OfflineIMAP / offlineimap

Read/sync your IMAP mailboxes (python2) [LEGACY: move to offlineimap3]
http://www.offlineimap.org

No enforcement of STARTTLS. #669

Open duesee opened 4 years ago

duesee commented 4 years ago

Offlineimap does not enforce the use of STARTTLS when the server does not advertise the STARTTLS capability. Instead, it will provide the credentials in plaintext.

I wanted to raise the question if this is supposed to stay like this or could possibly be changed such that when STARTTLS is configured it is enforced. In the case the server does not advertise STARTTLS, the correct behaviour should be to provide a hint to use implicit TLS instead (preferred) or to require the user to explicitly enable this behaviour (with a warning).

I evaluated that behaviour in a ton of email clients and offlineimap is really one of the very few clients still behaving that way. This should really be changed. See also https://tools.ietf.org/html/rfc8314

Edit: in case STARTTLS will be enforced in the future, the certificate must obviously also be checked. Otherwise this doesn't help a lot :-)

Edit 2: I made the suggestion clearer.
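The downgrade described in this report, placed beside the enforced behaviour it asks for, as an added Python 3 example (not offlineimap's own code). `imaplib.IMAP4.starttls()` and `ssl.create_default_context()` are standard-library calls; the `FakeIMAP` class and its capability lists are constructed here so the policy can be exercised offline, and `connect_enforced` is a hypothetical helper name.

```python
"""Refuse to send IMAP credentials when STARTTLS was expected but is not offered.

Added illustration for this thread; not offlineimap's code. Standard library only.
"""
import imaplib
import ssl


class StarttlsRequired(Exception):
    """STARTTLS was configured, but the server's pre-TLS CAPABILITY reply lacks it."""


def _caps(capabilities):
    # imaplib exposes capabilities as a tuple of str (bytes on some older releases)
    return {c.decode("ascii") if isinstance(c, bytes) else c for c in capabilities}


def starttls_decision(capabilities, allow_plaintext=False):
    """Policy applied to the (unauthenticated, unencrypted) CAPABILITY reply.

    'starttls'  - capability advertised, upgrade before LOGIN
    'plaintext' - not advertised, but the user explicitly accepted the risk
    'refuse'    - not advertised and no opt-in: the secure default
    """
    if "STARTTLS" in {c.upper() for c in _caps(capabilities)}:
        return "starttls"
    return "plaintext" if allow_plaintext else "refuse"


def downgrade_prone_login(conn, user, password):
    """The pattern the issue complains about: upgrade if possible, log in regardless."""
    if "STARTTLS" in _caps(conn.capabilities):
        conn.starttls()
    return conn.login(user, password)  # with no TLS the password crosses the wire in clear


def enforced_login(conn, user, password, allow_plaintext=False, ssl_context=None):
    """Hardened pattern: no credentials unless TLS is up or plaintext was opted into."""
    action = starttls_decision(conn.capabilities, allow_plaintext)
    if action == "refuse":
        conn.logout()
        raise StarttlsRequired(
            "server did not advertise STARTTLS; use implicit TLS (IMAPS, port 993) "
            "or set allow_plaintext=True to accept sending the password in clear")
    if action == "starttls":
        # create_default_context() verifies the chain and hostname (CERT_REQUIRED);
        # imaplib passes server_hostname=self.host, so a forged cert aborts here.
        conn.starttls(ssl_context or ssl.create_default_context())
    return conn.login(user, password)


def connect_enforced(host, user, password, port=143, allow_plaintext=False):
    """Hypothetical helper: open a plain IMAP socket and apply enforced_login to it."""
    conn = imaplib.IMAP4(host, port)
    enforced_login(conn, user, password, allow_plaintext)
    return conn


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4 so both strategies run offline."""

    def __init__(self, capabilities):
        self.capabilities = capabilities
        self.tls = False
        self.plaintext_login = False
        self.closed = False

    def starttls(self, ssl_context=None):
        self.tls = True

    def login(self, user, password):
        if not self.tls:
            self.plaintext_login = True  # the leak this issue is about
        return ("OK", [b"LOGIN completed"])

    def logout(self):
        self.closed = True
        return ("BYE", [b"closing"])


def simulate(capabilities, allow_plaintext=False):
    """Run both login strategies against a fake server with the given CAPABILITY reply."""
    legacy = FakeIMAP(capabilities)
    downgrade_prone_login(legacy, "alice", "s3cret")
    hardened = FakeIMAP(capabilities)
    try:
        enforced_login(hardened, "alice", "s3cret", allow_plaintext)
        refused = False
    except StarttlsRequired:
        refused = True
    return {
        "legacy_leaked_password": legacy.plaintext_login,
        "hardened_refused": refused,
        "hardened_leaked_password": hardened.plaintext_login,
        "hardened_closed": hardened.closed,
    }


if __name__ == "__main__":
    print(simulate(("IMAP4rev1", "AUTH=PLAIN")))               # legacy leaks, hardened refuses
    print(simulate(("IMAP4rev1", "STARTTLS", "AUTH=PLAIN")))   # both upgrade, nothing leaks
```

The decision is taken on the pre-TLS capability list, which an on-path party can rewrite, so the only safe outcomes are "upgrade" or "refuse"; a missing capability is never grounds for a silent fallback. The refuse branch also issues LOGOUT before raising so that no later code path can reuse the still-plaintext connection.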

chris001 commented 4 years ago

Absolutely agree. Email security is of paramount importance! This old way of doing security (silent downgrade to cleartext zero encryption, just to accomplish the goal of completing the task) MUST be fixed to enforce encryption and fail with an informative message when unable to.