Closed
Bug 543618
Opened 16 years ago
Closed 13 years ago
Check whether server offers SSL and encrypted passwords
Categories
(Webtools :: ISPDB Server, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: BenB, Unassigned)
References
Details
Attachments
(1 file, 1 obsolete file)
6.31 KB, application/javascript
We should have an automatic check that checks which ports are open and whether a server provides SSL/TLS on a special SSL port, or STARTTLS on the normal port, and whether it allows encrypted passwords via AUTH CRAM-MD5.
The implementation will be protocol-specific for IMAP, POP3 and SMTP. We already have a chrome-JS-based implementation in TB, we might be able to reuse that, if we can use Mozilla.
Comment 1 • 16 years ago (Reporter)
What does the test help with? It prevents us from adding a config which is less secure than possible. That, in turn, protects our users from password and mail sniffing.
Comment 2 • 16 years ago (Reporter)
(And it frees us reviewers from having to do this check manually with openssl and netcat and entering protocol commands manually.)
Auth checks are described on <https://wiki.mozilla.org/MailServerList#Secure_Auth>
Comment 3 • 16 years ago (Reporter)
> We already have a chrome-JS-based implementation in TB, we might be
> able to reuse that, if we can use Mozilla.
Shouldn't be hard with xpcshell. The JS code is designed for that.
Comment 4 • 16 years ago (Reporter)
This is an xpcshell script which can use the same JavaScript code that Thunderbird's Account Wizard uses to
a) guess the config or
b) to probe a given server hostname for SSL and authentication schemes.
It's just a stub that can only fetch the config from the ISP DB, but that's already a good start, because it cost me all day to just load the JS modules and allow async network calls in xpcshell.
Comment 5 • 16 years ago (Reporter)
Attachment #427368 -
Attachment is obsolete: true
Comment 6 • 16 years ago (Reporter)
The guessConfig() function never calls the callback. This might be because
a) the nsISocket event queue works differently than the normal Necko channels, or
b) there's an uncaught exception somewhere.
Comment 7 • 16 years ago (Reporter)
A cheaper way would be to do,
echo "EHLO foo" | netcat hostname 587 | grep "STARTTLS"
echo "1 capability" | netcat hostname 143 | grep "STARTTLS"
echo "CAPA" | netcat hostname 110 | grep "STLS"
openssl s_client -connect hostname:587 -starttls smtp (and similar), and openssl s_client -connect hostname:995/993/465, wait until SMTP: "250 .*" / POP: "+OK .*" / IMAP: "\* OK .*", IMAP: "1 capability" / POP: "CAPA" / SMTP: "EHLO foo" then grep "AUTH.*PLAIN" or "AUTH.*LOGIN" or "AUTH.*CRAM-MD5".
I still prefer to reuse the Mozilla code.
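The checks discussed in this bug, as an added example that is not part of the thread and is not the Mozilla or ISPDB code: it parses the replies to `EHLO`, `1 capability` and `CAPA` token by token instead of grepping, then flags a proposed config that is less secure than what the server offers. The sample replies are constructed, and the config shape (`socketType`, `encryptedPassword`) and function names are assumptions made for this example.

```javascript
// Added example: constructed capability replies, not captured from a real server.
const SAMPLES = {
  smtp: "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n" +
        "250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME\r\n",
  imap: "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=CRAM-MD5\r\n1 OK done\r\n",
  pop3: "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSASL PLAIN LOGIN\r\n.\r\n",
};

// Pull capability tokens out of one line of a reply to EHLO / CAPABILITY / CAPA.
function capabilityTokens(protocol, line) {
  const upper = line.trim().toUpperCase();
  if (protocol === "smtp") {
    const m = /^250[- ](.*)$/.exec(upper);
    if (!m) return [];
    const [keyword, ...args] = m[1].split(/[ =]+/); // also accepts the "AUTH=LOGIN" form
    return keyword === "AUTH" ? args.map(a => "AUTH=" + a) : [keyword];
  }
  if (protocol === "imap") {
    const m = /^\* CAPABILITY (.*)$/.exec(upper);
    return m ? m[1].split(/ +/) : [];
  }
  // POP3 CAPA: one capability per line; SASL lists mechanisms, STLS means STARTTLS.
  const [keyword, ...args] = upper.split(/ +/);
  if (keyword === "SASL") return args.map(a => "AUTH=" + a);
  return keyword === "STLS" ? ["STARTTLS"] : [];
}

// Summarise what the server offers on its normal (non-SSL) port.
function parseCapabilities(protocol, response) {
  const tokens = response.split(/\r?\n/).flatMap(l => capabilityTokens(protocol, l));
  const auth = tokens.filter(t => t.startsWith("AUTH=")).map(t => t.slice(5));
  return { starttls: tokens.includes("STARTTLS"), auth: [...new Set(auth)].sort() };
}

// Report where a proposed config (hypothetical shape) is weaker than the server allows.
function findWeakerThanOffered(config, caps) {
  const findings = [];
  if (config.socketType === "plain" && caps.starttls)
    findings.push("server offers STARTTLS but config uses no transport encryption");
  if (!config.encryptedPassword && caps.auth.includes("CRAM-MD5"))
    findings.push("server offers CRAM-MD5 but config sends the password in clear");
  return findings;
}
```

Matching whole tokens avoids a false hit when a keyword only appears inside another word, such as a greeting hostname, which a plain grep over the reply would accept.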
Comment 8 • 13 years ago
This has been fixed in https://github.com/mozilla/ispdb/pull/7
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 12 years ago (Assignee)
Component: ispdb → ISPDB Server
Product: Mozilla Messaging → Webtools