In function get_imap_port(), if IO::Socket::SSL is not available, TLS will be disabled with only a warning: https://github.com/msimerson/mail-dmarc/blob/ac6d3ad2e50c79a409c0fc642ffc2816c2018827/lib/Mail/DMARC/Report/Receive.pm#L191

Considering that in this case the credentials are sent in plain text, it might be better to change the default behavior to fail. The user could opt in via a configuration option (e.g. allow_insecure_imap).

In the same function, the verification of server certificates is disabled if Mozilla::CA is not available. This largely defeats the purpose of using TLS, making it susceptible to MITM attacks. Please consider using the defaults provided by IO::Socket::SSL, as recommended here: https://metacpan.org/pod/IO::Socket::SSL#Common-Usage-Errors
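
A sketch of the fail-closed behavior requested above, added here as an illustration; it is not the project's get_imap_port() and not code from the report. The helper name imap_transport, the returned hash keys and the injectable $have_tls argument are assumptions; allow_insecure_imap is the option name suggested in the report.

```perl
use strict;
use warnings;

# Hypothetical helper (assumption, not the project's get_imap_port()).
# $have_tls can be injected so every branch runs on any machine; when it
# is undefined, the helper probes for IO::Socket::SSL itself.
sub imap_transport {
    my ($config, $have_tls) = @_;
    $have_tls = eval { require IO::Socket::SSL; 1 } ? 1 : 0
        unless defined $have_tls;

    if ($have_tls) {
        # No SSL_verify_mode override and no CA override are passed, so
        # IO::Socket::SSL's own defaults for certificate verification apply
        # whether or not Mozilla::CA is installed.
        return { port => 993, tls => 1, ssl_options => [] };
    }

    # Fail closed: without TLS the IMAP credentials would cross the
    # network in plain text, so refuse unless the user opted in.
    die "IO::Socket::SSL is not installed; refusing plain-text IMAP "
      . "(set allow_insecure_imap to override)\n"
        unless $config->{allow_insecure_imap};

    warn "allow_insecure_imap is set: IMAP credentials will be sent in plain text\n";
    return { port => 143, tls => 0 };
}

# Constructed configurations exercising each branch.
for my $case (
    [ 'TLS available',           {},                           1 ],
    [ 'no TLS, default config',  {},                           0 ],
    [ 'no TLS, explicit opt-in', { allow_insecure_imap => 1 }, 0 ],
) {
    my ($label, $config, $have_tls) = @$case;
    my $plan = eval { imap_transport($config, $have_tls) };
    if ($plan) { printf "%-24s port %d, tls=%d\n", $label, @$plan{qw(port tls)} }
    else       { printf "%-24s refused: %s", $label, $@ }
}
```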