[Bug 151246] New: KMAIL silently reverts to plaintext communication if starttls fails
Michael Schaefer
kdebug at spamblock.netzgehirn.de
Tue Oct 23 18:38:49 BST 2007
http://bugs.kde.org/show_bug.cgi?id=151246
Summary: KMAIL silently reverts to plaintext communication if starttls fails
Product: kmail
Version: 1.9.7
Platform: Debian testing
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
AssignedTo: kdepim-bugs kde org
ReportedBy: kdebug spamblock netzgehirn de
Version: 1.9.7 (using KDE KDE 3.5.7)
Installed from: Debian testing/unstable Packages
OS: Linux
If a KMAIL IMAP account (and probably also POP) is configured to use TLS encryption and the
STARTTLS command fails, KMAIL goes on communicating via the unencrypted channel, possibly
leaking password information.
If an account is configured to use TLS and TLS fails or is suddenly unavailable, this should
terminate the connection and result in an error; otherwise a man-in-the-middle attacker could
obtain the account credentials by setting up a fake service in which the STARTTLS command fails.
Example communication recording:
* OK somehost IMAP4 server ready
2 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS ANNOTATEMORE
2 OK Completed
3 STARTTLS
3 NO Error initializing TLS
4 LOGIN "user" "password"
4 OK User logged in
5 NAMESPACE
[....]
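Added example, not KMail's or KDE's code: a minimal IMAP login routine driven against a scripted, in-memory fake server that replays the exchange recorded above. It puts the fail-open behaviour the report describes (STARTTLS answered "NO", LOGIN still sent in cleartext) next to the fail-closed behaviour the reporter asks for, and, going one step beyond the report, also covers a fake service that simply omits STARTTLS from its CAPABILITY reply. The class and function names (ScriptedImapServer, login_session, StartTlsFailed), the "somehost" greeting and the capability list are constructed for this example; no sockets or real TLS are involved, the "upgrade" only marks which lines a wiretap would still be able to read.

```python
class StartTlsFailed(Exception):
    """Raised by the fail-closed client when required encryption is unavailable."""


class ScriptedImapServer:
    """Constructed stand-in for the remote end: a real server or a MITM fake service.

    tls_works=False reproduces the "NO Error initializing TLS" line from the report.
    advertise_starttls=False models a fake service that leaves STARTTLS out of its
    CAPABILITY reply (an assumption of this example, not something the report shows).
    """

    CAPS = "IMAP4 IMAP4rev1 LITERAL+ NAMESPACE UIDPLUS IDLE"

    def __init__(self, tls_works=True, advertise_starttls=True):
        self.tls_works = tls_works
        self.advertise_starttls = advertise_starttls
        self.encrypted = False
        self.seen = []  # (client line, was the channel encrypted when it was sent)

    def greeting(self):
        return "* OK somehost IMAP4 server ready"

    def handle(self, line):
        """Record one client command as it appeared on the wire and answer it."""
        self.seen.append((line, self.encrypted))
        tag, _, rest = line.partition(" ")
        cmd = rest.partition(" ")[0].upper()
        if cmd == "CAPABILITY":
            caps = self.CAPS + (" STARTTLS" if self.advertise_starttls else "")
            return [f"* CAPABILITY {caps}", f"{tag} OK Completed"]
        if cmd == "STARTTLS":
            if self.tls_works:
                self.encrypted = True  # everything after this reply is protected
                return [f"{tag} OK Begin TLS negotiation now"]
            return [f"{tag} NO Error initializing TLS"]
        if cmd == "LOGIN":
            return [f"{tag} OK User logged in"]
        if cmd == "LOGOUT":
            return ["* BYE", f"{tag} OK Completed"]
        return [f"{tag} BAD Unknown command"]

    def leaked_credentials(self):
        """LOGIN lines that crossed the wire unencrypted, i.e. readable by a MITM."""
        return [l for l, enc in self.seen
                if l.split(" ")[1].upper() == "LOGIN" and not enc]


def login_session(server, user, password, fail_closed):
    """Log in to `server`; returns the full transcript as a list of lines.

    fail_closed=False is the behaviour the bug report describes: a failed or missing
    STARTTLS is ignored and LOGIN goes out on the cleartext channel anyway.
    fail_closed=True aborts the session before any credential is sent unless
    STARTTLS was both advertised and completed with OK.
    """
    transcript = [server.greeting()]
    tag = 1  # first command gets tag 2, matching the numbering in the recording above

    def send(cmd):
        nonlocal tag
        tag += 1
        line = f"{tag} {cmd}"
        transcript.append(line)
        replies = server.handle(line)
        transcript.extend(replies)
        return replies[-1]  # the tagged completion line

    status = send("CAPABILITY")
    caps = [t for t in transcript if t.startswith("* CAPABILITY ")][-1].split()[2:]
    starttls_offered = "STARTTLS" in caps

    tls_ok = False
    if starttls_offered:
        status = send("STARTTLS")
        tls_ok = status.split(" ", 2)[1] == "OK"

    if not tls_ok and fail_closed:
        # Required encryption is unavailable: drop the connection, never send LOGIN.
        send("LOGOUT")
        reason = status if starttls_offered else "server does not advertise STARTTLS"
        raise StartTlsFailed(reason)

    send(f'LOGIN "{user}" "{password}"')
    return transcript


if __name__ == "__main__":
    mitm = ScriptedImapServer(tls_works=False)
    print("\n".join(login_session(mitm, "user", "password", fail_closed=False)))
    print("leaked:", mitm.leaked_credentials())
    try:
        login_session(ScriptedImapServer(tls_works=False), "user", "password", fail_closed=True)
    except StartTlsFailed as e:
        print("fail-closed client aborted:", e)
```

The check that matters is `leaked_credentials()`: with the fail-open client it contains the LOGIN line against a server whose STARTTLS fails, exactly as in the recording; with the fail-closed client it stays empty in both the "NO" and the "not advertised" cases, and the only LOGIN a working server ever sees is one sent after the upgrade.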