Closed Bug 543618 Opened 11 years ago Closed 8 years ago

Check whether server offers SSL and encrypted passwords

Categories

(Webtools :: ISPDB Server, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: BenB, Unassigned)

References

Details

Attachments

(1 file, 1 obsolete file)

We should have an automatic check that checks which ports are open and whether a server provides SSL/TLS on a special SSL port, or STARTTLS on the normal port, and whether it allows encrypted passwords via AUTH CRAM-MD5.

The implementation will be protocol-specific for IMAP, POP3 and SMTP. We already have a chrome-JS-based implementation in TB, we might be able to reuse that, if we can use Mozilla.
What does the test help with? It prevents us from adding a config which is less secure than possible. That, in turn, protects our users from password and mail sniffing.
(And it frees us reviewers from having to do this check manually with openssl and netcat and entering protocol commands manually.)

Auth checks are described on <https://wiki.mozilla.org/MailServerList#Secure_Auth>
> We already have a chrome-JS-based implementation in TB, we might be
> able to reuse that, if we can use Mozilla.

Shouldn't be hard with xpcshell. The JS code is designed for that.
This is an xpcshell script which can use the same JavaScript code that Thunderbird's Account Wizard uses to
a) guess the config or
b) to probe a given server hostname for SSL and authentication schemes.

It's just a stub that can only fetch the config from the ISP DB, but that's already a good start, because it cost me all day to just load the JS modules and allow async network calls in xpcshell.
The guessConfig() function never calls the callback. This might be because
a) the nsISocket event queue works differently than the normal Necko channels, or
b) there's an uncaught exception somewhere.
A cheaper way would be to do:
echo "EHLO foo" | netcat hostname 587 | grep "STARTTLS"
echo "1 capability" | netcat hostname 143 | grep "STARTTLS"
echo "CAPA" | netcat hostname 110 | grep "STLS"

openssl s_client -connect hostname:587 -starttls smtp (and similar), and openssl s_client -connect hostname:995/993/465, wait until SMTP: "250 .*" / POP: "+OK .*" / IMAP: "\* OK .*", IMAP: "1 capability" / POP: "CAPA" / SMTP: "EHLO foo" then grep "AUTH.*PLAIN" or "AUTH.*LOGIN" or "AUTH.*CRAM-MD5".

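The STARTTLS/AUTH probe sketched in the netcat and openssl commands above, written up as an added Python example (not code from this bug or the ISPDB project): it parses the three protocols' capability replies, flags a server where only a plaintext password would work, and includes a live probe of the plain port. The hostnames and sample replies are constructed, not captured from any real server.

```python
import re
import socket

# Probe table: plain port that may offer STARTTLS, the capability command, a regex for the
# line that ends the reply, and the token that advertises STARTTLS (POP3 calls it STLS).
PROBES = {
    "smtp": (587, b"EHLO probe.invalid\r\n", re.compile(r"^250 "), "STARTTLS"),
    "imap": (143, b"a1 CAPABILITY\r\n", re.compile(r"^a1 "), "STARTTLS"),
    "pop3": (110, b"CAPA\r\n", re.compile(r"^\.$"), "STLS"),
}

def parse_capabilities(proto, text):
    """Return (starttls_offered, set of SASL AUTH mechanisms) from banner plus capability reply."""
    tls_token = PROBES[proto][3]
    upper, mechs = text.upper(), set()
    for line in upper.splitlines():
        line = line.strip()
        if proto == "smtp":                                 # "250-AUTH PLAIN LOGIN CRAM-MD5"
            m = re.match(r"250[ -]AUTH[ =](.+)", line)
            if m:
                mechs.update(m.group(1).split())
        elif proto == "imap":                               # "* CAPABILITY ... AUTH=PLAIN AUTH=CRAM-MD5"
            mechs.update(re.findall(r"AUTH=([A-Z0-9_-]+)", line))
        elif proto == "pop3" and line.startswith("SASL "):  # "SASL PLAIN CRAM-MD5"
            mechs.update(line[5:].split())
    return bool(re.search(r"\b%s\b" % tls_token, upper)), mechs

def assess(proto, text):
    """The reviewer's question: can the password stay off the wire in clear (STARTTLS or CRAM-MD5)?"""
    starttls, mechs = parse_capabilities(proto, text)
    return {"starttls": starttls, "auth": sorted(mechs),
            "plaintext_password_only": not starttls and "CRAM-MD5" not in mechs}

def probe(host, proto, timeout=10):
    """Live probe of the plain port: read the greeting, send the capability command, read until done."""
    port, cmd, done, _ = PROBES[proto]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        buf = s.recv(4096)                # greeting; IMAP/POP3 servers may list capabilities here
        s.sendall(cmd)
        while not any(done.match(l) for l in buf.decode("latin-1").splitlines()):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return assess(proto, buf.decode("latin-1"))

# Constructed sample replies (not from any real server) so the parser can be exercised offline.
SAMPLE_SMTP = ("220 mail.example.invalid ESMTP\r\n250-mail.example.invalid\r\n250-STARTTLS\r\n"
               "250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME\r\n")
SAMPLE_IMAP = "* OK IMAP4rev1 ready\r\n* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5\r\na1 OK done\r\n"
SAMPLE_POP3 = "+OK ready\r\n+OK\r\nSTLS\r\nSASL PLAIN CRAM-MD5\r\nUSER\r\n.\r\n"
```

This only covers the plain ports; the dedicated SSL ports (465/993/995) still need the separate openssl s_client handshake check described above.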
I still prefer to reuse the Mozilla code.
Blocks: 551492
This has been fixed in https://github.com/mozilla/ispdb/pull/7
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Component: ispdb → ISPDB Server
Product: Mozilla Messaging → Webtools