[PLUG] thunderbird sending plaintext passwords when talking to dovecot

Galen Seitz galens at seitzassoc.com
Sat Oct 21 03:36:19 UTC 2006


I'm seeing a problem where thunderbird sends passwords in the clear
while talking to a dovecot imap server.  Thunderbird is configured to
use imap without SSL, TLS, or secure authentication.  This was done
intentionally just as a test.  Dovecot is configured to disallow
plaintext authentication.  I was expecting thunderbird to not even
attempt to log in, but it does anyway.  Is this normal?


Dovecot sends the following in response to thunderbird's capability
request.

  * CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN LISTEXT LIST-SUBSCRIBED NAMESPACE STARTTLS LOGINDISABLED\r\n

Since it says LOGINDISABLED, I expected thunderbird to just give up, but
instead it prompts for a password anyway.  After entering a password and
hitting return, I see the username and password in the clear on the
wire.

  2 login "user" "notapassword"\r\n

Thunderbird then pops up an alert message from dovecot.

  * BAD [ALERT] Plaintext authentication is disabled, but your client sent password in plaintext anyway.If anyone was listening, the password was exposed.\r\n


Dovecot is dovecot-0.99.11-4.EL4 running on CentOS 4.3.
Thunderbird is thunderbird-1.0.8-1.1.fc4 running on Fedora 4.

My goal is to use imap when connecting via localhost and imaps for
everything else.  I suppose I can block imap using iptables or possibly
tcpwrappers, but I didn't think that would be necessary.


galen
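The client-side rule the post expects (RFC 3501: a client must not send LOGIN while the server advertises LOGINDISABLED, and should STARTTLS first if offered) and a detector for the plaintext LOGIN line seen on the wire, written here as an added example; it is not code from the post, from Thunderbird or from Dovecot, and the function names are hypothetical. The sample lines are copies of the ones quoted in the message.

```python
import re

# Constructed copy of the CAPABILITY reply quoted in the post.
SAMPLE_CAPABILITY = ("* CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE "
                     "CHILDREN LISTEXT LIST-SUBSCRIBED NAMESPACE STARTTLS LOGINDISABLED\r\n")

# Constructed copy of the client command observed on the wire.
SAMPLE_LOGIN = '2 login "user" "notapassword"\r\n'


def parse_capabilities(line: str) -> set:
    """Return the capability set from an untagged '* CAPABILITY ...' reply, or from a
    greeting / OK response that carries '[CAPABILITY ...]' as a response code."""
    line = line.rstrip("\r\n")
    m = re.match(r"\* CAPABILITY (.*)", line, re.IGNORECASE)
    if m is None:
        m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    if m is None:
        return set()
    return {cap.upper() for cap in m.group(1).split()}


def choose_auth_action(caps: set, tls_active: bool) -> str:
    """Decide what a conforming client does before sending credentials.
    'login'    - plaintext LOGIN is acceptable (TLS already up, or server allows it)
    'starttls' - LOGIN is disabled on this connection but STARTTLS is offered: upgrade first
    'refuse'   - LOGIN is disabled and no STARTTLS: never send the password"""
    if tls_active or "LOGINDISABLED" not in caps:
        return "login"
    if "STARTTLS" in caps:
        return "starttls"
    return "refuse"


# Matches a tagged LOGIN with quoted or atom arguments. A client may also send the
# password as an IMAP literal ({n}\r\n...), which this single-line check does not cover.
_LOGIN_RE = re.compile(r'^\S+\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)\s*$', re.IGNORECASE)


def is_plaintext_login(client_line: str) -> bool:
    """True if a captured client line is a LOGIN command carrying the password in clear."""
    return _LOGIN_RE.match(client_line.rstrip("\r\n")) is not None


if __name__ == "__main__":
    caps = parse_capabilities(SAMPLE_CAPABILITY)
    print(choose_auth_action(caps, tls_active=False))  # starttls
    print(is_plaintext_login(SAMPLE_LOGIN))            # True
```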