Version: 1.9.7 (using KDE KDE 3.5.7)
Installed from: Debian testing/unstable Packages
OS: Linux

If a KMAIL IMAP account (and probably also POP) is configured to use TLS encryption and the STARTTLS command fails, KMAIL goes on communicating via the unencrypted channel, possibly leaking password information.

If an account is configured to use TLS and TLS fails or is suddenly unavailable, this should terminate the connection and result in an error; otherwise a man-in-the-middle attacker could obtain the account credentials by setting up a fake service in which the STARTTLS command fails.

Example communication recording:

    * OK somehost IMAP4 server ready
    2 CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS ANNOTATEMORE
    2 OK Completed
    3 STARTTLS
    3 NO Error initializing TLS
    4 LOGIN "user" "password"
    4 OK User logged in
    5 NAMESPACE
    [....]
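Added example (not KMail's or kio_imap4's code): a scripted IMAP exchange that replays the recording above against a client which treats a NO answer to STARTTLS as fatal, so LOGIN is never sent on the cleartext channel. FakeImapServer, TlsRequiredError and login_session are constructed for this illustration.

```python
import re


class TlsRequiredError(Exception):
    """Raised when the account requires TLS but STARTTLS did not succeed."""


class FakeImapServer:
    """Scripted stand-in for the network (constructed for this example).
    tls_ok=False answers STARTTLS exactly as in the recording above."""

    def __init__(self, tls_ok):
        self.tls_ok = tls_ok
        self.wire = []  # every command the client sent, in order

    def send(self, tag, command):
        self.wire.append(command)
        if command == "CAPABILITY":
            return ["* CAPABILITY IMAP4 IMAP4rev1 IDLE STARTTLS", f"{tag} OK Completed"]
        if command == "STARTTLS":
            return [f"{tag} OK Begin TLS" if self.tls_ok else f"{tag} NO Error initializing TLS"]
        if command.startswith("LOGIN "):
            return [f"{tag} OK User logged in"]
        return [f"{tag} BAD Unknown command"]


def tagged_status(lines, tag):
    """Pick the OK/NO/BAD result out of the tagged completion line."""
    for line in lines:
        m = re.match(rf"{re.escape(tag)} (OK|NO|BAD)\b", line)
        if m:
            return m.group(1)
    raise ValueError(f"no tagged response for {tag}")


def login_session(server, user, password, require_tls=True):
    """Correct client behaviour: with require_tls, LOGIN is sent only after
    STARTTLS completed; a NO answer aborts before any credential is sent."""
    tag = 1

    def cmd(command):
        nonlocal tag
        tag += 1
        lines = server.send(str(tag), command)
        return tagged_status(lines, str(tag)), lines

    _, caps = cmd("CAPABILITY")
    if require_tls:
        if not any("STARTTLS" in line for line in caps):
            raise TlsRequiredError("server does not offer STARTTLS")
        if cmd("STARTTLS")[0] != "OK":
            raise TlsRequiredError("STARTTLS refused; closing connection before LOGIN")
        # A real client would wrap the socket in TLS here before continuing.
    status, _ = cmd(f'LOGIN "{user}" "{password}"')
    return {"logged_in": status == "OK", "encrypted": require_tls}
```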
From a quick look at the code, it seems that the POP and SMTP slaves handle the problem properly. Therefore it is a problem with the IMAP slave only.
Dear Bug Submitter, This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond. Thank you for helping us make KDE software even better for everyone!
Dear Bug Submitter, This is a reminder that this bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? Thank you for helping us make KDE software even better for everyone!
kio_imap4 doesn't exist anymore.