Master Password not entered - yet mail can be sent?

RESOLVED DUPLICATE of bug 318697

Status

Thunderbird
Security
RESOLVED DUPLICATE of bug 318697
11 years ago
9 years ago

People

(Reporter: B. Switzer, Assigned: dveditz)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: 1.5.0.10 (20070221)

To fetch mail, I have to enter my master password.

Shouldn't I have to if I send mail too? Particularly if authentication is required to connect to the smtp server! No password is asked for.

e.g. Hit a mailto link in a web page, or just send before retrieving. Off it goes. If I then retrieve mail - _then_ it asks for the master password.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
(Assignee)

Comment 1

11 years ago
If you didn't need to enter the master password then the SMTP server did not ask for a password. Many ISPs seem to be set up this way for customers accessing the server from a company-run IP address (dial-up or broadband). They use a password for external IP addresses to allow traveling customers to send mail while preventing spam relaying.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → INVALID
(Reporter)

Comment 2

11 years ago
You may be missing the point ...

The (security) point of having a master password is so nobody can fetch your mail. By the same token, nobody should be allowed to send as you without having entered a password.

The fact that someone can read your already fetched mail without the master password, well, serves you right for walking away without locking the computer.

Which, although is an argument for not having a master password at all, if you need one to fetch mail, you should need one to send it too.
(Reporter)

Updated

11 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
(Assignee)

Comment 3

11 years ago
Er, no -- the point of the Master Password is to securely lock your saved passwords (and certificates, but that doesn't come into play here). If nothing asks for a password then Thunderbird doesn't need to ask for the Master Password to unlock it.

Note that unsigned mail is completely insecure by design -- anyone anywhere can send mail claiming to be from you. You probably get virus/spam bounces rejecting mail you supposedly sent to someone else's mail account that proves that much.

You can bug your ISP to password protect their SMTP server.

You can add your voice to the people asking for password-protected local profiles, but that's a different bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago11 years ago
Resolution: --- → INVALID
Resolution: INVALID → DUPLICATE
Duplicate of bug: 318697
You need to log in before you can comment on or make changes to this bug.