Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS for mail watches #138

Open
GoogleCodeExporter opened this issue Aug 19, 2015 · 4 comments
Open

TLS for mail watches #138

GoogleCodeExporter opened this issue Aug 19, 2015 · 4 comments
Labels
auto-migrated Priority-Medium Security Type-Enhancement WatchType-Mail

Comments

@GoogleCodeExporter
Copy link 

It is unclear whether the email watch supports connecting via TLS. This is
very frustrating, especially for mail servers which still allow plain-text
connections. I want to be certain my credentials will not be sent in the
clear. There should be an explicit option, like "Require TLS".  This way if
a server doesn't advertise STARTTLS or the negotiation fails, it will give
an error.

Original issue reported on code.google.com by [email protected] on 18 Apr 2008 at 7:28
@GoogleCodeExporter
Copy link
Author 

I would have set this to an "enhancement" instead of a "defect," however this 
Google
issue tracker wouldn't let me.  Needless to say, I'm not a fan!

Original comment by [email protected] on 18 Apr 2008 at 7:30

@GoogleCodeExporter
Copy link
Author 

Hi, I'm a bit unfamiliar with TLS (or any encrytion, for that matter) so I'll 
leave
this enhancement for others to "Accept" (if you want to provide a patch though, 
you
are welcome to do so). I'll just clarify some things:
- you are aware that there is an option for using SSL?
- does this apply to all of mail watches (POP3, IMAP, gmail)?
- this is about having a checkbox "Use TLS" below the "Use SSL" checkbox, right?

P.s.: Google's issue tracker system does not allow non-admins to change the 
tags of a
bug report, so everything is filed as a "Defect" initally by default. Not a big 
deal
if you have a compulsive bug triager such as me ;) I much prefer this bug 
tracker to
sourceforge (or even launchpad, though it got better lately). It's cleaner, 
faster
and more flexible. I'm a huge fan. My 2 cents :)

Original comment by [email protected] on 18 Apr 2008 at 4:29

  • Changed title: TLS for mail watches
  • Added labels: Security, Type-Enhancement, WatchType-Mail
  • Removed labels: Type-Defect

@GoogleCodeExporter
Copy link
Author 

Well I believe SSL is deprecated and should not be used, other than to access 
old,
poorly-configured mail servers.  TLS is transparent encryption (on port 143 for
IMAP), activated using the STARTTLS command.  gmail already requires it, I 
believe,
so it must already be using it.  It should be added for IMAP though (and 
possibly
POP--I don't use it myself).  TLS should always be used automatically if the 
IMAP
server advertises the STARTTLS capability.  The option I am proposing is 
"Require
TLS" so that the connection will not even proceed without STARTTLS, disabling
plaintext logins.  Hopefully this is clear.

I took a quick look at the source, and it appears watch_mail_imap.py uses 
imaplib,
which does not support TLS by default.  tlslite [http://trevp.net/tlslite/]
supposedly integrates with imaplib, though I have not used it.  I don't know if 
you
want to add an additional dependency to specto, and I notice tlslite is not even
packaged for Ubuntu.  I suppose this is a bit more complicated than I initially
envisaged. :)

Original comment by [email protected] on 18 Apr 2008 at 5:32

@GoogleCodeExporter
Copy link
Author

Original comment by [email protected] on 3 Oct 2009 at 3:02

  • Changed state: Accepted

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auto-migrated Priority-Medium Security Type-Enhancement WatchType-Mail
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@GoogleCodeExporter