Thunderbird 102 unable to use apop authentication anymore
Categories: MailNews Core :: Networking: POP, defect
Tracking: thunderbird_esr102+ fixed, thunderbird105 fixed
People: Reporter: david.rene, Assigned: rnons
Attachments (4 files):
4.31 KB, image/png
4.10 KB, image/png
48 bytes, text/x-phabricator-request (wsmwk: approval-comm-beta+)
4.34 KB, patch (rjl: approval-comm-esr102+)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Steps to reproduce:
upgrade from TB91 to 102.2.0
Actual results:
Our POP server supports APOP authentication, which worked fine until Thunderbird 91. After the upgrade to TB 102, TB complains with "The server does not support the selected authentication method".
In settings / security settings:
Connection security: None (which is normal)
Authentication method: Encrypted password (which makes use of APOP)
So this connection/auth method couple can't be used for logging in with APOP.
TB102 in POP3 is asking for CAPA, which is not recognized by our POP3 server.
Expected results:
Fix the APOP authentication in TB 102
Comment 1 (Reporter) • 2 years ago
server settings
Comment 2 (Assignee) • 2 years ago
I didn't implement apop in pop3-js because I thought it's outdated and not widely used.
I think it's better to use SSL connection. Without SSL, APOP is not safer than plain text.
Comment 3 (Reporter) • 2 years ago
It's not outdated and is still used on some companies' email servers, like ours. So since TB102 I can't use the APOP login anymore, and the SSL on our server is self-signed, which is also a problem with TB102. There is also another bug in TB102 when you use SSL: even if you checked "Permanently store the exception", the "Add Security Exception" dialog always appears when you start TB102 again. This means the exception isn't stored permanently.
Maybe you can add a setting to activate the APOP login to keep compatibility, instead of cutting off the functionality without any announcement in the release log. If it had been announced in the release that APOP doesn't exist anymore, I would never have upgraded to TB102. But now I can't go back to TB 91 and am stuck on TB102. Reinstalling TB91 is not an option because I have 15 years of fine-tuned settings, including filters.
The only way to get my email without a warning or error from TB102 is the following setting:
Connection security: None
Authentication method: Password, transmitted insecurely
Do you think that is safer than APOP?!
I know there is a document which explains the "Practical key-recovery attack against APOP, an MD5 based challenge-response authentication", but taking back the password needs many hours. On an unsecured connection it only needs to be read in the text.
So if you can, please restore the APOP authentication in TB102; it will be a big help for some companies.
Comment 4 (Assignee) • 2 years ago
Comment 5 • 2 years ago
The security it adds seems pretty minimal. It may add an hour for the attacker... call it what you want but that's not really security.
You can set the mailnews.pop3.jsmodule pref to false to use the old implementation.
Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/737cf4def8c2
Support APOP auth in Pop3Client.jsm. r=mkmelin
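Added example, not part of the bug thread and not the Pop3Client.jsm patch: the client side of the APOP exchange discussed above, as defined in RFC 1939. The function names and the strictness of the challenge check are assumptions of this example; the sample greeting, user and secret are the ones printed in the RFC.

```javascript
const crypto = require("crypto");

// Greeting and credentials are the sample values from RFC 1939, section 7.
const RFC_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>";

// Pull the APOP challenge (the "timestamp") out of the server greeting.
// Returns null when the greeting carries no usable challenge, which is how a
// client learns that APOP is not on offer.
function parseApopChallenge(greeting) {
  if (!greeting.startsWith("+OK")) return null;
  const match = /<[^<>]*>/.exec(greeting);
  if (match === null) return null;
  // Example policy: accept only a msg-id shaped, printable-ASCII challenge.
  // The digest covers bytes chosen by the server, so odd ones are refused.
  if (!/^<[\x21-\x7e]+@[\x21-\x7e]+>$/.test(match[0])) return null;
  return match[0];
}

// RFC 1939: digest = MD5(challenge with its angle brackets + secret), lowercase hex.
function apopDigest(challenge, password) {
  return crypto.createHash("md5").update(challenge + password, "utf8").digest("hex");
}

// Build the command line a client sends instead of USER/PASS.
function apopCommand(greeting, user, password) {
  const challenge = parseApopChallenge(greeting);
  if (challenge === null) return null; // no APOP: fail or pick another method
  return `APOP ${user} ${apopDigest(challenge, password)}`;
}

console.log(apopCommand(RFC_GREETING, "mrose", "tanstaaf"));
```

On a connection without TLS, both the challenge and the resulting digest cross the wire in the clear; only the password itself is withheld.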
Comment 7 (Assignee) • 2 years ago
Comment on attachment 9292214 [details]
Bug 1787766 - Support APOP auth in Pop3Client.jsm. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #): bug 1707548
User impact if declined: Can't use APOP auth method in pop3.
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low
Comment 8 • 2 years ago
Comment on attachment 9292214 [details]
Bug 1787766 - Support APOP auth in Pop3Client.jsm. r=mkmelin
[Triage Comment]
Approved for beta
Comment 9 • 2 years ago
Version for comm-esr102. This bug is needed to uplift bug 1782250 to comm-esr102.
[Approval Request Comment]
Regression caused by (bug #):
User impact if declined: Can't uplift bug 1782250 without this one.
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky):
Comment 10 • 2 years ago
Comment on attachment 9293318 [details] [diff] [review]
bug1787766_esr102.patch
[Triage Comment]
Approved for 102.2.2, dependency of bug 1782250.
Comment 11 • 2 years ago
bugherder uplift
Thunderbird 102.2.2:
https://hg.mozilla.org/releases/comm-esr102/rev/b0ec79ca5fb1
Comment 12 • 2 years ago
bugherder uplift
Thunderbird 105.0b3:
https://hg.mozilla.org/releases/comm-beta/rev/4c4f8a6269d0