOMPtr<nsIMsgMailNewsUrl> mailnewsurl = do_QueryInterface(aImapUrl, &rv);
--- a/mailnews/imap/src/nsImapProtocol.cpp
+++ b/mailnews/imap/src/nsImapProtocol.cpp
@@ -503,17 +503,17 @@ nsImapProtocol::nsImapProtocol()
   m_retryUrlOnError = false;
   m_useIdle = true;  // by default, use it
   m_useCondStore = true;
   m_useCompressDeflate = true;
   m_ignoreExpunges = false;
   m_prefAuthMethods = kCapabilityUndefined;
   m_failedAuthMethods = 0;
   m_currentAuthMethod = kCapabilityUndefined;
-  m_socketType = nsMsgSocketType::trySTARTTLS;
+  m_socketType = nsMsgSocketType::alwaysSTARTTLS;
   m_connectionStatus = NS_OK;
   m_safeToCloseConnection = false;
   m_hostSessionList = nullptr;
   m_isGmailServer = false;
   m_fetchingWholeMessage = false;
   m_allowUTF8Accept = false;
 
   nsCOMPtr<nsIPrefBranch> prefBranch(do_GetService(NS_PREFSERVICE_CONTRACTID));
@@ -989,40 +989,30 @@ nsresult nsImapProtocol::SetupWithUrlCal
   Log("SetupWithUrlCallback", nullptr, "clearing IMAP_CONNECTION_IS_OPEN");
   ClearFlag(IMAP_CONNECTION_IS_OPEN);
   const char* connectionType = nullptr;
 
   if (m_socketType == nsMsgSocketType::SSL)
     connectionType = "ssl";
   else if (m_socketType == nsMsgSocketType::alwaysSTARTTLS)
     connectionType = "starttls";
-  // This can go away once we think everyone is migrated
-  // away from the trySTARTTLS socket type.
-  else if (m_socketType == nsMsgSocketType::trySTARTTLS)
-    connectionType = "starttls";
 
   int32_t port = -1;
   nsCOMPtr<nsIURI> uri = do_QueryInterface(m_runningUrl, &rv);
   if (NS_FAILED(rv)) return rv;
   uri->GetPort(&port);
 
   AutoTArray<nsCString, 1> connectionTypeArray;
   if (connectionType) connectionTypeArray.AppendElement(connectionType);
   // NOTE: Some errors won't show up until the first read attempt (SSL bad
   // certificate errors, for example).
   rv = socketService->CreateTransport(connectionTypeArray, m_hostName, port,
                                       aProxyInfo, nullptr,
                                       getter_AddRefs(m_transport));
-  if (NS_FAILED(rv) && m_socketType == nsMsgSocketType::trySTARTTLS) {
-    connectionType = nullptr;
-    m_socketType = nsMsgSocketType::plain;
-    rv = socketService->CreateTransport(connectionTypeArray, m_hostName, port,
-                                        aProxyInfo, nullptr,
-                                        getter_AddRefs(m_transport));
-  }
+  NS_ENSURE_SUCCESS(rv, rv);
 
   // remember so we can know whether we can issue a start tls or not...
   m_connectionType = connectionType;
   if (m_transport && m_mockChannel) {
     uint8_t qos;
     rv = GetQoSBits(&qos);
     if (NS_SUCCEEDED(rv)) m_transport->SetQoSBits(qos);
 
@@ -1679,18 +1669,17 @@ void nsImapProtocol::EstablishServerConn
                                                        fakeServerResponse);
       }
     }
   } else if (!PL_strncasecmp(serverResponse, ESC_PREAUTH, ESC_PREAUTH_LEN)) {
     // PREAUTH greeting received. We've been pre-authenticated by the server.
     // We can skip sending a password and transition right into the
     // kAuthenticated state; but we won't if the user has configured STARTTLS.
     // (STARTTLS can only occur with the server in non-authenticated state.)
-    if (!(m_socketType == nsMsgSocketType::alwaysSTARTTLS ||
-          m_socketType == nsMsgSocketType::trySTARTTLS)) {
+    if (m_socketType != nsMsgSocketType::alwaysSTARTTLS) {
       GetServerStateParser().PreauthSetAuthenticatedState();
 
       if (GetServerStateParser().GetCapabilityFlag() == kCapabilityUndefined)
         Capability();
 
       if (!(GetServerStateParser().GetCapabilityFlag() &
             (kIMAP4Capability | kIMAP4rev1Capability | kIMAP4other))) {
         // AlertUserEventUsingId(MK_MSG_IMAP_SERVER_NOT_IMAP4);
@@ -1867,21 +1856,17 @@ bool nsImapProtocol::ProcessCurrentURL()
          !(GetServerStateParser().GetCapabilityFlag() &
            (kIMAP4Capability | kIMAP4rev1Capability | kIMAP4other)))) {
       if (!DeathSignalReceived() && NS_SUCCEEDED(GetConnectionStatus()) &&
           GetServerStateParser().GetCapabilityFlag())
         AlertUserEventUsingName("imapServerNotImap4");
 
       SetConnectionStatus(NS_ERROR_FAILURE);  // stop netlib
     } else {
-      if ((m_connectionType.EqualsLiteral("starttls") &&
-           (m_socketType == nsMsgSocketType::trySTARTTLS &&
-            (GetServerStateParser().GetCapabilityFlag() &
-             kHasStartTLSCapability))) ||
-          m_socketType == nsMsgSocketType::alwaysSTARTTLS) {
+      if (m_socketType == nsMsgSocketType::alwaysSTARTTLS) {
         StartTLS();  // Send imap STARTTLS command
         if (GetServerStateParser().LastCommandSuccessful()) {
           NS_ENSURE_TRUE(m_transport, false);
           MOZ_ASSERT(!NS_IsMainThread());
           rv = TransportStartTLS();  // Initiate STARTTLS handshakes
           if (NS_SUCCEEDED(rv)) {
             // Transition to secure state is now enabled but handshakes and
             // negotiation has not yet occurred. Make sure that
@@ -1913,24 +1898,16 @@ bool nsImapProtocol::ProcessCurrentURL()
             m_inputStreamBuffer->ClearBuffer();
 
             // Force re-issue of "capability", because servers may
             // enable other auth features (e.g. remove LOGINDISABLED
             // and add AUTH=PLAIN). Sending imap data here first triggers
             // the TLS negotiation handshakes.
             Capability();
 
-            // If user has set pref mail.server.serverX.socketType to 1
-            // (trySTARTTLS, now deprecated in UI) and Capability()
-            // succeeds, indicating TLS handshakes succeeded, set and
-            // latch the socketType to 2 (alwaysSTARTTLS) for this server.
-            if ((m_socketType == nsMsgSocketType::trySTARTTLS) &&
-                GetServerStateParser().LastCommandSuccessful())
-              m_imapServerSink->UpdateTrySTARTTLSPref(true);
-
             // Courier imap doesn't return STARTTLS capability if we've done
             // a STARTTLS! But we need to remember this capability so we'll
             // try to use STARTTLS next time.
             // Update: This may not be a problem since "next time" will be
             // on a new connection that is not yet in secure state. So the
             // capability greeting *will* contain STARTTLS. I observed and
             // tested this on Courier imap server. But keep this to be sure.
             eIMAPCapabilityFlags capabilityFlag =
@@ -1943,40 +1920,22 @@ bool nsImapProtocol::ProcessCurrentURL()
           }
           if (NS_FAILED(rv)) {
             nsAutoCString logLine("Enable of STARTTLS failed. Error 0x");
             logLine.AppendInt(static_cast<uint32_t>(rv), 16);
             Log("ProcessCurrentURL", nullptr, logLine.get());
             if (m_socketType == nsMsgSocketType::alwaysSTARTTLS) {
               SetConnectionStatus(rv);  // stop netlib
               if (m_transport) m_transport->Close(rv);
-            } else if (m_socketType == nsMsgSocketType::trySTARTTLS)
-              m_imapServerSink->UpdateTrySTARTTLSPref(false);
+            }
           }
         } else if (m_socketType == nsMsgSocketType::alwaysSTARTTLS) {
           SetConnectionStatus(NS_ERROR_FAILURE);  // stop netlib
           if (m_transport) m_transport->Close(rv);
-        } else if (m_socketType == nsMsgSocketType::trySTARTTLS) {
-          // STARTTLS failed, so downgrade socket type
-          m_imapServerSink->UpdateTrySTARTTLSPref(false);
         }
-      } else if (m_socketType == nsMsgSocketType::trySTARTTLS) {
-        // we didn't know the server supported TLS when we created
-        // the socket, so we're going to retry with a STARTTLS socket
-        if (GetServerStateParser().GetCapabilityFlag() &
-            kHasStartTLSCapability) {
-          ClearFlag(IMAP_CONNECTION_IS_OPEN);
-          TellThreadToDie();
-          SetConnectionStatus(NS_ERROR_FAILURE);
-          return RetryUrl();
-        }
-        // trySTARTTLS set, but server doesn't have TLS capability,
-        // so downgrade socket type
-        m_imapServerSink->UpdateTrySTARTTLSPref(false);
-        m_socketType = nsMsgSocketType::plain;
       }
       if (!DeathSignalReceived() && (NS_SUCCEEDED(GetConnectionStatus()))) {
         // Run TryToLogon() under the protection of the server's logon monitor.
         // This prevents a dogpile of multiple connections all attempting to
         // log on at the same time using an obsolete password, potentially
         // triggering the provider to block the account (Bug 1862111).
         // We run this on the current thread, not proxied to the main thread!
         logonFailed = true;
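Review bot: The two remaining `m_socketType == nsMsgSocketType::alwaysSTARTTLS` checks in this hunk (inside the `NS_FAILED(rv)` block and the `else if` after `LastCommandSuccessful()`) now sit inside the outer `if (m_socketType == nsMsgSocketType::alwaysSTARTTLS)` opened in the earlier hunk, so as far as the visible code shows they are always true and the `else if` has no other arm. Drop them so the failure handling reads unconditionally: replace the inner `if (m_socketType == nsMsgSocketType::alwaysSTARTTLS) {` with the two statements it guards, and change `} else if (m_socketType == nsMsgSocketType::alwaysSTARTTLS) {` to `} else {`. `ProcessCurrentURL` begins and ends outside the hunk, so please confirm nothing between the hunks reassigns `m_socketType`.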
--- a/mailnews/imap/src/nsSyncRunnableHelpers.cpp
+++ b/mailnews/imap/src/nsSyncRunnableHelpers.cpp
@@ -442,17 +442,16 @@ NS_SYNCRUNNABLEATTRIBUTE(ImapServerSink,
 NS_SYNCRUNNABLEMETHOD3(ImapServerSink, SetMailServerUrls, const nsACString&,
                        const nsACString&, const nsACString&)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetArbitraryHeaders, nsACString&)
 NS_SYNCRUNNABLEMETHOD0(ImapServerSink, ForgetPassword)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetShowAttachmentsInline, bool*)
 NS_SYNCRUNNABLEMETHOD3(ImapServerSink, CramMD5Hash, const char*, const char*,
                        char**)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetLoginUsername, nsACString&)
-NS_SYNCRUNNABLEMETHOD1(ImapServerSink, UpdateTrySTARTTLSPref, bool)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetOriginalUsername, nsACString&)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetServerKey, nsACString&)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetServerPassword, nsAString&)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, RemoveServerConnection, nsIImapProtocol*)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetServerShuttingDown, bool*)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, ResetServerConnection, const nsACString&)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, SetServerDoingLsub, bool)
 NS_SYNCRUNNABLEMETHOD1(ImapServerSink, SetServerUtf8AcceptEnabled, bool)
--- a/mailnews/local/src/Pop3Client.sys.mjs
+++ b/mailnews/local/src/Pop3Client.sys.mjs
@@ -642,20 +642,17 @@ export class Pop3Client {
     );
   };
 
   /**
    * Decide the first auth method to try.
    */
   _actionChooseFirstAuthMethod = async () => {
     if (
-      [
-        Ci.nsMsgSocketType.trySTARTTLS,
-        Ci.nsMsgSocketType.alwaysSTARTTLS,
-      ].includes(this._server.socketType) &&
+      [Ci.nsMsgSocketType.alwaysSTARTTLS].includes(this._server.socketType) &&
       !this._secureTransport
     ) {
       if (this._capabilities.includes("STLS")) {
         // Init STARTTLS negotiation if required by user pref and supported.
         this._nextAction = this._actionStlsResponse;
         // STLS is the POP3 command to init STARTTLS.
         await this._send("STLS");
       } else {
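Review bot: The one-element `[Ci.nsMsgSocketType.alwaysSTARTTLS].includes(this._server.socketType)` is left over from the two-element list and reads as if more values were expected; a plain equality, `this._server.socketType == Ci.nsMsgSocketType.alwaysSTARTTLS &&`, says what is meant. Note also that a server still carrying the removed value 1 now skips the STLS path entirely and authenticates on the insecure transport, so the behaviour here depends on the profile migration having run; a short comment to that effect would help the next reader. The function continues past the hunk.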