Open karolyi opened 8 months ago
What's wrong with PLAIN combined with an encrypted connection? CRAM-MD5 shouldn't be used unencrypted either.
Currently Gitea uses Login()
(https://github.com/emersion/go-imap/blob/999137ed5d403eb3efbf83dcd1246b40b0fdccfa/client/cmd_noauth.go#L87). It may be possible to support Authenticate()
(https://github.com/emersion/go-imap/blob/999137ed5d403eb3efbf83dcd1246b40b0fdccfa/client/cmd_noauth.go#L87) too, but the helper library https://github.com/emersion/go-sasl doesn't support much more. CRAM-MD5 was blocked: https://github.com/emersion/go-sasl/pull/15
Hey,
what's wrong is called MitM, a.k.a. man-in-the-middle attack. We are living in a period where adversaries increasingly have the ability to execute such an attack. One example is the recent MitM on the jabber.ru server.
SCRAM-*-PLUS would be the ideal (and most modern) authentication method because the -PLUS variants support channel binding; unfortunately there isn't much support for it out there, server-wise either.
CRAM-MD5 would be an acceptable minimum security for me.
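To make the mechanism under discussion concrete, here is an added example (not code from Gitea, go-imap or go-sasl) of both sides of a CRAM-MD5 exchange (RFC 2195) using only the Go standard library. The challenge and credentials are the RFC's own test vector; the one-entry user database is constructed for the example. It also shows the caveat a server operator should weigh: the verifier needs the plaintext password (or its MD5 key state), so it cannot be stored as a salted, slow hash.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// cramMD5Response is the client side: base64("<user> " + hex(HMAC-MD5(key=password, msg=challenge))).
// The password itself never crosses the wire, only an HMAC over the server's one-time challenge.
func cramMD5Response(user, password, challenge string) string {
	mac := hmac.New(md5.New, []byte(password))
	mac.Write([]byte(challenge))
	digest := hex.EncodeToString(mac.Sum(nil))
	return base64.StdEncoding.EncodeToString([]byte(user + " " + digest))
}

// verifyCRAMMD5 is the server side. lookup returns the stored plaintext password for a user;
// the server must hold it (or the equivalent MD5 key state) to recompute the HMAC, which is
// why a leaked CRAM-MD5 credential store exposes every password directly.
func verifyCRAMMD5(lookup func(user string) (string, bool), challenge, response string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(response)
	if err != nil {
		return "", false
	}
	user, digest, ok := strings.Cut(string(raw), " ")
	if !ok {
		return "", false
	}
	password, known := lookup(user)
	if !known {
		return "", false
	}
	mac := hmac.New(md5.New, []byte(password))
	mac.Write([]byte(challenge))
	expected := hex.EncodeToString(mac.Sum(nil))
	// Constant-time comparison so timing does not reveal how many digest bytes matched.
	return user, hmac.Equal([]byte(expected), []byte(digest))
}

func main() {
	// Constructed user database with the RFC 2195 example credentials.
	db := map[string]string{"tim": "tanstaaftanstaaf"}
	lookup := func(u string) (string, bool) { p, ok := db[u]; return p, ok }
	challenge := "<1896.697170952@postoffice.reston.mci.net>" // RFC 2195 example challenge
	fmt.Println("S: +", base64.StdEncoding.EncodeToString([]byte(challenge)))
	resp := cramMD5Response("tim", db["tim"], challenge)
	fmt.Println("C:", resp)
	user, ok := verifyCRAMMD5(lookup, challenge, resp)
	fmt.Printf("server accepts %q: %v\n", user, ok)
}
```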
If your adversaries can do MitM attacks on TLS encrypted connections you may have bigger problems than the email login. 😅 I think such a feature must be provided upstream not by Gitea itself.
You are not wrong.
Although, I can't enforce a hashed authentication now on clients I serve with IMAP, because Gitea doesn't support it and can't log in.
Hence my feature request.
Feature Description
Hey,
right now, the incoming emails are checked by logging in with IMAP and PLAIN authentication.
I want to turn the PLAIN method off in my IMAP server, so at least CRAM-MD5 auth support would be nice, even if it's already obsolete. Most clients still use it.