We have moved to a new Sailfish OS Forum. Please start new discussions there.
9

[feature request] IMAP always uses PLAIN authentication [released]

asked 2014-02-28 12:56:09 +0200

kelvan gravatar image

updated 2014-03-04 20:45:03 +0200

adding an email account only has the option auth method (e.g encrypted pw) for smtp, imap always uses plain text auth.

edit retag flag offensive reopen delete

The question has been closed for the following reason "released in a software update" by VDVsx
close date 2015-03-03 14:38:17.222541

Comments

1

We don't support anything else at the moment, this is not a bug, please change this to a feature request specifying the options you would like to see.

VDVsx ( 2014-03-03 10:51:01 +0200 )edit

Correction we do support oauth2 as well for IMAP4 login, and CRAM-MD5 is coming.

VDVsx ( 2014-03-03 10:54:26 +0200 )edit

thanks for feedback, changed it, but nevertheless I think it's an usability bug.
It's confusing to see the method at the end, but not in the IMAP section.
It isn't that obvious if the selection is for smtp or smtp+imap

kelvan ( 2014-03-04 20:47:30 +0200 )edit

CRAM-MD5 login on IMAP4 is still not supported (1.1.0.39) and the manual change of account settings described in (1) seems not to be working anymore.

Would CRAM-MD5 login on IMAP4 will be included sooner or later ?

(1) https://together.jolla.com/question/4336/email-cannot-log-in-to-macos-imap-server/

drno ( 2014-10-26 14:33:37 +0200 )edit

Yes, at some point.

VDVsx ( 2014-10-28 09:04:26 +0200 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2015-03-03 14:37:56 +0200

VDVsx gravatar image

Fixed in 1.1.2 / Yliaavanlampi, now the auths are selected according to the advertised capabilities, from more secure to less secure, supported auths are:

XOAUTH2 for google accounts

CRAM-MD5, PLAIN, LOGIN for general IMAP/SMTP accounts.

edit flag offensive delete publish link more

Comments

wait, do you mean that until now all IMAP connections sent the password in clear text?

I checked my mail over some unencripted holtel wifi networks while travelling knowing that the IMAP servers I used all provided strong authentication (IMAP SSL).

https://wiki.gandi.net/en/mail/standard-settings?s[]=imap#popimap_account

Did my IMAP passwords travel in clear text then? I'm sure the port configured in Mail was 993, the one of IMAP SSL.

Now I have the phone at Optima for warranty repair, so I can't double check (but I did a full /home/nemo backup, if you tell me where I can look)

Thank you

c.la ( 2015-03-03 17:19:03 +0200 )edit

@c.la - No, passwords are not sent before SSL connection are established, no AUTH is not even support for IMAP accounts, both PLAIN and LOGIN use weak encryption but we never allow them over unencrypted connection, same for 99.9% of the servers out there.

VDVsx ( 2015-03-04 08:26:53 +0200 )edit

@VDVsx thank you for your reply. I still don't get how you can block the transmission of PLAIN (if I remember it's equivalent to not encrypted) authentication over an unencrypted channel, because after all even 3G connection is unencrypted, not just an open wifi network.

Thank you

c.la ( 2015-03-04 15:13:44 +0200 )edit

Like I said above authentication does not process until a SSL/TLS socket is open between server and device, if you want more details check the IMAP RFCs on that, and as I said when available we use even stronger methods like app token or MD5, but most servers don't support those.

VDVsx ( 2015-03-04 15:31:12 +0200 )edit

good, thank you for the explanation

c.la ( 2015-03-04 16:32:20 +0200 )edit

Question tools

Follow
4 followers

Stats

Asked: 2014-02-28 12:56:09 +0200

Seen: 308 times

Last updated: Mar 03 '15