[PLUG] thunderbird sending plaintext passwords when talking to dovecot
Galen Seitz
galens at seitzassoc.com
Sat Oct 21 03:36:19 UTC 2006
I'm seeing a problem where thunderbird sends passwords in the clear
while talking to a dovecot imap server. Thunderbird is configured to
use imap without SSL, TLS, or secure authentication. This was done
intentionally just as a test. Dovecot is configured to disallow
plaintext authentication. I was expecting thunderbird to not even
attempt to log in, but it does anyway. Is this normal?
Dovecot sends the following in response to thunderbird's capability
request.
* CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN LISTEXT LIST-SUBSCRIBED NAMESPACE STARTTLS LOGINDISABLED\r\n
Since it says LOGINDISABLED, I expected thunderbird to just give up, but
instead it prompts for a password anyway. After entering a password and
hitting return, I see the username and password in the clear on the
wire.
2 login "user" "notapassword"\r\n
Thunderbird then pops up an alert message from dovecot.
* BAD [ALERT] Plaintext authentication is disabled, but your client sent password in plaintext anyway.If anyone was listening, the password was exposed.\r\n
Dovecot is dovecot-0.99.11-4.EL4 running on Centos 4.3.
Thunderbird is thunderbird-1.0.8-1.1.fc4 running on Fedora 4.
My goal is to use imap when connecting via localhost and imaps for
everything else. I suppose I can block imap using iptables or possibly
tcpwrappers, but I didn't think that would be necessary.
galen
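The exchange above illustrates the rule in RFC 3501 section 7.2.1: a client must not issue LOGIN while the server advertises LOGINDISABLED and no TLS session has been started. The following script is an added example, not code from the post or from Dovecot or Thunderbird. It walks a captured client/server exchange (the sample is constructed from the lines quoted in the post, plus an assumed greeting line and assumed direction markers), tracks the advertised capabilities and whether STARTTLS was issued, and reports any plaintext LOGIN sent in violation of that rule, with the password never copied into the report.

```python
"""Detect plaintext IMAP LOGIN attempts made after the server advertised
LOGINDISABLED (RFC 3501 section 7.2.1) and before any STARTTLS."""

import re

# Untagged capability response, e.g. "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
CAPABILITY_RE = re.compile(r"^\* CAPABILITY (?P<caps>.*)$", re.IGNORECASE)
# Client LOGIN command: "<tag> LOGIN <user> <password>"; user may be quoted.
LOGIN_RE = re.compile(r'^(?P<tag>\S+)\s+LOGIN\s+"?(?P<user>[^"\s]+)"?\s+\S', re.IGNORECASE)
# Client STARTTLS command: everything after it would be encrypted on the wire.
STARTTLS_RE = re.compile(r"^\S+\s+STARTTLS\s*$", re.IGNORECASE)


def parse_capabilities(line):
    """Return the set of capability tokens (upper-cased) from an untagged
    CAPABILITY line, or None if the line is not a capability response."""
    m = CAPABILITY_RE.match(line.strip())
    if not m:
        return None
    return {tok.upper() for tok in m.group("caps").split()}


def find_plaintext_logins(exchange):
    """exchange: list of (direction, line) pairs, direction 'S' (server) or
    'C' (client). Returns one dict per LOGIN sent while LOGINDISABLED was
    advertised and no STARTTLS had been issued; the password is omitted."""
    caps = set()
    tls_started = False
    findings = []
    for direction, raw in exchange:
        line = raw.rstrip("\r\n")
        if direction == "S":
            c = parse_capabilities(line)
            if c is not None:
                caps = c  # latest advertised capability set wins
            continue
        if STARTTLS_RE.match(line):
            tls_started = True  # later commands are inside TLS
            continue
        m = LOGIN_RE.match(line)
        if m and "LOGINDISABLED" in caps and not tls_started:
            findings.append({"tag": m.group("tag"), "user": m.group("user")})
    return findings


# Constructed sample mirroring the post; the greeting line is assumed.
SAMPLE_EXCHANGE = [
    ("S", "* OK dovecot ready.\r\n"),
    ("C", "1 CAPABILITY\r\n"),
    ("S", "* CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT "
          "IDLE CHILDREN LISTEXT LIST-SUBSCRIBED NAMESPACE STARTTLS LOGINDISABLED\r\n"),
    ("S", "1 OK Capability completed.\r\n"),
    ("C", '2 login "user" "notapassword"\r\n'),
    ("S", "* BAD [ALERT] Plaintext authentication is disabled, but your client "
          "sent password in plaintext anyway.If anyone was listening, the "
          "password was exposed.\r\n"),
]

# Constructed sample of the behaviour the RFC expects: STARTTLS first.
SAFE_EXCHANGE = [
    ("S", "* OK dovecot ready.\r\n"),
    ("C", "1 CAPABILITY\r\n"),
    ("S", "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"),
    ("S", "1 OK Capability completed.\r\n"),
    ("C", "2 STARTTLS\r\n"),
    ("S", "2 OK Begin TLS negotiation now.\r\n"),
    ("C", '3 login "user" "notapassword"\r\n'),
]

if __name__ == "__main__":
    for name, exchange in (("sample", SAMPLE_EXCHANGE), ("safe", SAFE_EXCHANGE)):
        print(name, find_plaintext_logins(exchange))
```

Run on a real capture by feeding it (direction, line) pairs split out of the decoded TCP stream; a non-empty result is the client-side bug the post describes, and the server's BAD [ALERT] line is the matching server-side signal to alert on in Dovecot logs.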