modern-email / defects

Collection of real-world email defects
MIT License

Enforcement of `ID` before `SELECT` #25

Open soywod opened 4 months ago

soywod commented 4 months ago

https://todo.sr.ht/~soywod/pimalaya/201

duesee commented 4 months ago

Testing ...

$ openssl s_client -crlf -connect imap.163.com:993
* OK IMAP4 ready
a login test@163.com abcdef
a NO LOGIN Login error or password error
$ nc -C imap.163.com 143
* OK IMAP4 ready
a login test@163.com abcdef
a NO LOGIN Login error or password error

It sounds a bit like "server reporting unencrypted login", but it doesn't seem to be the case as we get the same error with and w/o encryption.

Do we need valid credentials to reproduce the Unsafe Login. Please contact kefu@188.com for help message?

soywod commented 4 months ago

Do we need valid credentials to reproduce the Unsafe Login. Please contact ***@***.*** for help message?

I would say yes, because the error comes straight after selecting a mailbox (which requires auth).

I asked the person who reported the bug to create a fake account for us. I will also use it for testing email-lib.

soywod commented 4 months ago

I asked the person who reported the bug to create a fake account for us. I will also use it for testing email-lib.

I got testing credentials, where can I safely share them with you?

duesee commented 4 months ago

Can you write me a PM on Matrix? :-)

soywod commented 1 month ago

Which action needs to be done for this issue? Contacting the mail provider? From my side I can add a config option to exchange ids after authentication.

epilys commented 1 month ago

This is a vendor issue since they are implementing the standard wrong, so yes, contact them.

duesee commented 1 month ago

Grr... sorry. I still have "Recheck 188.com" on my TODO list but so little time... Were you able to reproduce it with the credentials you got to clearly see it's the missing ID provoking the error?

I think there is not a good way to mitigate this unfortunately...

If you add an option to send ID, you have to maintain the option. But: How do you know when to activate it? Only for 188.com? Seems weird to give them free advertisement for bad behavior... Always sending ID just to mitigate this is not great either :-/ Fingers crossed they will fix it.

soywod commented 1 month ago

Were you able to reproduce it with the credentials you got to clearly see it's the missing ID provoking the error?

No, I can do it tomorrow morning.

How do you know when to activate it?

I thought of having a config entry that triggers the ID exchange after client creation (something generic, not related to 163). Users should enable the option manually. This could be documented, in a dedicated 163 section. A bit like the Gmail section and App password.

soywod commented 1 month ago

I confirm the defect:

$ openssl s_client -crlf -connect imap.163.com:993
* OK IMAP4 ready

A1 LOGIN pimalaya@163.com *****
A1 OK LOGIN completed

A2 SELECT INBOX
A2 NO SELECT Unsafe Login. Please contact kefu@188.com for help

It's even worse: 163 forces you to send a non-empty ID (no matter the content, I tried with different values):

A3 ID ()
* ID ("name" "Coremail Imap" "vendor" "Mailtech" "TransID" "IcalGAAAAAuSxWbphHkA")
A3 OK ID completed

A4 SELECT INBOX
A4 NO SELECT Unsafe Login. Please contact kefu@188.com for help

A5 ID ("dumb" "id")
* ID ("name" "Coremail Imap" "vendor" "Mailtech" "TransID" "IcalGAAAAAuSxWbphHkA")
A5 OK ID completed

A6 SELECT INBOX
* 2 EXISTS
* 2 RECENT
* OK [UIDVALIDITY 1] UIDs valid
* FLAGS (\Answered \Seen \Deleted \Draft \Flagged)
* OK [PERMANENTFLAGS (\Answered \Seen \Deleted \Draft \Flagged)] Limited
A6 OK [READ-WRITE] SELECT completed

As stated in RFC2871:

Servers MUST NOT deny access to or refuse service for a client based on information from the ID command

I will contact them and let you know.
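The exchange soywod confirmed above, reproduced as an added example that is not part of this issue or of email-lib: a constructed stand-in for the observed server behaviour (SELECT refused after LOGIN until a non-empty ID has been sent) next to a client helper with the hypothetical opt-in option discussed in the thread (here named `send_id_after_auth`). The server class, the option name and the default ID fields are assumptions made for the example.

```python
import re


class FakeCoremailImap:
    """Constructed stand-in for the behaviour seen on imap.163.com (not a real server):
    LOGIN succeeds, but SELECT is refused until a non-empty ID has been sent."""

    def __init__(self):
        self.authenticated = False
        self.id_sent = False

    def handle(self, line: str) -> str:
        parts = line.split(" ", 2)
        tag, cmd = parts[0], parts[1].upper()
        args = parts[2] if len(parts) > 2 else ""
        if cmd == "LOGIN":
            self.authenticated = True
            return f"{tag} OK LOGIN completed"
        if cmd == "ID":
            # RFC 2971 syntax is ID NIL or ID ("key" "value" ...); the thread shows
            # that ID () is accepted but does not count as "non-empty".
            self.id_sent = re.search(r'"[^"]+"', args) is not None
            return f"{tag} OK ID completed"
        if cmd == "SELECT":
            if not self.authenticated:
                return f"{tag} NO SELECT not authenticated"
            if not self.id_sent:
                return f"{tag} NO SELECT Unsafe Login. Please contact <support address> for help"
            return f"{tag} OK [READ-WRITE] SELECT completed"
        return f"{tag} BAD unknown command"


def open_inbox(server, user, password, send_id_after_auth=False, client_id=None):
    """Log in, optionally send ID (the hypothetical opt-in config option), then
    SELECT INBOX. Returns the tagged response line of the last command sent."""
    tag = 0

    def send(cmd):
        nonlocal tag
        tag += 1
        return server.handle(f"A{tag} {cmd}")

    login = send(f"LOGIN {user} {password}")
    if login.split(" ")[1] != "OK":
        return login
    if send_id_after_auth:
        # Assumed default fields; values must not contain double quotes here.
        fields = client_id if client_id is not None else {"name": "example-client", "version": "0.1"}
        params = "(" + " ".join(f'"{k}" "{v}"' for k, v in fields.items()) + ")"
        send(f"ID {params}")
    return send("SELECT INBOX")
```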