423423 2020-06-24 08:07:22 +0000 STARTTLS is ignored when "Server requires authentication" not checked in UI 2021-09-23 19:39:38 +0000 1 1 2 Applications kmail2 general 5.13.3 Other Linux RESOLVED FIXED NOR major --- 1 93s4m32gd2ab8ax6 pim-bugs-null montel rdieter sknauss https://invent.kde.org/pim/ksmtp/commit/60f73c69758fe40a027a8e7402127d085f18545a 0 oldest_to_newest 1939459 0 93s4m32gd2ab8ax6 2020-06-24 08:07:22 +0000 The STARTTLS option of SMTP is ignored, when "Server requires authentication" is not checked. In this case kmail will send any mail in cleartext. Tested with kmail2 5.13.3 (19.12.3). 2050389 1 93s4m32gd2ab8ax6 2021-08-02 14:22:28 +0000 May I ask for an update? To be clear: we think that this is a securtiy vulnerability. 2050401 2 montel 2021-08-02 14:46:06 +0000 (In reply to Damian Poddebniak from comment #1) > May I ask for an update? To be clear: we think that this is a securtiy > vulnerability. "We" ? who is "we" ? 2050405 3 93s4m32gd2ab8ax6 2021-08-02 14:50:35 +0000 Ah sorry :-) I wrote that comment without thinking too much. We (me and some colleagues) performed a STARTTLS test some months ago, reported multiple vulnerabilities and are now in the process to consolidate the still open bugs. 2060249 4 sknauss 2021-09-10 19:22:37 +0000 The vulnerable is now published under https://nostarttls.secvuln.info/ 2062788 5 vkrause 2021-09-21 17:26:49 +0000 Git commit 38a4c09427f3fdc04f9893f8eda3f6807d9a3203 by Volker Krause. Committed on 21/09/2021 at 16:18. Pushed by knauss into branch 'master'. Move establishing the TLS connection to Session This means we now also enable TLS when not having a LoginJob, ie. on servers not requiring authentication. Doing the same for STARTTLS is the next step then. M +0 -2 src/loginjob.cpp M +1 -11 src/session.cpp M +11 -2 src/sessionthread.cpp M +2 -0 src/sessionthread_p.h https://invent.kde.org/pim/ksmtp/commit/38a4c09427f3fdc04f9893f8eda3f6807d9a3203 2063137 6 bug-janitor 2021-09-22 15:31:08 +0000 A possibly relevant merge request was started @ https://invent.kde.org/pim/ksmtp/-/merge_requests/8 2063484 7 vkrause 2021-09-23 19:39:38 +0000 Git commit 60f73c69758fe40a027a8e7402127d085f18545a by Volker Krause. Committed on 23/09/2021 at 16:02. Pushed by knauss into branch 'master'. Move STARTTLS setup from LoginJob to Session This is now done immediately after opening the connection, independent of whether there is a LoginJob at all. M +5 -28 src/loginjob.cpp M +15 -2 src/session.cpp M +1 -0 src/session_p.h https://invent.kde.org/pim/ksmtp/commit/60f73c69758fe40a027a8e7402127d085f18545a