Bug 423423

Summary: STARTTLS is ignored when "Server requires authentication" not checked in UI
Product: [Applications] kmail2 Reporter: Damian Poddebniak <93s4m32gd2ab8ax6>
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED    
Severity: major CC: montel, rdieter, sknauss
Priority: NOR    
Version: 5.13.3   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: https://invent.kde.org/pim/ksmtp/commit/60f73c69758fe40a027a8e7402127d085f18545a Version Fixed In:
Sentry Crash Report:

Description Damian Poddebniak 2020-06-24 08:07:22 UTC 
The STARTTLS option of SMTP is ignored, when "Server requires authentication" is not checked. In this case kmail will send any mail in cleartext.

Tested with kmail2 5.13.3 (19.12.3).
Comment 1 Damian Poddebniak 2021-08-02 14:22:28 UTC 
May I ask for an update? To be clear: we think that this is a securtiy vulnerability.
Comment 2 Laurent Montel 2021-08-02 14:46:06 UTC 
(In reply to Damian Poddebniak from comment #1)
> May I ask for an update? To be clear: we think that this is a securtiy
> vulnerability.


"We" ? who is "we" ?
Comment 3 Damian Poddebniak 2021-08-02 14:50:35 UTC 
Ah sorry :-) I wrote that comment without thinking too much. We (me and some colleagues) performed a STARTTLS test some months ago, reported multiple vulnerabilities and are now in the process to consolidate the still open bugs.
Comment 4 Sandro Knauß 2021-09-10 19:22:37 UTC 
The vulnerable is now published under https://nostarttls.secvuln.info/
Comment 5 Volker Krause 2021-09-21 17:26:49 UTC 
Git commit 38a4c09427f3fdc04f9893f8eda3f6807d9a3203 by Volker Krause.
Committed on 21/09/2021 at 16:18.
Pushed by knauss into branch 'master'.

Move establishing the TLS connection to Session

This means we now also enable TLS when not having a LoginJob, ie. on
servers not requiring authentication.

Doing the same for STARTTLS is the next step then.

M  +0    -2    src/loginjob.cpp
M  +1    -11   src/session.cpp
M  +11   -2    src/sessionthread.cpp
M  +2    -0    src/sessionthread_p.h

https://invent.kde.org/pim/ksmtp/commit/38a4c09427f3fdc04f9893f8eda3f6807d9a3203
Comment 6 Bug Janitor Service 2021-09-22 15:31:08 UTC 
A possibly relevant merge request was started @ https://invent.kde.org/pim/ksmtp/-/merge_requests/8
Comment 7 Volker Krause 2021-09-23 19:39:38 UTC 
Git commit 60f73c69758fe40a027a8e7402127d085f18545a by Volker Krause.
Committed on 23/09/2021 at 16:02.
Pushed by knauss into branch 'master'.

Move STARTTLS setup from LoginJob to Session

This is now done immediately after opening the connection, independent
of whether there is a LoginJob at all.

M  +5    -28   src/loginjob.cpp
M  +15   -2    src/session.cpp
M  +1    -0    src/session_p.h

https://invent.kde.org/pim/ksmtp/commit/60f73c69758fe40a027a8e7402127d085f18545a