Closed Bug 1787766 Opened 2 years ago Closed 2 years ago

Thunderbird 102 unable to use apop authentication anymore

Categories

(MailNews Core :: Networking: POP, defect)

Product:
MailNews Core
Component:
Networking: POP
Version:
Thunderbird 102
Type:
defect

Tracking

(thunderbird_esr102+ fixed, thunderbird105 fixed)

Status:
RESOLVED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
thunderbird_esr102 + fixed
thunderbird105 --- fixed

People

(Reporter: david.rene, Assigned: rnons)

Details

Attachments

(4 files)

TB102-Error.PNG
4.31 KB, image/png
Details
TB102-account security settings.PNG
4.10 KB, image/png
Details
Bug 1787766 - Support APOP auth in Pop3Client.jsm. r=mkmelin
48 bytes, text/x-phabricator-request
wsmwk
: approval-comm-beta+
Details | Review
bug1787766_esr102.patch
4.34 KB, patch
rjl
: approval-comm-esr102+
Details | Diff | Splinter Review
Attached image TB102-Error.PNG

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0

Steps to reproduce:

upgrade from TB91 to 102.2.0

Actual results:

our pop server support APOP authentication which was worked fine until thunderbird 91 after the upgrade to TB 102. TB complain with "The server does not support the selected authentication method"
In settings / security settings :
connection security : none (which normal)
Authentication method: Encrypted password (which make use of APOP)

So this couple connection/auth method can't be use for logging with APOP.

TB102 in pop3 asking for CAPA which in not recognize by our pop3 server.

Expected results:

Fix the APOP authentication in TB 102

server settings

Component: Untriaged → Networking: POP
Flags: needinfo?(remotenonsense)
Product: Thunderbird → MailNews Core

I didn't implement apop in pop3-js because I thought it's outdated and not widely used.
I think it's better to use SSL connection. Without SSL, APOP is not safer than plain text.

It's not outdated and still used in some companies email server like us. So since TB102 I can't use anymore the APOP login and the SSL in our server is selfsigned which is also a problem with TB102. There is also another bug in TB102 when you use the SSL, because even you checked "Permanently store the exception", the dialog "Add Security Exception" always appear when you start again TB102. This means the exception isn't stored permanently.
Maybe you can add a setting to activate the APOP login to keep compatibility instead of cutting off the functionality without any announce in release log. If it was announced in released that the APOP doesn't exist anymore, I'll never upgrade to TB102. But now I can't go back to TB 91 and stick in TB102. Reinstalling the TB91 is not a option because I have 15 years of fine tuning settings, included filters.
The only way to get my email without warning or error from TB102 is following setting :
connection security : None
Authentication method: Password, transmitted insecurely
Do you think that is safer than APOP ?!
I know there is some document which explain the "Practical key-recovery attack against APOP, an MD5 based challenge-response authentication" but to taking back the password need many hours to do so. In unsecure connection it's need only to read in the text.
So if you can please restore the APOP authentication in TB102 it will be a big help for some companies

Assignee: nobody → remotenonsense
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

The security it adds seems pretty minimal. It may add an hour for the attacker... call it what you want but that's not really security.

You can set the mailnews.pop3.jsmodule pref to false to use the old implementation.

status-thunderbird105: --- → affected
status-thunderbird_esr102: --- → unaffected
tracking-thunderbird_esr102: --- → +
Summary: Regression: Thunderbird 102 unable to use apop anymore → Thunderbird 102 unable to use apop authentication anymore
Target Milestone: --- → 106 Branch
Flags: needinfo?(remotenonsense)
Keywords: checkin-needed-tb

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/737cf4def8c2
Support APOP auth in Pop3Client.jsm. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

Comment on attachment 9292214 [details]
Bug 1787766 - Support APOP auth in Pop3Client.jsm. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): bug 1707548
User impact if declined: Can't use APOP auth method in pop3.
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low

Attachment #9292214 - Flags: approval-comm-beta?

Comment on attachment 9292214 [details]
Bug 1787766 - Support APOP auth in Pop3Client.jsm. r=mkmelin

[Triage Comment]
Approved for beta

Attachment #9292214 - Flags: approval-comm-beta? → approval-comm-beta+

Version for comm-esr102. This bug is needed to uplift bug 1782250 to comm-esr102.

[Approval Request Comment]
Regression caused by (bug #):
User impact if declined: Can't uplift bug 1782250 without this one.
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky):

Attachment #9293318 - Flags: approval-comm-esr102?

Comment on attachment 9293318 [details] [diff] [review]
bug1787766_esr102.patch

[Triage Comment]
Approved for 102.2.2, dependency of bug 1782250.

Attachment #9293318 - Flags: approval-comm-esr102? → approval-comm-esr102+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: