Closed Bug 1061781 Opened 10 years ago Closed 10 years ago

Account with IMAP SSL on port 143 is hard to setup

Categories

(Thunderbird :: Account Manager, defect)

31 Branch
x86_64
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: bugzilla, Unassigned)

Details

(Keywords: reproducible)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20140716183446

Steps to reproduce:

-1- Thunderbird 31.1.0 and autoconfig server (http://autoconfig.mydomain.tld/mail/config-v1.1.xml)
-2- Mail account creation, with name, mail address, and password. Autoconfig works fine.



Actual results:

-1- The autoconfig answer is IMAP/SSL/port 143 (can be checked with manual config)
-2- The account is created with IMAP/SSL/port 993 and doesn't work



Expected results:

The creation of the mail account should accept whatever information is supplied by autoconfig, and not change port 143 to 993.
Hardware: x86 → x86_64
Version: unspecified → 31
This bug is totally unrelated to autoconfig. For years I had to struggle to create an email account with IMAP/SSL/143. Now that I am using autoconfig, the only new thing is that the bug is easier to show.
Each time you choose SSL, Thunderbird changes the port setting to 993.
The workaround I use to create an email account IMAP/SSL/143
- Don't supply password
- Manual config
- Advanced config
- Once the account is created, change the buggy 993 to 143.

BTW, I made the decision to use port 143 on my servers, because I was told long ago that 993 is deprecated. Using SSL or not is no longer related to the port number.
It is specifically related to port 143. If my autoconfig answers IMAP/SSL/port 995 (i.e. pop3s), this funny answer is accepted. But the answer IMAP/SSL/143 is always changed to IMAP/SSL/993.
This bug is easily reproduced without autoconfig, it can be seen clearly on manual config.
You cannot choose BOTH SSL and port 143.
If you choose SSL, the port is automatically overridden to 993.
If you choose 143, the SSL setting is automatically overridden to Automatic.
If you choose any port but 143, the SSL setting is not modified.

I am afraid that I have no choice but to follow the crowd with SSL/993 if I want to use autoconfig (for Firefox OS it is a must).
Keywords: reproducible
If you want SSL on port 993 it's supposed to be the StartTLS variant.
Yes, I can see what comment 3 says. If you operate Port dropdown, SSL field changes. If you operate SSL, Port changes.

What happens if you leave port at 143 and SSL on Autodetect? Doesn't the account work?
Maybe yes, but it is not ideal for security (if a MITM attacker advertises no SSL, TB will not use SSL).
It can at least be overridden later in the Account manager: first select SSL/TLS, then rewrite port to 143.

BenB, do you think this should be changed in the account wizard?
Status: UNCONFIRMED → NEW
Component: Untriaged → Account Manager
Ever confirmed: true
Flags: needinfo?(ben.bucksch)
(In reply to :aceman from comment #5)
> Yes, I can see what comment 3 says. If you operate Port dropdown, SSL field
> changes. If you operate SSL, Port changes.
> 
> What happens if you leave port at 143 and SSL on Autodetect? Doesn't the
> account work?

It doesn't work. It's exactly what I said in the first description of this bug.

> Maybe yes, but it is not ideal for security (if a MITM attacker advertises
> no SSL, TB will not use SSL).

Suddenly I realize that it's not enough to use only secured servers, I have to select client software that uses only secured servers! Am I right in understanding that, even if my TB account is not *automatic* but is *SSL*, TB will fall back to an insecure connection in case the server is not advertising SSL?

> It can at least be overridden later in the Account manager: first select
> SSL/TLS, then rewrite port to 143.

Yes. So I have done that for years (as I said in comment #1).

> BenB, do you think this should be changed in the account wizard?

Cannot answer, because I don't know what is the point in forcing SSL == 993 in account creation wizard only.

More generally, I observe that this creation wizard lacks the flexibility of daily use of TB. It seems there is duplicated code for connecting to the IMAP server, one in the account creation wizard and one in daily use of TB, the latter being the only one to offer some bypass, for instance with an invalid certificate.
This can hurt, as the account creation wizard defaults to refusing the creation of the account if it can't connect to the IMAP server with its own inflexible rules.

Ph. Le.
(In reply to Ph.Le. from comment #6)
> > Maybe yes, but it is not ideal for security (if a MITM attacker advertises
> > no SSL, TB will not use SSL).
> 
> Suddenly I realize that it's not enough to use only secured servers, I have
> to select client software that uses only secured servers! Am I right in
> understanding that, even if my TB account is not *automatic* but is *SSL*,
> TB will fall back to insecure connection in case the server is not
> advertising SSL ?
No, the other way round. I meant in the "automatic" mode this could be the case (fallback to no SSL if not found). I think we had such a mode in the past, but I think it was removed from the account manager.
If you specifically choose "SSL" then TB should abort the connection if the server does not support it. So you should be safe.

> > BenB, do you think this should be changed in the account wizard?
> 
> Cannot answer, because I don't know what is the point in forcing SSL == 993
> in account creation wizard only.
> 
> More generally I observe that this creation wizard lacks the flexibility of
> daily use of TB. It seems there is duplicated code for connecting to IMAP
> server, one in account creation wizard and one in daily use of TB, the
> latter being the only to offer some by-pass for instance, with invalid
> certificate.
Sure, a wizard only contains the most common options valid for most users. If you have specific needs, there is the "advanced config" button that exposes the full options in the account manager.
There would be no point to duplicate the account manager into the account wizard.
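The difference between the "automatic" and the explicit setting discussed in this comment, modelled as a decision function for a port-143 connection. This is an added example, not Thunderbird's code or part of the bug thread; the mode names `required` and `opportunistic` and both greetings are constructed for illustration.

```python
import re

# Constructed server greetings for a port-143 connection (not captured traffic).
HONEST = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready"
STRIPPED = "* OK [CAPABILITY IMAP4rev1] server ready"  # STARTTLS removed in transit


def parse_capabilities(line):
    """Return capability atoms from a greeting's [CAPABILITY ...] response code
    or from an untagged '* CAPABILITY ...' reply; empty set if neither is present."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\* CAPABILITY (.*)", line, re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def next_step(mode, server_line):
    """Decide the client's next action before any credentials are sent.

    mode (hypothetical names): 'required' means TLS or nothing,
    'opportunistic' means use TLS only if the server offers it.
    """
    if mode not in ("required", "opportunistic"):
        raise ValueError(f"unknown mode: {mode}")
    caps = parse_capabilities(server_line)
    if "STARTTLS" in caps:
        return "send STARTTLS"
    if mode == "required":
        # The client cannot tell a server without TLS from a stripped
        # capability list, so the only safe answer is to stop.
        return "abort"
    if "LOGINDISABLED" in caps:
        # Server refuses plaintext LOGIN, so there is nothing to fall back to.
        return "abort"
    return "continue in plaintext"  # the downgrade the comment warns about
```

With the stripped greeting, only the `required` mode refuses to continue; the opportunistic mode proceeds without encryption.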
This server is badly configured.
IMAP without SSL is port 143
IMAP with STARTTLS is port 143
IMAP with SSL is port 993

Having IMAP with SSL on port 143 is a misconfiguration on the server. We don't need to make this easy to set up. Please use the "advanced config" button for that: Set up everything (hostnames etc.) normally in the account creation dialog, apart from the port. Then click "Advanced". There, you can edit the port number.

Not a bug
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(ben.bucksch)
Resolution: --- → WONTFIX
(And a server that supports STARTTLS must advertise it in CAPABILITIES.)
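A check a server administrator could run on an autoconfig file before publishing it, using the port conventions listed above (143 for plain or STARTTLS, 993 for SSL). This is an added example, not code from Thunderbird or from the bug thread; the sample XML is constructed to match the IMAP/SSL/143 answer in the report, and `imap.mydomain.tld` is a placeholder hostname.

```python
import xml.etree.ElementTree as ET

# Pairings from the thread: 143 carries plain or STARTTLS, 993 carries implicit SSL.
# Other ports are not judged; only <incomingServer type="imap"> entries are checked.
EXPECTED = {143: {"plain", "STARTTLS"}, 993: {"SSL"}}

# Constructed sample reproducing the reported answer (IMAP / SSL / port 143).
SAMPLE = """<clientConfig version="1.1">
  <emailProvider id="mydomain.tld">
    <domain>mydomain.tld</domain>
    <incomingServer type="imap">
      <hostname>imap.mydomain.tld</hostname>
      <port>143</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>password-cleartext</authentication>
    </incomingServer>
  </emailProvider>
</clientConfig>"""


def lint_autoconfig(xml_text):
    """Return (hostname, port, socketType, finding) tuples for IMAP servers.

    Intended for the administrator's own file; xml.etree is not hardened
    against hostile XML.
    """
    findings = []
    for srv in ET.fromstring(xml_text).iter("incomingServer"):
        if srv.get("type") != "imap":
            continue
        host = (srv.findtext("hostname") or "").strip()
        sock = (srv.findtext("socketType") or "").strip()
        try:
            port = int(srv.findtext("port") or "")
        except ValueError:
            findings.append((host, None, sock, "missing or non-numeric port"))
            continue
        if sock == "plain":
            findings.append((host, port, sock, "no transport encryption"))
        allowed = EXPECTED.get(port)
        if allowed is not None and sock not in allowed:
            expected = " or ".join(sorted(allowed))
            findings.append((host, port, sock,
                             f"port {port} conventionally carries {expected}"))
    return findings
```

Changing the sample to port 993 with `SSL`, or keeping port 143 with `STARTTLS`, returns an empty list.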
Thanks for the answer, OK for closing this bug and sorry for the trouble.
Port 143 is for IMAP with or without the possibility to STARTTLS and 993 is for IMAPS.

I misunderstood RFC 2595:
"Separate "imaps" and "pop3s" ports were registered for use with SSL.
   Use of these ports is discouraged in favor of the STARTTLS or STLS
   commands."

However, 3 remarks:

-1- I was astonished that autoconfig with IMAP/SSL accepts any port but 143. If the role of a wizard is to prevent client errors, I am not sure it has to correct what it thinks is a server config error.

-2- When the wizard fails, I find it difficult to go on with advanced config. The choice is often made unavailable.

-3- I was not asking that the wizard duplicate manual config. I was saying that the wizard duplicates IMAP login, with fewer possibilities than daily use (for instance it doesn't offer a possibility to overcome certificate issues).

Ph.Le
The wizard initially ignores cert issues; only after you set up the account (and are about to send the password) will you have to deal with those.