270483 - Use TLS by default for SMTP, IMAP, POP3

Status: NEW

(SeaMonkey :: MailNews: Account Configuration, enhancement)

Description

[Josh Kelley]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Is there any reason why Mozilla doesn't default to using TLS for mail when
available?  Changing the default for "Use secure connection" from "No" to "TLS,
if available" would make Mozilla possibly more secure (no plaintext passwords or
emails between the client and the server, for servers that support it) and
should have little, if any, impact on compability.

This change could be made for SMTP now; for IMAP and POP3, it would have to
await bugs 60377 and 218902, respectively.

Reproducible: Always
Steps to Reproduce:
1. Create a new account.
Actual Results:  
Thunderbird / Mozilla defaults to sending cleartext passwords.

Expected Results:  
Thunderbird / Mozilla should default to using encryption if available.

Comment 1

[Christian Eyrich]

I myself have no objections using TLS if available as default.
Establishing an encrypted link and sending a mail over it does take longer. That
could be the only reason not to use this.

Comment 2

[Mike Cowperthwaite]

In TB 1.0 and current 1.8a6 builds, it appears that this change has been made 
for SMTP -- I see "TLS, if available" selected by default when I add a new SMTP 
server.

xref bug 97161.

Comment 3

[Gervase Markham [:gerv]]

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Comment 4

[Matthew Elvey]

Bug 60377 has been closed.  The 59th and 60th comment on that bug are valuable reading.

Comment 5

[Olaf van der Spek]

I'd like to see TLS enabled by default too.

Comment 6

[rsx11m]

While I definitely agree with having the maximum level of security available by default, the larger context of this is the initial setup of an account with the account wizard. See bug 221030 (Thunderbird) and bug 80919 (Mozilla Suite / SeaMonkey) on this. The underlying problem also involves identifying the correct port and possible other encryption support (SSL) if TLS is not available.

(In reply to comment #2)
> In TB 1.0 and current 1.8a6 builds, it appears that this change has been made 
> for SMTP -- I see "TLS, if available" selected by default when I add a new SMTP 
> server.

This is the case for the user interface in the SMTP account settings dialog, but I think that the account wizard is still setting it up on port 25 without any encryption.

(In reply to comment #4)
> Bug 60377 has been closed.  The 59th and 60th comment on that bug are valuable
> reading.

This has been 2 years, no indication in that bug report though whether or not this IMAP/TLS issue has been resolved.