Closed Bug 543618 Opened 11 years ago Closed 8 years ago
Check whether server offers SSL and encrypted passwords
We should have an automatic check that checks which ports are open and whether a server provides SSL/TLS on a special SSL port, or STARTTLS on the normal port, and whether it allows encrypted passwords via AUTH CRAM-MD5. The implementation will be protocol-specific for IMAP, POP3 and SMTP. We already have a chrome-JS-based implementation in TB, we might be able to reuse that, if we can use Mozilla.
What does the test help with? It prevents us from adding a config which is less secure than possible. That, in turn, protects our users from password and mail sniffing.
(And it frees us reviewers from having to do this check manually with openssl and netcat and entering protocol commands manually.) Auth checks are described on <https://wiki.mozilla.org/MailServerList#Secure_Auth>.
> We already have a chrome-JS-based implementation in TB, we might be
> able to reuse that, if we can use Mozilla.

Shouldn't be hard with xpcshell. The JS code is designed for that.
The guessConfig() function never calls the callback. This might be because a) the nsISocket event queue works differently than the normal Necko channels, or b) there's an uncaught exception somewhere.
A cheaper way would be to do,

  echo "EHLO foo" | netcat hostname 587 | grep "STARTTLS"
  echo "1 capability" | netcat hostname 143 | grep "STARTTLS"
  echo "CAPA" | netcat hostname 110 | grep "STLS"
  openssl s_client -connect hostname:587 -starttls smtp (and similar), and
  openssl s_client -connect hostname:995/993/465,

wait until SMTP: "250 .*" / POP: "+OK .*" / IMAP: "\* OK .*",
IMAP: "1 capability" / POP: "CAPA" / SMTP: "EHLO foo"
then grep "AUTH.*PLAIN" or "AUTH.*LOGIN" or "AUTH.*CRAM-MD5".

I still prefer to reuse the Mozilla code.
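The capability checks from the comment above, as an added example that is not part of the bug or the ISPDB code: it parses SMTP EHLO, IMAP CAPABILITY and POP3 CAPA replies and flags a submitted config that is less secure than what the server offers. The sample replies are constructed, the function names are hypothetical, and the `socket_type` and `auth` values are assumed config values; it goes slightly beyond the greps by also reading POP3's SASL line.

```python
import re

def parse_capabilities(protocol, response):
    """Return (starttls_offered, auth_mechanisms) from a capability reply."""
    starttls, mechs = False, set()
    for line in response.upper().splitlines():
        if protocol == "imap":
            # Untagged "* CAPABILITY ..." reply, or "[CAPABILITY ...]" in the greeting.
            m = re.match(r"\*.*?\bCAPABILITY\b([^\]]*)", line)
            caps = m.group(1).split() if m else []
            starttls = starttls or "STARTTLS" in caps
            mechs.update(c[5:] for c in caps if c.startswith("AUTH="))
            continue
        if protocol == "smtp":
            # EHLO reply lines: "250-KEYWORD args" or "250 KEYWORD args".
            m = re.match(r"250[- ](.+)", line)
            words = m.group(1).replace("AUTH=", "AUTH ").split() if m else []
        else:
            # POP3 CAPA reply: one capability per line; SASL lists the mechanisms.
            words = line.split()
        if words[:1] in (["STARTTLS"], ["STLS"]):
            starttls = True
        elif words[:1] in (["AUTH"], ["SASL"]):
            mechs.update(words[1:])
    return starttls, mechs

def review_config(protocol, response, socket_type, auth):
    """List the ways a submitted config is weaker than what the server offers."""
    starttls, mechs = parse_capabilities(protocol, response)
    findings = []
    if socket_type == "plain" and starttls:
        findings.append("server offers STARTTLS but config uses no encryption")
    if auth == "password-cleartext" and "CRAM-MD5" in mechs:
        findings.append("server offers CRAM-MD5 but config sends cleartext password")
    if auth == "password-encrypted" and "CRAM-MD5" not in mechs:
        findings.append("config claims encrypted password but CRAM-MD5 not offered")
    return findings

# Constructed sample replies (not captured from a real server).
SMTP_EHLO = ("250-mail.example.test\r\n250-STARTTLS\r\n"
             "250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME\r\n")
IMAP_CAPS = ("* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\n"
             "1 OK CAPABILITY completed\r\n")
POP3_CAPA = "+OK Capability list follows\r\nUSER\r\nSASL PLAIN CRAM-MD5\r\n.\r\n"

if __name__ == "__main__":
    for proto, reply in (("smtp", SMTP_EHLO), ("imap", IMAP_CAPS), ("pop3", POP3_CAPA)):
        print(proto, review_config(proto, reply, "plain", "password-cleartext"))
```

Capabilities advertised before STARTTLS can differ from those advertised inside the TLS session, so a complete check repeats the capability query after the upgrade.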
This has been fixed in https://github.com/mozilla/ispdb/pull/7
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Component: ispdb → ISPDB Server
Product: Mozilla Messaging → Webtools