Security: Imbox (and other libs) do not validate certificates

[dmth]

The colleagues from Abusehelper realised some flaws concerning their SSL implementation: https://github.com/abusesa/abusehelper/blob/master/docs/SECURITY-2016-01.md

@bernhard-herzog reviewed some parts of IntelMQ.

The library "imbox", which is used by the Mail-Collectors, does not validate the certificate of the IMAP Server. It is not possible to force the library to do so.

We also checked:

• requests: The library does behave well on Ubuntu 14.04
• sleekxmpp: It is possible to tell sleekxmpp to uses a certificate store, currently this is not done

To discuss:

• Remove the dependency of Imbox and do "IMAP by hand" or persuade Imbox maintainer to add the option to configure SSL.
• Initiate XMPPClient correctly with a CertificateStore
• Create an IntelMQ-Wide usable configuration-variable for a CertificateStore.

[dmth]

Opened an Issue at IMBOX: https://github.com/martinrusev/imbox/issues/68

[sebix]

Also also would like to see this fixed upstream. Creating our own library is much more work than patching the existing code. Thanks for bringing this upstream.

[dmth]

We created a PR for this issue in IMBOX. This one was merged upstream. A new imbox release should fix the issues with imbox.

sleekxmpp is still unresolved

[dmth]

There is a new Imbox-Relase: https://pypi.python.org/pypi/imbox/0.8.5