The STARTTLS option of SMTP is ignored when "Server requires authentication" is not checked. In this case kmail will send any mail in cleartext. Tested with kmail2 5.13.3 (19.12.3).
May I ask for an update? To be clear: we think that this is a security vulnerability.
(In reply to Damian Poddebniak from comment #1)
> May I ask for an update? To be clear: we think that this is a security vulnerability.

"We"? Who is "we"?
Ah sorry :-) I wrote that comment without thinking too much. We (me and some colleagues) performed a STARTTLS test some months ago, reported multiple vulnerabilities and are now in the process of consolidating the still open bugs.
The vulnerability is now published under https://nostarttls.secvuln.info/
Git commit 38a4c09427f3fdc04f9893f8eda3f6807d9a3203 by Volker Krause.
Committed on 21/09/2021 at 16:18.
Pushed by knauss into branch 'master'.

Move establishing the TLS connection to Session

This means we now also enable TLS when not having a LoginJob, ie. on servers not requiring authentication. Doing the same for STARTTLS is the next step then.

M +0 -2 src/loginjob.cpp
M +1 -11 src/session.cpp
M +11 -2 src/sessionthread.cpp
M +2 -0 src/sessionthread_p.h

https://invent.kde.org/pim/ksmtp/commit/38a4c09427f3fdc04f9893f8eda3f6807d9a3203
A possibly relevant merge request was started @ https://invent.kde.org/pim/ksmtp/-/merge_requests/8
Git commit 60f73c69758fe40a027a8e7402127d085f18545a by Volker Krause.
Committed on 23/09/2021 at 16:02.
Pushed by knauss into branch 'master'.

Move STARTTLS setup from LoginJob to Session

This is now done immediately after opening the connection, independent of whether there is a LoginJob at all.

M +5 -28 src/loginjob.cpp
M +15 -2 src/session.cpp
M +1 -0 src/session_p.h

https://invent.kde.org/pim/ksmtp/commit/60f73c69758fe40a027a8e7402127d085f18545a
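The structural change described by the two commits (STARTTLS negotiated by the session itself rather than by the optional login step), shown as an added, self-contained Python model; this is not ksmtp's code. The server stub, the hypothetical `requires_auth` / `tls_mode` parameters and the sample commands are constructed for illustration.

```python
# Added example (not ksmtp code): why STARTTLS must be owned by the session
# state machine and not by the authentication step. FakeSmtpServer is a
# constructed stub that only records commands and whether TLS was active.
from dataclasses import dataclass, field

STARTTLS_REQUIRED = "starttls"
EHLO, MAIL = "EHLO client.example", "MAIL FROM:<sender@example.invalid>"

@dataclass
class FakeSmtpServer:
    advertises_starttls: bool = True
    tls_active: bool = False
    log: list = field(default_factory=list)  # (command, sent_inside_tls)

    def send(self, cmd):
        self.log.append((cmd, self.tls_active))
        if cmd == EHLO:  # STARTTLS is only advertised before the upgrade
            caps = ["250-mail.example.invalid"]
            if self.advertises_starttls and not self.tls_active:
                caps.append("250-STARTTLS")
            return caps + ["250 AUTH PLAIN"]
        if cmd == "STARTTLS":
            if not self.advertises_starttls:
                return ["454 TLS not available"]
            self.tls_active = True
            return ["220 Ready to start TLS"]
        return ["250 OK"]

def starttls_in_login_job(server, requires_auth):
    """Buggy layout (before the fix): the TLS upgrade lives inside the login
    step, so an account without authentication never sends STARTTLS."""
    server.send(EHLO)
    if requires_auth:
        server.send("STARTTLS"); server.send(EHLO); server.send("AUTH PLAIN ...")
    server.send(MAIL)
    return server.log

def starttls_in_session(server, requires_auth, tls_mode=STARTTLS_REQUIRED):
    """Fixed layout: the session negotiates STARTTLS right after the first
    EHLO, before any optional login job, and never falls back to cleartext."""
    caps = server.send(EHLO)
    if tls_mode == STARTTLS_REQUIRED:
        if "250-STARTTLS" not in caps:
            raise RuntimeError("server does not offer STARTTLS; refusing cleartext")
        if not server.send("STARTTLS")[0].startswith("220"):
            raise RuntimeError("STARTTLS refused; refusing cleartext")
        server.send(EHLO)  # capabilities must be re-read after the upgrade
    if requires_auth:
        server.send("AUTH PLAIN ...")
    server.send(MAIL)
    return server.log

def cleartext_commands(log):
    """Commands that left the client unprotected (the pre-upgrade EHLO and
    STARTTLS themselves are legitimately cleartext)."""
    return [c for c, tls in log if not tls and c not in (EHLO, "STARTTLS")]
```

With `requires_auth=False`, the buggy layout sends `MAIL FROM` in cleartext while the session-owned layout does not, and a server that does not offer STARTTLS causes an abort instead of a silent downgrade.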