Version: 1.9.1 (using KDE KDE 3.5.2) Installed from: Compiled From Sources OS: Linux If using kwallet then kmail shouldn't cache the passwords. If the wallet is open, then kmail can re-read the passwords everytime it is needed. But when the wallet is closed, then probably it is closed for a reason, and the user doesn't want applications to use the passwords. Now if one closes the wallet, it is still possible to use kmail, because it has been cached the password. I think this is an "unsafe" or not expected behaviour. Kmail should always "ask" (of course from kwallet) for the passwords if it is needed.
That would mean KMail would not be able to check email during the night, when people aren't around to reopen the wallet. Not to mention it would be very annoying to type the wallet password every hour or two, without taking any action to initiate a wallet-open.
Well, if someone wants KMail to retrieve mails during the night, then one should not close the wallet. One only need to reopen a wallet if it is closed, but wallets doesn't get closed without a reason. Still, I think if a wallet is closed, then the user does not want to retrieve passwords from it... Again, users only has to type the password (the wallet's password) every hour or two if the wallet is closed.
The point being that KMail checks for mails in the background, in a periodic action, without user interaction. To make that action trigger a password dialog would be very, very annoying.
But there is no password dialog if the wallet is open! And if it is closed, it is closed, because the user does *not* want to retrieve the passwords. It is up to the user to choose: 1. open wallet, reachable passwords (KMail can retrieve mails during the night) 2. closed wallet, unreachable passwords (yes, there will be a password dialog, but this is normal; this would happen if the user would open a webpage in Konqueror with saved passwords, or connect with Kopete). Take Konqueror's functioning for an example: 1) go to a webpage with a password box, then Konqueror will ask for the wallet's password to fill in the password box, and will retrieve the password for the webpage 2) close the wallet 3) go to that webpage again, and Konqueror will ask for the wallet's password (again), because it did not cache the password (thank god). This is completely acceptable and sane functioning. And consider this situation: Let's say I have a friend. Not a too close friend, but I allow him to use my computer, after I've closed my wallets. He can surf the web, listen to some music, discover the wonderful world of Linux :) Since I'm using KMail constantly (yes, during the night too :), it is already running when my friend takes a seat in front of my computer. He wants to read his mails with KMail, and he has a configured account. Now there can be two situations: a) at present, KMail caches passwords. My friend hits the Check all mails button, and he downloads my mails too (despite I've closed my wallets). or b) KMail tries to open the wallet for my account's password. My friend presses the ESC key or the Cancel button for kwalletmanager, so KMail asks for my account's password. My friend doesn't know it, so he presses the Cancel button again (now for KMail). And after these, KMail asks for my friend's account's password, and he can read his mails, but only his mails. I think the latter is a more secure solution.
A guest account would be way more secure than a closed wallet. Anyway, I'm not opposed against making the level of security configurable in KMail if someone provides an appropriate patch.
Unfortunately, I have no experience neither developing in C++ nor in the QT/KDE api. My last wish is only to please explain me why is the mail sending functionality is not working the same way as the mail checking (the mail downloading). If I have configured a password for my smtp service, then KMail always tries to get the password from KWallet, and it doesn't cache the smtp password. Why is KMail caches the password for pop/imap accounts and not for the smtp accounts?
If I remember correctly then with SMTP it isn't possible to get the password from the password dialog. Therefore the SMTP password cannot be cached by KMail. Apart from that both functionalities were probably developed by different developers and therefore they work differently.
*** Bug 131610 has been marked as a duplicate of this bug. ***
As long as this does not work "safely" closing kwallet should issue a warning "Passwords are cached even if the application and kwalletmanager are closed, please log out to remove cached passwords"
Thank you for taking the time to file a bug report. KMail2 was released in 2011, and the entire code base went through significant changes. We are currently in the process of porting to Qt5 and KF5. It is unlikely that these bugs are still valid in KMail2. We welcome you to try out KMail 2 with the KDE 4.14 release and give your feedback.