The setup wizard in kmail defaults to unencrypted connections. When the user clicks on "Check Mail" after the setup, the username and password are sent in the clear. I have not found a way to tell kmail in the manual configuration to use implicit TLS or STARTTLS. What is even worse: assuming you know about that and try to configure STARTTLS directly after the setup. In this case it happens that future connections still happen unencrypted, even though the UI says otherwise. I clicked on "Restart" in the UI several times and also restarted Akonadi and KMail. In this case, I found that POP3 was once even reset back to "Unencrypted". After a few more tries it seems to have settled down to use STARTTLS. I am using NixOS with kmail2 5.13.3 (19.12.3).
This is also related to https://bugs.kde.org/show_bug.cgi?id=423423 as the POP3 setup will not set "Server requires authentication" per default.
Related: https://bugs.kde.org/show_bug.cgi?id=389427 (but for IMAP)
Git commit bd64ab29116aa7318fdee7f95878ff97580162f2 by Laurent Montel.
Committed on 28/07/2020 at 11:35.
Pushed by mlaurent into branch 'release/20.08'.

Fix Bug 423426 - POP3 setup wizard defaults to unencrypted connections

Make sure to use TLS when we create it

M +1 -1 resources/pop3/wizard/pop3wizard.es

https://invent.kde.org/pim/kdepim-runtime/commit/bd64ab29116aa7318fdee7f95878ff97580162f2
Git commit a64d80e523edce7d3d59c26834973418fae042f6 by Laurent Montel.
Committed on 28/07/2020 at 11:52.
Pushed by mlaurent into branch 'release/20.08'.

Show info about encryption/authentication settings

M +15 -3 src/transport.cpp
M +2 -0 src/transport.h

https://invent.kde.org/pim/kmail-account-wizard/commit/a64d80e523edce7d3d59c26834973418fae042f6
Laurent, should this be marked as fixed? One of your commits says "Fix 423426" but this is not marked as fixed yet.
Good question. I will investigate if I fixed all bugs here.
There is a CVE assigned for this bug report: CVE-2020-15954. https://nostarttls.secvuln.info/ sees this as fixed in 20.08. Debian follows the bug report and the information of the CVE and marked it as closed: https://security-tracker.debian.org/tracker/CVE-2020-15954
This was rechecked by the NO STARTTLS team with the current version 5.18.3 and this bug is still present: "I have retested the most recent release version 5.18.3 (21.08.3) on Arch Linux for the POP3 issue, but it seems that the issue is still present there. This includes the default of plain text and the config showing encrypted even though KMail still connects in plaintext (CVE-2020-15954)."
Ok, I need to fix the POP3 wizard. I'm working on it.
Git commit 35447bd04e8c12afac524e1c4556ef3db088e014 by Laurent Montel.
Committed on 12/11/2021 at 12:09.
Pushed by mlaurent into branch 'release/21.12'.

Fix POP3 setup wizard defaults to unencrypted connections.
Now I check encryption support when I create the resource. So if the resource supports STARTTLS it will set the option for it.
FIXED-IN: 5.19.0

M +61 -12 resources/pop3/wizard/pop3wizard.es

https://invent.kde.org/pim/kdepim-runtime/commit/35447bd04e8c12afac524e1c4556ef3db088e014
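The fix in the last comment probes the server for STARTTLS support before enabling it. The following Python example is added here and is not part of this bug thread, of kdepim-runtime or of KMail; it shows the fail-closed form of that decision against a constructed in-process mock POP3 server. The client reads CAPA, chooses STARTTLS only if STLS is advertised and refuses to log in otherwise, and the mock records every line it received, so a wire-level check can confirm that no USER/PASS ever left the client in plaintext (the check that the "UI says STARTTLS but the connection is plaintext" situation from the report would fail). The class and function names (MockPop3Server, choose_pop3_encryption, credentials_sent_in_clear, login_with_starttls) are assumptions made for this example.

```python
import poplib
import socket
import ssl
import threading


class MockPop3Server:
    """Constructed mock POP3 server for the example (not a real mail server).

    It speaks only the greeting, CAPA and QUIT, optionally advertises STLS,
    and records every command line it receives so the caller can verify
    what actually crossed the wire.
    """

    def __init__(self, advertise_stls: bool):
        self.advertise_stls = advertise_stls
        self.received = []  # raw command lines seen by the server
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self._listener.accept()
        self._listener.close()
        with conn:
            conn.sendall(b"+OK mock POP3 ready\r\n")
            buf = b""
            while True:
                chunk = conn.recv(1024)
                if not chunk:
                    return
                buf += chunk
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    cmd = line.decode("ascii", "replace").strip()
                    self.received.append(cmd)
                    if cmd.upper() == "CAPA":
                        caps = ["USER", "UIDL"] + (["STLS"] if self.advertise_stls else [])
                        body = "\r\n".join(caps).encode("ascii")
                        conn.sendall(b"+OK\r\n" + body + b"\r\n.\r\n")
                    elif cmd.upper() == "QUIT":
                        conn.sendall(b"+OK bye\r\n")
                        return
                    else:
                        # A real server would accept USER/PASS here; that is the bug.
                        conn.sendall(b"-ERR mock: only CAPA and QUIT are served\r\n")

    def wait(self, timeout: float = 5.0):
        """Block until the server thread has finished handling the session."""
        self._thread.join(timeout)


def choose_pop3_encryption(host: str, port: int) -> str:
    """Decide the encryption setting from the server's CAPA list, fail closed.

    Returns "starttls" when STLS is advertised, otherwise "refuse". No
    credentials are sent on this plaintext probe session.
    """
    client = poplib.POP3(host, port, timeout=5)
    try:
        caps = client.capa()  # dict: capability name -> argument list
    finally:
        client.quit()
    return "starttls" if "STLS" in caps else "refuse"


def credentials_sent_in_clear(server: MockPop3Server) -> bool:
    """Wire-level check: did USER or PASS reach the server on the plain session?"""
    server.wait()
    return any(c.upper().startswith(("USER ", "PASS ")) for c in server.received)


def login_with_starttls(host: str, port: int, username: str, password: str) -> poplib.POP3:
    """Login path for a real server: upgrade with STLS first, never plaintext.

    Not exercised against the mock (it cannot complete a TLS handshake).
    """
    client = poplib.POP3(host, port, timeout=10)
    try:
        if "STLS" not in client.capa():
            raise RuntimeError("server offers no STARTTLS; refusing plaintext login")
        client.stls(context=ssl.create_default_context())  # verifies the certificate
        client.user(username)
        client.pass_(password)
        return client
    except Exception:
        client.close()
        raise


if __name__ == "__main__":
    for stls in (True, False):
        srv = MockPop3Server(advertise_stls=stls)
        print("advertises STLS:", stls, "->", choose_pop3_encryption("127.0.0.1", srv.port),
              "| credentials in clear:", credentials_sent_in_clear(srv))
```

The same CAPA probe can be run against a real account's server: if STLS is absent, the only safe setting is implicit TLS on port 995 (poplib.POP3_SSL), never plaintext on port 110, and a client whose UI shows STARTTLS should be checked at the wire level, as the mock's recorded command log does here, rather than trusted from its configuration dialog.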