Open soywod opened 4 months ago
Testing ...
$ openssl s_client -crlf -connect imap.163.com:993
* OK IMAP4 ready
a login test@163.com abcdef
a NO LOGIN Login error or password error
$ nc -C imap.163.com 143
* OK IMAP4 ready
a login test@163.com abcdef
a NO LOGIN Login error or password error
It sounds a bit like "server reporting unencrypted login", but it doesn't seem to be the case as we get the same error with and w/o encryption.
Do we need valid credentials to reproduce the "Unsafe Login. Please contact kefu@188.com for help" message?
> Do we need valid credentials to reproduce the "Unsafe Login. Please contact ***@***.*** for help" message?
I would say yes, because the error comes straight after selecting a mailbox (which requires auth).
I asked the person who reported the bug to create a fake account for us. I will also use it for testing email-lib.
> I asked the person who reported the bug to create a fake account for us. I will also use it for testing email-lib.
I got testing credentials, where can I safely share them with you?
Can you write me a PM on Matrix? :-)
Which action needs to be done for this issue? Contacting the mail provider? From my side I can add a config option to exchange ids after authentication.
This is a vendor issue since they are implementing the standard wrong, so yes, contact them.
Grr... sorry. I still have "Recheck 188.com" on my TODO list but so little time... Were you able to reproduce it with the credentials you got to clearly see it's the missing ID provoking the error?
I think there is not a good way to mitigate this unfortunately...
If you add an option to send ID, you have to maintain the option. But: How do you know when to activate it? Only for 188.com? Seems weird to give them free advertisement for bad behavior... Always sending ID just to mitigate this is not great either :-/ Fingers crossed they will fix it.
> Were you able to reproduce it with the credentials you got to clearly see it's the missing ID provoking the error?
No, I can do it tomorrow morning.
> How do you know when to activate it?
I thought to have a config entry that triggers the ids exchange after client creation (sth generic, not related to 163). Users should enable the option manually. This could be documented, in a dedicated 163 section. A bit like the Gmail section and App password.
I confirm the defect:
$ openssl s_client -crlf -connect imap.163.com:993
* OK IMAP4 ready
A1 LOGIN pimalaya@163.com *****
A1 OK LOGIN completed
A2 SELECT INBOX
A2 NO SELECT Unsafe Login. Please contact kefu@188.com for help
It's even worse: 163 requires you to send a non-empty ID (no matter the content, I tried with different values):
A3 ID ()
* ID ("name" "Coremail Imap" "vendor" "Mailtech" "TransID" "IcalGAAAAAuSxWbphHkA")
A3 OK ID completed
A4 SELECT INBOX
A4 NO SELECT Unsafe Login. Please contact kefu@188.com for help
A5 ID ("dumb" "id")
* ID ("name" "Coremail Imap" "vendor" "Mailtech" "TransID" "IcalGAAAAAuSxWbphHkA")
A5 OK ID completed
A6 SELECT INBOX
* 2 EXISTS
* 2 RECENT
* OK [UIDVALIDITY 1] UIDs valid
* FLAGS (\Answered \Seen \Deleted \Draft \Flagged)
* OK [PERMANENTFLAGS (\Answered \Seen \Deleted \Draft \Flagged)] Limited
A6 OK [READ-WRITE] SELECT completed
As stated in RFC2871:
Servers MUST NOT deny access to or refuse service for a client based on information from the ID command
I will contact them and let you know.
https://todo.sr.ht/~soywod/pimalaya/201
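
One way the opt-in ID exchange discussed in this thread could be built, as an added example rather than email-lib code: `ImapIdOption`, `IdError` and `id_command` are hypothetical names. It sends nothing by default, rejects the empty list that did not unlock SELECT in the session above, applies the ID extension's size limits (30 pairs, 30-octet fields, 1024-octet values), and refuses CR/LF so a configured value cannot append a second command to the line.

```rust
// Added example, not email-lib code; all names here are hypothetical.

/// Opt-in setting: `None` (the default) sends no ID, so nothing about the client is disclosed.
pub type ImapIdOption = Option<Vec<(String, String)>>;

#[derive(Debug, PartialEq)]
pub enum IdError {
    Empty,                // `ID ()` did not unlock SELECT in the session above
    TooManyPairs(usize),  // more than 30 field/value pairs
    FieldTooLong(String), // field name longer than 30 octets
    ValueTooLong(String), // value longer than 1024 octets (carries the field name)
    UnsafeChar(String),   // CR, LF, NUL or non-ASCII cannot go in a quoted string
}

/// Quote one string for the wire, refusing bytes that could break out of the command line.
fn quote(s: &str) -> Result<String, IdError> {
    if s.bytes().any(|b| b == b'\r' || b == b'\n' || b == 0 || !b.is_ascii()) {
        return Err(IdError::UnsafeChar(s.to_string()));
    }
    Ok(format!("\"{}\"", s.replace('\\', "\\\\").replace('"', "\\\"")))
}

/// Build the command to send after LOGIN and before SELECT (no tag, no CRLF).
pub fn id_command(opt: &ImapIdOption) -> Result<Option<String>, IdError> {
    let pairs = match opt {
        None => return Ok(None),
        Some(p) => p,
    };
    if pairs.is_empty() {
        return Err(IdError::Empty);
    }
    if pairs.len() > 30 {
        return Err(IdError::TooManyPairs(pairs.len()));
    }
    let mut items = Vec::with_capacity(pairs.len() * 2);
    for (field, value) in pairs {
        if field.len() > 30 {
            return Err(IdError::FieldTooLong(field.clone()));
        }
        if value.len() > 1024 {
            return Err(IdError::ValueTooLong(field.clone()));
        }
        items.push(quote(field)?);
        items.push(quote(value)?);
    }
    Ok(Some(format!("ID ({})", items.join(" "))))
}

fn main() {
    let opt: ImapIdOption = Some(vec![("dumb".into(), "id".into())]);
    println!("{:?}", id_command(&opt));
}
```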