8

E-mail: SMTP sending out password in certain circumstances

asked 2014-05-03 14:04:46 +0300


updated 2014-08-04 17:19:10 +0300


The issue is that the SMTP client seems to just throw the password out in plaintext in a SEND call under certain circumstances. My real password has been replaced by mypassword here:

I have not been able to trigger this bug again, will look for it. However, the setup was one Gmail account and two IMAP accounts. Removed Gmail and one IMAP account and tried to send an email with the remaining IMAP/SMTP account. This is what happened:

  [7071] maj 03 12:31:46 [Debug] SMTP : newConnection
  [7071] maj 03 12:31:46 [Debug] SMTP : Open SMTP connection
  [7071] maj 03 12:31:46 [Debug] Messaging : QMailTransport::Socket::Socket SET PROXY host= "" port= 0
  [7071] maj 03 12:31:46 [Debug] Messaging : Opening connection - "submit.notes.lotuslive.com" : 465 SSL
  [7071] maj 03 12:31:47 [Debug] Messaging : SMTP : connection established
  [7071] maj 03 12:31:47 [Debug] Messaging : SMTP : Secure connection established
  [7071] maj 03 12:31:47 [Debug] SMTP : Connected
  [7071] maj 03 12:31:47 [Debug] SMTP : RECV: "220 usdl3-ln00-ws03.ben.dc5.lotusliveops.com ESMTP Service (Lotus Domino Build V851SAAS_M11_04172014_FP1) ready at Sat, 3 May 2014 10:31:57 +0000"
  [7071] maj 03 12:31:47 [Debug] SMTP : SEND: EHLO [127.0.0.1]
  [7071] maj 03 12:31:47 [Debug] SMTP : RECV: "250-usdl3-ln00-ws03.ben.dc5.lotusliveops.com Hello [127.0.0.1] ([10.13.34.1]), pleased to meet you"
  [7071] maj 03 12:31:47 [Debug] SMTP : RECV: "250-HELP"
  [7071] maj 03 12:31:47 [Debug] SMTP : RECV: "250-AUTH LOGIN"
  [7071] maj 03 12:31:47 [Debug] SMTP : RECV: "250-DSN"
  [7071] maj 03 12:31:47 [Debug] SMTP : RECV: "250-SIZE 102400000"
  [7071] maj 03 12:31:47 [Debug] SMTP : RECV: "250 PIPELINING"
  [7071] maj 03 12:31:47 [Debug] SMTP : SEND: mypassword
  [7071] maj 03 12:31:47 [Debug] SMTP : RECV: "500 Syntax error, command "mypassword" unrecognized"
  [7071] maj 03 12:31:47 [Debug] Messaging : void SSOSessionManager::recreateSsoIdentity() Recreating SSO identity using auth method "password"
  [7071] maj 03 12:31:47 [Debug] authsessionimpl.cpp 174 initInterface
  [7071] maj 03 12:31:47 [Debug] authsessionimpl.cpp 270 process sending to queue
  [7071] maj 03 12:31:47 [Debug] dbusoperationqueuehandler.cpp 135 execQueuedOperations Executing cached oparation: SIGNATURE: "process(SessionData,QString)"
  [7071] maj 03 12:31:47 [Debug] dbusoperationqueuehandler.cpp 147 execQueuedOperations
  [7071] maj 03 12:31:47 [Debug] authsessionimpl.cpp 265 process sending to daemon
  [7071] maj 03 12:31:48 [Debug] SMTP : Got SSO response
  [7071] maj 03 12:31:48 [Debug] SMTP : SEND: <mypassword></mypassword>
  [7071] maj 03 12:31:48 [Debug] SMTP : RECV: "500 Syntax error, command "mypassword" unrecognized"
  [7071] maj 03 12:31:48 [Debug] Messaging : void SSOSessionManager::credentialsNeedUpdate() Setting credentials need update for the service "smtp" from account 15 using authentication method "password"
  [7071] maj 03 12:31:48 [Debug] SMTP : Closed connection: "500 Syntax error, command "mypassword" unrecognized"


Comments

I would say this is serious!

ortylp ( 2014-09-08 21:36:05 +0300 )

2 Answers

1

answered 2014-05-05 09:35:24 +0300


Looking at the code this can happen only if you modify the accounts via command line and select an invalid authentication method: https://github.com/nemomobile-packages/messagingframework/blob/master/qmf/src/plugins/messageservices/smtp/smtpauthenticator.cpp#L56

The line containing your password didn't have any "AUTH xxx" before the password?


Comments

No, that was the weird part. It looks exactly like that apart from the fact that I replaced the password string. And that was the thing worrying me, because I'm looking back through my .sh_history and my .bash_history as I write this. And there are no modifications through command line. The only thing done was ag-tool list-settings on one of the old accounts. The only thing I did before this issue appeared was change logging in /home/nemo/.config/QtProject/Messageserver.conf, then I removed the gmail account and one of the imap accounts, and this happened. But like I said from the beginning, I have not been able to retrigger this bug again.

Swl ( 2014-05-05 11:04:04 +0300 )

Ok, about security of the password: it is sent over an encrypted socket (SSL/TLS), and for email (IMAP/POP/SMTP) as of today password security is very weak unless CRAM-MD5 is used; for most cases it is either plain or base64 encoded, unfortunately nothing can be done here.

VDVsx ( 2014-05-05 11:22:37 +0300 )

Okay. Just wanted to highlight it because it really didn't look like it should. But since the bug cannot be reproduced at this time I think we can close this down for now.

Swl ( 2014-05-05 12:28:35 +0300 )
0

answered 2014-09-08 17:46:05 +0300


I'm also getting this behaviour. I haven't modified anything from the command line, only changed the email account server settings back and forth via the GUI. I only have one email account configured, with the outgoing mail server specified as STARTTLS with normal (non-encrypted) password auth. Here's a paraphrased transcript of the client<->server conversation from the server logs (exim4 on Debian):

  SMTP<< EHLO
  SMTP>> 250-server.example.com Hello client.example.com
  >> 250-SIZE 52428800
  >> 250-8BITMIME
  >> 250-PIPELINING
  >> 250-STARTTLS
  >> 250 HELP
  SMTP<< STARTTLS
  SMTP>> 220 TLS go ahead

(TLS handshake etc...)

  SMTP<< EHLO
  SMTP>> 250-server.example.com Hello client.example.com
  >> 250-SIZE 52428800
  >> 250-8BITMIME
  >> 250-PIPELINING
  >> 250-AUTH PLAIN LOGIN
  >> 250 HELP
  SMTP<< MY_PASSWORD
  SMTP>> 500 unrecognized command

I've replaced my password by "MY_PASSWORD" - note the missing AUTH LOGIN as one would expect.

I can reproduce this every time with the current configuration, so let me know if you need any extra info. Otherwise I will remove and re-create the account to see if it fixes things.

PS: Wouldn't it be great if we had an actual bug-tracker for these kinds of things? ;)


Comments

@aeneby - Can you also collect qmf logs:

/home/nemo/.config/QtProject/Messageserver.conf

enable file log and add a path for the log, like for example:

[FileLog]
Enabled=1
Path=/home/nemo/Documents/messageserver.log

Reboot the device and reproduce the problem, send me the log file to mail-logs at jolla dot com. After that turn file log off again by setting "enabled" to 0.

And the accounts setting:

ag-tool list-accounts

Locate your account id from the list and then send me also the output of:

ag-tool list-settings YOUR_ACCT_ID

Thanks!

VDVsx ( 2014-09-09 09:35:32 +0300 )

It's one of "those" bugs I guess - after a reboot, everything seems to work properly again. I ran an "ag-tool list-settings ACCT_ID" both before and after the reboot, but they're identical except for the lastSynchronized field. So I'm not sure any of the logs will be helpful at this point.

There's a bug here somewhere though; I'll leave the FileLog enabled for a while in case it happens again.

aeneby ( 2014-09-09 13:20:37 +0300 )
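Both transcripts in this thread (the Messageserver debug log in the question and aeneby's exim-side view) show the same pattern: right after the EHLO capability list the client sends a line that is not an SMTP verb, the server answers 500, and no AUTH LOGIN/PLAIN exchange ever happens. The following is an added example, not code from this thread or from the messagingframework project, that audits a Messageserver-style log (the format VDVsx asks aeneby to collect) for exactly that pattern: a SEND line outside an AUTH exchange whose first token is not a known client verb, plus any 500 reply. The regexes assume the "SMTP : SEND:" / "SMTP : RECV:" line shape seen in the question; the pid, host and credentials in the two sample logs are constructed placeholders. A finding means the log file itself now contains a credential, so it should be treated like the password and the FileLog switched off again, as the instructions above already say.

```python
import base64
import binascii
import re

# Verbs a client may legitimately open a line with (RFC 5321 commands,
# RFC 3207 STARTTLS, RFC 4954 AUTH).
CLIENT_VERBS = {"EHLO", "HELO", "STARTTLS", "AUTH", "MAIL", "RCPT", "DATA",
                "RSET", "NOOP", "QUIT", "VRFY", "EXPN", "HELP"}

# Line shapes as they appear in the Messageserver debug log quoted in the question
# (assumed format; adjust if the logger prefix differs).
SEND_RE = re.compile(r"SMTP : SEND: (.*)$")
RECV_RE = re.compile(r'SMTP : RECV: "(\d{3})[ -]?(.*)"$')


def audit_transcript(lines):
    """Return [(line_no, finding), ...] for an SMTP client transcript.

    A line the client sends is expected to start with an SMTP verb unless the
    server has just issued a 334 challenge, in which case the client is in the
    middle of AUTH LOGIN/PLAIN and sends a base64 continuation. Anything else
    (the bare password seen in this thread) is reported, as is any 500 reply.
    """
    findings = []
    in_auth = False
    for no, line in enumerate(lines, 1):
        sent = SEND_RE.search(line)
        if sent:
            payload = sent.group(1).strip()
            if in_auth:
                # AUTH continuation: must be well-formed base64. Note this is only
                # an encoding, not protection; TLS is what shields it on the wire.
                try:
                    base64.b64decode(payload, validate=True)
                except binascii.Error:
                    findings.append((no, "malformed AUTH continuation"))
                continue
            verb = payload.split(" ", 1)[0].upper()
            if verb not in CLIENT_VERBS:
                findings.append((no, "non-command sent outside AUTH: %r" % payload))
            continue
        recv = RECV_RE.search(line)
        if recv:
            code, text = recv.groups()
            if code == "334":
                in_auth = True          # server challenge, credentials follow
            elif in_auth:
                in_auth = False         # 235 success or 5xx failure ends the exchange
            if code == "500":
                findings.append((no, "server rejected command: " + text))
    return findings


# Constructed sample mirroring the question's log; pid and host are placeholders.
LEAKY_LOG = """\
[4242] May 03 12:31:47 [Debug] SMTP : SEND: EHLO [127.0.0.1]
[4242] May 03 12:31:47 [Debug] SMTP : RECV: "250-mail.example.invalid Hello [127.0.0.1], pleased to meet you"
[4242] May 03 12:31:47 [Debug] SMTP : RECV: "250-AUTH LOGIN"
[4242] May 03 12:31:47 [Debug] SMTP : RECV: "250 PIPELINING"
[4242] May 03 12:31:47 [Debug] SMTP : SEND: mypassword
[4242] May 03 12:31:47 [Debug] SMTP : RECV: "500 Syntax error, command "mypassword" unrecognized"
""".splitlines()

# Constructed sample of what a correct AUTH LOGIN exchange looks like in the same format
# (base64 of "user@example.invalid" and "mypassword").
HEALTHY_LOG = """\
[4242] May 03 12:40:01 [Debug] SMTP : SEND: EHLO [127.0.0.1]
[4242] May 03 12:40:01 [Debug] SMTP : RECV: "250-AUTH LOGIN"
[4242] May 03 12:40:01 [Debug] SMTP : RECV: "250 PIPELINING"
[4242] May 03 12:40:01 [Debug] SMTP : SEND: AUTH LOGIN
[4242] May 03 12:40:01 [Debug] SMTP : RECV: "334 VXNlcm5hbWU6"
[4242] May 03 12:40:01 [Debug] SMTP : SEND: dXNlckBleGFtcGxlLmludmFsaWQ=
[4242] May 03 12:40:01 [Debug] SMTP : RECV: "334 UGFzc3dvcmQ6"
[4242] May 03 12:40:01 [Debug] SMTP : SEND: bXlwYXNzd29yZA==
[4242] May 03 12:40:02 [Debug] SMTP : RECV: "235 Authentication successful"
[4242] May 03 12:40:02 [Debug] SMTP : SEND: MAIL FROM:<user@example.invalid>
""".splitlines()


if __name__ == "__main__":
    for name, log in (("leaky", LEAKY_LOG), ("healthy", HEALTHY_LOG)):
        print(name, audit_transcript(log))
```

Run against a real messageserver.log, the leaky sample yields two findings (the bare credential on the SEND line and the 500 that follows) while the healthy exchange yields none; the state machine deliberately accepts only base64 between a 334 challenge and the final reply, so a plaintext password sent at any other point is always reported.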
Stats

Asked: 2014-05-03 14:04:46 +0300

Seen: 797 times

Last updated: Sep 08 '14