[Bug 268048] New: All identities try to send via default SMTP server; credentials disclosure!!!

Szczepan Hołyszewski rulatir at wp.pl
Wed Mar 9 11:48:41 GMT 2011


https://bugs.kde.org/show_bug.cgi?id=268048

           Summary: All identities try to send via default SMTP server;
                    credentials disclosure!!!
           Product: kmail
           Version: 1.13.6
          Platform: Archlinux Packages
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: NOR
         Component: sending
        AssignedTo: kdepim-bugs at kde.org
        ReportedBy: rulatir at wp.pl


Version:           1.13.6 (using KDE 4.6.0) 
OS:                Linux

(Reason for major severity: security hole, credentials disclosed to wrong
party)

When sending a message using an identity that uses an SMTP account other than
the default, kmail connects to the default SMTP server instead, but tries to
authenticate with the username and password defined in the non-default SMTP
account selected for the identity. This has two effects:

- email is not sent because SMTP authentication fails
- identity's SMTP account credentials are disclosed to the default SMTP server



Reproducible: Always

Steps to Reproduce:
1. Set up two SMTP accounts on different servers, let's call them a and b.
2. Set a as the default SMTP account.
3. Set up two identities, let's call them A and B.
4. Assign account a as sending account for identity A; assign account b as
sending account for identity B.
5. Try sending mail using identity B.

Actual Results:  
Authentication failure and password disclosure because KMail uses credentials
from account b but sends them to account a's SMTP server.

Expected Results:  
Account b's server should be used.

OS: Linux (i686) release 2.6.37-ARCH
Compiler: gcc

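Added example, not KMail code and not part of the original report: a small C++ model of the mismatch described above (server taken from the default account, credentials from the identity's account), next to a resolver that takes both from one account and a pre-AUTH guard that rejects credentials not configured for the target host. All type names, function names, hosts and credentials are hypothetical and constructed for illustration.

```cpp
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical model of the setup in the report; none of these names are KMail's.
struct SmtpAccount { std::string host, user, password; };
struct SendPlan { std::string connectHost, authUser, authPassword; };
struct MailConfig {
    std::map<std::string, SmtpAccount> accounts;         // account name -> settings
    std::map<std::string, std::string> identityAccount;  // identity -> account name
    std::string defaultAccount;
};
// Models the reported outcome: host from the default account, credentials from the identity's.
SendPlan planAsReported(const MailConfig& cfg, const std::string& identity) {
    const SmtpAccount& def = cfg.accounts.at(cfg.defaultAccount);
    const SmtpAccount& own = cfg.accounts.at(cfg.identityAccount.at(identity));
    return SendPlan{def.host, own.user, own.password};
}
// Hardened: pick one account, take host and credentials from it, fail closed if it is missing.
SendPlan planBound(const MailConfig& cfg, const std::string& identity) {
    auto id = cfg.identityAccount.find(identity);
    const std::string& name = (id != cfg.identityAccount.end()) ? id->second : cfg.defaultAccount;
    auto acc = cfg.accounts.find(name);
    if (acc == cfg.accounts.end())
        throw std::runtime_error("SMTP account '" + name + "' not found; refusing to send");
    return SendPlan{acc->second.host, acc->second.user, acc->second.password};
}
// Guard to run before AUTH: the credentials must belong to an account on this host.
bool credentialsMatchHost(const MailConfig& cfg, const SendPlan& p) {
    for (const auto& kv : cfg.accounts)
        if (kv.second.host == p.connectHost && kv.second.user == p.authUser &&
            kv.second.password == p.authPassword) return true;
    return false;
}
// Constructed sample: accounts a and b, identities A and B, a is the default.
MailConfig sampleConfig() {
    MailConfig c;
    c.accounts["a"] = SmtpAccount{"smtp.a.example", "user-a", "pw-a"};
    c.accounts["b"] = SmtpAccount{"smtp.b.example", "user-b", "pw-b"};
    c.identityAccount["A"] = "a"; c.identityAccount["B"] = "b";
    c.defaultAccount = "a";
    return c;
}
int main() {
    MailConfig cfg = sampleConfig();
    SendPlan bad = planAsReported(cfg, "B"), good = planBound(cfg, "B");
    std::cout << "reported: " << bad.connectHost << " ok=" << credentialsMatchHost(cfg, bad) << "\n"
              << "bound:    " << good.connectHost << " ok=" << credentialsMatchHost(cfg, good) << "\n";
}
```

The guard is independent of the resolver, so it still blocks the AUTH step if some other code path assembles a mismatched host and credential pair.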