go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
44.09k stars 5.41k forks

Non-PLAIN authentication for [email.incoming] #28690

Open karolyi opened 8 months ago

karolyi commented 8 months ago

Feature Description

Hey,

right now, the incoming emails are checked by logging in with IMAP and PLAIN authentication.

I want to turn the PLAIN method off in my IMAP server, so at least CRAM-MD5 auth support would be nice, even if it's already obsolete. Most clients still use it.


KN4CK3R commented 8 months ago

What's wrong with PLAIN combined with an encrypted connection? CRAM-MD5 shouldn't be used unencrypted either.

Currently Gitea uses Login() (https://github.com/emersion/go-imap/blob/999137ed5d403eb3efbf83dcd1246b40b0fdccfa/client/cmd_noauth.go#L87). It may be possible to support Authenticate() (https://github.com/emersion/go-imap/blob/999137ed5d403eb3efbf83dcd1246b40b0fdccfa/client/cmd_noauth.go#L87) too, but the helper library https://github.com/emersion/go-sasl doesn't support much more. CRAM-MD5 was blocked: https://github.com/emersion/go-sasl/pull/15
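As an added example (not Gitea's, go-imap's or go-sasl's code), here is what a CRAM-MD5 client looks like when written in the two-method Start/Next shape that a SASL client interface like go-sasl's uses; the interface is mirrored locally as an assumption so the block builds without the library, and the response format follows RFC 2195, checked against that RFC's sample exchange.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/hex"
	"errors"
	"fmt"
)

// SASLClient mirrors the shape of a SASL client interface (assumption: defined
// here so the example does not depend on go-sasl).
type SASLClient interface {
	Start() (mech string, ir []byte, err error)
	Next(challenge []byte) (response []byte, err error)
}

// cramMD5Client answers exactly one CRAM-MD5 challenge (RFC 2195).
type cramMD5Client struct {
	username, secret string
	done             bool
}

func NewCramMD5Client(username, secret string) SASLClient {
	return &cramMD5Client{username: username, secret: secret}
}

// Start: CRAM-MD5 is server-first, so there is no initial response.
func (c *cramMD5Client) Start() (string, []byte, error) {
	return "CRAM-MD5", nil, nil
}

// Next returns "<user> <hex(HMAC-MD5(secret, challenge))>". The secret never
// crosses the wire; the MD5-based MAC is why the mechanism is obsolete.
func (c *cramMD5Client) Next(challenge []byte) ([]byte, error) {
	if c.done {
		return nil, errors.New("cram-md5: unexpected second challenge")
	}
	c.done = true
	mac := hmac.New(md5.New, []byte(c.secret))
	mac.Write(challenge)
	return []byte(fmt.Sprintf("%s %s", c.username, hex.EncodeToString(mac.Sum(nil)))), nil
}

func main() {
	// Constructed from the RFC 2195 sample exchange (already base64-decoded).
	c := NewCramMD5Client("tim", "tanstaaftanstaaf")
	mech, _, _ := c.Start()
	resp, _ := c.Next([]byte("<1896.697170952@postoffice.reston.mci.net>"))
	fmt.Println(mech, string(resp))
}
```

An IMAP library that accepts such a client (as go-imap's Authenticate() does for go-sasl clients) would call Start, base64-decode the server's challenge, pass it to Next and base64-encode the reply.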

karolyi commented 8 months ago

Hey,

What's wrong is called MitM, a.k.a. a man-in-the-middle attack. We are living in a period where adversaries increasingly have the ability to execute such an attack. One example is the recent MitM on the jabber.ru server.

SCRAM-*-PLUS would be the ideal (and most modern) authentication method because the -PLUS variants support channel binding; unfortunately there is not much support for it out there, server-wise either.

CRAM-MD5 would be an acceptable minimum security for me.

KN4CK3R commented 8 months ago

If your adversaries can do MitM attacks on TLS encrypted connections you may have bigger problems than the email login. 😅 I think such a feature must be provided upstream not by Gitea itself.

karolyi commented 8 months ago

You are not wrong.

Although, I can't enforce hashed authentication now on the clients I serve with IMAP, because Gitea doesn't support it and can't log in.

Hence my feature request.