Bug 423426

Summary: POP3 setup wizard defaults to unencrypted connections.
Product: [Applications] kmail2 Reporter: Damian Poddebniak <93s4m32gd2ab8ax6>
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: aacid, asturm, lbeltrame, montel, sknauss
Priority: NOR    
Version: 5.16.3   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: https://invent.kde.org/pim/kdepim-runtime/commit/35447bd04e8c12afac524e1c4556ef3db088e014 Version Fixed In: 5.19.0
Sentry Crash Report:

Description Damian Poddebniak 2020-06-24 09:08:47 UTC 
The setup wizard in kmail defaults to unencrypted connections. When the user clicks on "Check Mail" after the setup, the username and password are sent in the clear. I have not found a way to tell kmail in the manual configuration to use implicit TLS or STARTTLS. 

What is even worse: assuming you know about that and try to configure STARTTLS directly after the setup. In this case it happens that future connections still happen unencrypted, even though the UI tells otherwise. I clicked on "Restart" in the UI several times and also restarted Akonadi and KMail. In this case, I found that POP3 was once even reset back to "Unencrypted". After few more tries it seems to have settled down to use STARTTLS.

I am using NixOS with kmail2 5.13.3 (19.12.3).
Comment 1 Damian Poddebniak 2020-06-24 09:13:44 UTC 
This is also related to https://bugs.kde.org/show_bug.cgi?id=423423 as the POP3 setup will not set "Server requires authentication" per default.
Comment 2 Damian Poddebniak 2020-06-24 12:32:18 UTC 
Related: https://bugs.kde.org/show_bug.cgi?id=389427 (but for IMAP)
Comment 3 Laurent Montel 2020-07-28 11:35:59 UTC 
Git commit bd64ab29116aa7318fdee7f95878ff97580162f2 by Laurent Montel.
Committed on 28/07/2020 at 11:35.
Pushed by mlaurent into branch 'release/20.08'.

Fix Bug 423426 - POP3 setup wizard defaults to unencrypted connections

Make sure to use TLS when we create it

M  +1    -1    resources/pop3/wizard/pop3wizard.es

https://invent.kde.org/pim/kdepim-runtime/commit/bd64ab29116aa7318fdee7f95878ff97580162f2
Comment 4 Laurent Montel 2020-07-28 11:53:02 UTC 
Git commit a64d80e523edce7d3d59c26834973418fae042f6 by Laurent Montel.
Committed on 28/07/2020 at 11:52.
Pushed by mlaurent into branch 'release/20.08'.

Show info about encryption/authentication settings

M  +15   -3    src/transport.cpp
M  +2    -0    src/transport.h

https://invent.kde.org/pim/kmail-account-wizard/commit/a64d80e523edce7d3d59c26834973418fae042f6
Comment 5 Albert Astals Cid 2021-10-18 20:35:03 UTC 
Laurent should this be marked as fixed?

One of your commits says "Fix 423426" but this is not marked as fixed yet.
Comment 6 Laurent Montel 2021-10-19 08:27:07 UTC 
Good question. I will investigate if I fixed all bugs here.
Comment 7 Sandro Knauß 2021-10-27 15:02:48 UTC 
It is a CVE assigned for this bugreport: CVE-2020-15954.
https://nostarttls.secvuln.info/ sees this as fixed in 20.08. Debian follows the bugreport and the information of the CVE and maked that to be closed: https://security-tracker.debian.org/tracker/CVE-2020-15954
Comment 8 Sandro Knauß 2021-11-11 15:00:31 UTC 
This was rechecked from the NO STARTTLS team with the current version 5.18.3 and this bug still present:

"I have retested the most recent release version 5.18.3 (21.08.3) on Arch 
Linux for the POP3 issue, but it seems that the issue is still present 
there. This includes the default of plain text and the config showing 
encrypted even though KMail still connects in plaintext 
(CVE-2020-15954)."
Comment 9 Laurent Montel 2021-11-12 07:19:12 UTC 
Ok I need to fix wizard pop3 .
I work on it
Comment 10 Laurent Montel 2021-11-12 12:10:42 UTC 
Git commit 35447bd04e8c12afac524e1c4556ef3db088e014 by Laurent Montel.
Committed on 12/11/2021 at 12:09.
Pushed by mlaurent into branch 'release/21.12'.

Fix POP3 setup wizard defaults to unencrypted connections.

Now I check encrypt support when I create resource.
So if resource support starttls it will set option for it.
FIXED-IN: 5.19.0

M  +61   -12   resources/pop3/wizard/pop3wizard.es

https://invent.kde.org/pim/kdepim-runtime/commit/35447bd04e8c12afac524e1c4556ef3db088e014