Open Bug 647046 Opened 14 years ago Updated 4 months ago

[autoconfig] guess: first try email address as username

Categories

(Thunderbird :: Account Manager, defect)

Tracking

(Not tracked)

People

(Reporter: BenB, Unassigned)

Details

(Whiteboard: duptome)

Attachments

(1 file)

When guessing a config, we first try the local part of the email address as IMAP/POP3 username, and if a login using that fails, we try using the full email address as username. -- If I'm reading the code right.

We should change this to try the full email address first. It contains more information, and all servers *can* support that. Many servers *do* converge to support, actually. Also, RFC 6186, sec 4, para. 4 mandates (MUST) that.

The relevant code is verifyConfig.js (not guessConfig.js), and the calling code.
Whiteboard: duptome
RFC 6186 requires that the email address is first used as the username:

> Once a suitable connection has been made, and any required protection set up, the MUA will typically need to authenticate with the IMAP, POP3, or SMTP (submission) server. The details of that are governed by the specific protocols themselves, though often times a "user identifier" is required for some form of user/password authentication. When a user identifier is required, MUAs MUST first use the full email address provided by the user, and if that results in an authentication failure, SHOULD fall back to using the "local-part" extracted from the email address. This is in line with the guidance outlined in Section 5. If both these user identifiers result in authentication failure, the MUA SHOULD prompt the user for a valid identifier.

verifyConfig tries the username first and if the username is not equal to the email address, tries the email address as well.

It would be possible to detect whether the username is an email address and try both the email address and the local part of the email address as the username. However, this is non-intuitive and may leak private data. Therefore, verifyConfig should only try the username displayed in the wizard.
Comment on attachment 8542409: autoconfig-use-email-address-as-default-username.patch

Setting f? so people see this.
Attachment #8542409 - Flags: feedback?(mkmelin+mozilla)
Comment on attachment 8542409: autoconfig-use-email-address-as-default-username.patch

Review of attachment 8542409:

Matthias: sorry for the awful delay on this.

Given that the RFC states we SHOULD fall back to local-part, I think we should do that. Why do you think that would leak information? non-intuitive or not, it's pretty common I think.
Attachment #8542409 - Flags: feedback?(mkmelin+mozilla)
(In reply to Magnus Melin [:mkmelin] from comment #3)
> Comment on attachment 8542409
> autoconfig-use-email-address-as-default-username.patch
>
> Review of attachment 8542409:
>
> Matthias: sorry for the awful delay on this.
>
> Given that the RFC states we SHOULD fall back to local-part, I think we
> should do that. Why do you think that would leak information? non-intuitive
> or not, it's pretty common I think.
Flags: needinfo?(ott)
Comment on attachment 8542409: autoconfig-use-email-address-as-default-username.patch

As stated in the initial description, I agree we should try email address first, then try only username. The patch doesn't do that, though. It never tries the username only. That would mean that we fail to log in to servers that worked so far. That needs to be fixed.

The emailWizard.js parts of the patch are fine with me. The verifyConfig.js part is not.

----

re leak: There is no leak of information. We derive the username from the email address. Even if the config contains the username, it is supposed to be for that server. Finally, this is the server that's supposed to handle the user's email. Once we're here, the user has already approved that the server is fine. Sending the username there is not an issue.
Flags: needinfo?(ott)
Attachment #8542409 - Flags: review-
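The login order requested in the review above (RFC 6186, section 4: full email address first, local-part as fallback, then prompt the user), as an added example that is not part of this bug or the attached patch. `usernameCandidates`, `verifyLogin` and the `tryLogin` callback are hypothetical names standing in for the real login probe, and the sample servers are constructed.

```javascript
"use strict";

// Hypothetical helper, not Thunderbird's verifyConfig.js: builds the ordered
// list of user identifiers from RFC 6186, section 4.
function usernameCandidates(emailAddress) {
  const email = emailAddress.trim();
  const at = email.lastIndexOf("@"); // the domain part never contains "@"
  if (at <= 0 || at === email.length - 1) {
    throw new Error("not an email address: " + emailAddress);
  }
  // MUST: full email address first. SHOULD: local-part as the fallback.
  return [email, email.slice(0, at)];
}

// tryLogin(username) is an assumed callback standing in for the IMAP/POP3
// login probe. It returns "ok" or "auth-failed" and throws on anything else
// (network error, TLS failure); such errors propagate and do not trigger
// the fallback, which is reserved for authentication failures.
function verifyLogin(emailAddress, tryLogin) {
  const attempted = [];
  for (const username of usernameCandidates(emailAddress)) {
    attempted.push(username);
    const result = tryLogin(username);
    if (result === "ok") {
      return { username, attempted };
    }
    if (result !== "auth-failed") {
      throw new Error("unexpected login result: " + result);
    }
  }
  // Both identifiers were rejected: the caller SHOULD prompt the user.
  return { username: null, attempted };
}

// Constructed sample servers, for illustration only.
const acceptsFullAddress = (u) => (u === "fred@example.com" ? "ok" : "auth-failed");
const acceptsLocalPartOnly = (u) => (u === "fred" ? "ok" : "auth-failed");
const rejectsEverything = () => "auth-failed";

console.log(verifyLogin("fred@example.com", acceptsFullAddress));
console.log(verifyLogin("fred@example.com", acceptsLocalPartOnly));
console.log(verifyLogin("fred@example.com", rejectsEverything));
```

The `acceptsLocalPartOnly` case is the regression the review calls out: a server that worked so far with the bare username still logs in, one attempt later.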
Also, need to adapt checkIncomingServerAlreadyExists()
and checkOutgoingServerAlreadyExists(), both in createAccountInBackend.js
Severity: normal → S3