domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

IMAP: Support STARTTLS #205

Open MarcelWaldvogel opened 3 years ago

MarcelWaldvogel commented 3 years ago

The IMAP client currently only supports TLS over the legacy SSL protocol (direct handshake to port 993). However, there are mail servers out there which do not support that (anymore); they insist on STARTTLS to port 143.

The code change is easy (add a starttls flag; if this is set, the default port is 143 and call starttls() after connecting).

However, I would like to discuss the transition semantics here. Right now, IMAPS is the default, due to default ssl = True.

There are several options, e.g.:

  1. Make ssl = False imply starttls = True (there should be no plaintext passwords out there anyway); however, this might break some installations.
  2. Make starttls = True override ssl = True and port = 993 defaults; then the default would be more complicated (requires handling that in a few places, probably, and might cause user confusion).
  3. Make starttls = True and port = 143 the new default.

I would prefer 3, as this should be the standard today; however, using 2 would break fewer things, even though the code might be more complex. Opinions?

(Maybe has some interaction with #189)

Carbenium commented 3 years ago

To add my 2 cents: Since the publication of RFC8314 in Jan. 2018, the usage of STARTTLS for IMAP, POP3 and message submission is discouraged. "Implicit TLS" (as the standard calls it) should be used for these services.

So changing the default to STARTTLS would be a step backwards.

MarcelWaldvogel commented 3 years ago

I was not aware of RFC8314. So feel free to give this issue low priority or close with WONTFIX.

supaeasy commented 3 years ago

It works fine with STARTTLS. But over port 993. At least my hoster tells me they are only offering STARTTLS. Port 143 as suggested by them gives an error.

MarcelWaldvogel commented 3 years ago

993 should not support STARTTLS. Instead, it is "Implicit TLS". Implicit TLS is what HTTPS does: Directly start the TLS handshake, and only after this is successful, send any data to the application-layer protocol.

STARTTLS instead starts with the application-layer protocol (in this case, IMAP), so some handshaking/feature detection can be done there. If the client would like to switch to TLS, it issues the STARTTLS command. Otherwise, they continue talking plaintext.
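As an added example (not parsedmarc's own code), the two transport modes compared in this thread expressed with Python's imaplib, together with a small helper implementing option 2 from the opening post (an explicit starttls flag overrides the ssl/993 defaults); the parameter names mirror the issue, and the host is an assumption. Both modes pass a verifying SSLContext, because imaplib's own default context does not verify the server certificate.

```python
import imaplib
from dataclasses import dataclass
from ssl import create_default_context

IMAPS_PORT = 993   # implicit TLS: TLS handshake first, IMAP only afterwards
IMAP_PORT = 143    # cleartext IMAP, upgraded in-band with the STARTTLS command


@dataclass(frozen=True)
class ImapTransport:
    mode: str   # "implicit_tls", "starttls" or "plaintext"
    port: int


def resolve_transport(ssl=True, starttls=False, port=None):
    """Option 2 from the issue: starttls=True overrides the ssl=True / 993
    defaults; otherwise ssl decides between implicit TLS on 993 and plaintext
    on 143.  A port given explicitly is always kept."""
    if starttls:
        mode, default_port = "starttls", IMAP_PORT
    elif ssl:
        mode, default_port = "implicit_tls", IMAPS_PORT
    else:
        mode, default_port = "plaintext", IMAP_PORT
    return ImapTransport(mode, port if port is not None else default_port)


def connect(host, ssl=True, starttls=False, port=None, timeout=30):
    """Open the IMAP connection in the resolved mode.  create_default_context()
    verifies the certificate chain and checks the hostname in both TLS modes;
    imaplib's implicit default context would not."""
    transport = resolve_transport(ssl, starttls, port)
    ctx = create_default_context()
    if transport.mode == "implicit_tls":
        # Port 993: TLS is negotiated before a single IMAP byte is exchanged.
        return imaplib.IMAP4_SSL(host, transport.port, ssl_context=ctx, timeout=timeout)
    conn = imaplib.IMAP4(host, transport.port, timeout=timeout)
    if transport.mode == "starttls":
        # Port 143: upgrade the cleartext session before any credentials are
        # sent; imaplib raises if the server does not advertise STARTTLS.
        conn.starttls(ssl_context=ctx)
    return conn


if __name__ == "__main__":
    # Hypothetical host; with the defaults this is an implicit-TLS connection on 993.
    print(resolve_transport(), resolve_transport(starttls=True))
```

Calling starttls() on an IMAP4_SSL connection raises, which is the behaviour behind the "STARTTLS over 993" confusion above: on 993 the session is already TLS before the command could be issued.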