Summary: | SMTP password(s) should be optionally cached | ||
---|---|---|---|
Product: | [Applications] kdepimlibs | Reporter: | Malte S. Stretz <mss> |
Component: | mailtransport | Assignee: | Tom Albers <toma> |
Status: | RESOLVED INTENTIONAL | ||
Severity: | wishlist | CC: | jtamate, kdepim-bugs, toma |
Priority: | NOR | Keywords: | triaged |
Version: | 4.1 | ||
Target Milestone: | --- | ||
Platform: | unspecified | ||
OS: | Linux | ||
Description
Malte S. Stretz
2008-11-09 13:50:46 UTC
This is a wishlist, so it is up to the developers to implement it or not. But general advice from the security point of view is to block the session when you go for a coffee; that way you can increase the inactivity time of kwallet and not be asked for the password every time you send a mail. Also, you could configure kwallet to allow free access to kmail, but to ask for a password for every other application (see kwallet preferences).

Sending a mail in your name could be as bad as knowing all your passwords, because:

* you could send a p0rn mail to your boss.
* you could send an email to the competitors.
* .....

Best Regards.

Access to my mail account only is not as bad as access to all my passwords. And with the same argument you could say that access to my IMAP account (which includes a lot of personal information which can as well be used for a joe-job) is as bad as access to the SMTP as well, so IMAP connections should be closed with the wallet.

Apart from that, KMail currently makes the complete option "Close when unused for N seconds" completely useless for me. I admit though that locking the screen is the way to go, but then the whole option is useless as well :)

And nope, you can't configure KMail to have access to the wallet without a password while everybody else requires a password. That's technically impossible. All you can decide is whether an application has access at all.

KWallet gives you the possibility to give access to certain applications. I think that covers most of this wish. It is far better than applications caching passwords. If KWallet does not fulfill your wish, please report a bug against it with a clear idea how to solve it. Thanks Jaime for your reply.

Well, thanks for the reply. As I wrote before, I don't really see the difference between caching the IMAP password (or using a persistent connection) and caching the SMTP password. Hmmm... would you accept a patch for persistent SMTP connections? :)

KWallet only allows you to completely disallow applications from accessing the wallet; once allowed, e.g. KWalletManager, it has access (or the user can simply change the config to make it allowed). Everything else is technically impossible and I doubt I can file a sane report against KWallet for this.

But in the end it's your decision, so I've got to work around KMail's shortcomings. I can't just work around the problem by using sendmail because I've gotta save the password in plain on the hard disk then, making the treatment for the symptom worse than it was without it.

I guess I'll just disable the "Close when unused for N seconds" feature in KWallet again. That's unfortunate because I lose some security. But typing in the wallet password all the time just gets on my nerves. And it is actually less secure than caching the password, because each time I type the password somebody could peek above my shoulder, while getting his hands on the password stored in RAM is a lot harder.

Your wish is valid, but we differ about where to fix it. I think the password handling belongs to KWallet, so if there is an option that you miss in KWallet it should be fixed up there. It is not up to each and every application to reimplement password handling. So I really would like you to think about an option for KWallet that solves it for you. I know you can have different wallets in there, but I don't know if that could solve it.

There is some Bluetooth proximity software, which locks the screen when you move away from your computer; maybe that's a nice tip too.