Passwords are saved for a hostname / IP, but not for the port

RESOLVED DUPLICATE of bug 41929

Status

Thunderbird
Security
--
major
RESOLVED DUPLICATE of bug 41929
8 years ago
7 years ago

People

(Reporter: onlywebmail, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Build Identifier: 

Hello,
it seems, that passwords used for SMTP (sending mails) are saved in a way, that they belong to the hostname or IP of the SMTP server, but without taking into account the PORT that is used!

That means, 10.20.30.40:993 will save to the same slot as 10.20.30.40:994 or localhost:120 to the same as localhost:500

This is a problem in two areas:

1) When you have running more that one SMTP server on a host.
2) When you are running TB over a ssh-tunnel and access the server over ports on localhost that are tunneled to different serves.

I know many people who run TB over ssh-tunnels!
And even two, who use SMTP servers on different ports of the same host.

Therefor, i would like to see this bug fixed.

It´s a bug because it requires constant re-typing of passwords while switching between mail-accounts.

Thank you.


Reproducible: Always

Steps to Reproduce:
1. Use two SMTP-Servers running on the same host using different ports or use a ssh-tunnel to use "localhost" and different ports to tunnel to different SMTP-servers.
2. Write a mail on both servers, getting asked for the passwords and save them
3. Switch back to the first server and send a new mail - you will be asked again for the password. Switch again and this happens again - endlessly
Actual Results:  
Passwords will not be saved correctly

Expected Results:  
Passwords should be saved correctly, so that you don´t need to type them in all of the say
Following is an entry in Mozilla/Sm1's xxxxx.s file.
> smtp://yatter.one%40gmail.com@smtp.gmail.com
> \=username=\
> ~
> *\=password=\
> ~d2FkYTMyMTY=
> .
I believe new password manager also uses similar key(protocol + username + hostname), because multiple SMTP accounts(different username) on same server, same or different port, works very well.

Same server name(same IP address), different port, *SAME* username and different password(or no username=no SMTP-AUTH)?
If so, it's known/old issue, and known workaround is:
  1. Use server name for first SMTP account
  2. Use IP address for second SMTP account
  3. Define entries(local hostname) in hosts file,
     and define other SMTP accounts with the local hostname.
  I dont't know 2/3 works with SSL or not.

Why so many SMTP servers with such characteristics are required?
Many of SMTP servers allow mail addresses of other provider in From:, if SMTP AUTH is properly done. Your SMTP servers allow assigend mail address only as From:? Or "sender domain authentication" is always mandatory in your environment? Or you need to bypass company's security policy using SSL tunnel?
Following is entry name(key) in xxxx.s of Sm1. 
> 192.168.0.1:80 (Aterm)
> aterm:80 (Aterm)       "aterm" is placed in my hosts with 192.168.0.1
192.168.0.1 is ADSL modem's IP address. Port=80 is for management panel.
I believe key of (protocol + username + hostname + port) is reasonable request. But, if it's forced on SMTP account, user is forced to enter password upon port number change from 25 to 587 due to Oubound Port 25 Blocking and upon port number change by change of None<->StartTLS<->SSL/TLS. I think port# use in key for SMTP/POP3/IMAP should be optional.
Component: General → Security
QA Contact: general → thunderbird

Comment 3

8 years ago
This bug is probably a duplicate of bug 41929.
Essentially, the problem is that username/hostname is the identifier for servers (even smtp servers), so port name doesn't factor into it. Basically, bug 41929
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 41929
You need to log in before you can comment on or make changes to this bug.