If supported, POP3 should try to login with AUTH PLAIN and AUTH LOGIN before using USERPASS login method
Categories
(MailNews Core :: Networking: POP, defect)
Tracking
(thunderbird_esr115 wontfix, thunderbird127 fixed)
People
(Reporter: gds, Assigned: gds)
Details
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
wsmwk
:
approval-comm-beta+
|
Details | Review |
When logging in to a POP3 server account, TB currently uses the default (defined by base POP3 RFC https://datatracker.ietf.org/doc/html/rfc1939#page-13) USER/PASS authentication method as the first login method to try. USER/PASS transmits the username and password in plaintext. This may be a moot point when TLS is in effect since everything is encrypted. But for users on an open network that might want to still hide their username and password from casual observers, it would be better to use the PLAIN or LOGIN authentication methods (if supported) since these at least obfuscate the username and password -- but don't actually encrypt them.
In this section of the RFC detailing POP3 optional authentication, https://datatracker.ietf.org/doc/html/rfc1734#section-2, it implies that USER/PASS should be tried last after trying to use, e.g., AUTH PLAIN and/or AUTH LOGIN:
If an AUTH command fails with a negative response, the session remains in the AUTHORIZATION state
and client may try another authentication mechanism by issuing another AUTH command, or may
attempt to authenticate by using the USER/PASS or APOP commands. In other words, the client may
request authentication types in decreasing order of preference, with the USER/PASS or APOP
command as a last resort.
Note: TB's IMAP implementation does plaintext username/password transmission as a "last resort" (called "old-style" login in the imap code).
|
Assignee | |
Comment 1•4 months ago
|
||
Just an observation:
I was curious if APOP (mentioned above) actually worked so I enabled it in my dovecot server. But I couldn't find any documentation as to how to enable it in TB. Finally found this (Bug 1787766) that says you have to set server setting "Authentication method" to "Encrypted password". It does indeed work with "Security setting" at "None" or "TLS" (and probably STARTTLS, haven't tried it).
The only "problem" I see is if the server supports CRAM-MD5 and also supports APOP, when you set TB authentication method to "Encrypted password", CRAM-MD5 is used. There doesn't seem to be a way to cause APOP to be used in that case. So to get APOP to occur in TB, I have to disable CRAM-MD5 authentication in dovecot config file. I suspect both APOP and CRAM-MD5 are deprecated and I have no idea which is "better".
Anyhow, this is probably nothing to be concerned about. Like I said, just an observation.
|
|
Assignee | |
Comment 2•4 months ago
|
||
Instead of doing USERPASS with cleartext username/password transmitted
on the initial authentication attempt, use AUTH PLAIN and then
AUTH LOGIN (if supported) which send obfuscated credentials.
|
||
Updated•4 months ago
|
|
|
||
Updated•4 months ago
|
|
|
Assignee | |
Updated•4 months ago
|
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/9b51b5155d5e
POP3 should try to login with AUTH PLAIN or LOGIN before trying USERPASS. r=mkmelin
|
||
Updated•3 months ago
|
|
||
Comment 4•3 months ago
|
||
Comment on attachment 9402127 [details]
Bug 1897045 - POP3 should try to login with AUTH PLAIN or LOGIN before trying USERPASS. r=mkmelin
[Triage Comment]
Approved for beta (This has been on nightly for two weeks)
|
||
Comment 5•3 months ago
|
||
| bugherder uplift | ||
Thunderbird 127.0b4:
https://hg.mozilla.org/releases/comm-beta/rev/2596163a11e2
Description
•