nekohayo / specto

Automatically exported from code.google.com/p/specto

TLS for mail watches #138

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
It is unclear whether the email watch supports connecting via TLS. This is
very frustrating, especially for mail servers which still allow plain-text
connections. I want to be certain my credentials will not be sent in the
clear. There should be an explicit option, like "Require TLS".  This way if
a server doesn't advertise STARTTLS or the negotiation fails, it will give
an error.

Original issue reported on code.google.com by hac...@gmail.com on 18 Apr 2008 at 7:28

GoogleCodeExporter commented 9 years ago
I would have set this to an "enhancement" instead of a "defect," however this Google issue tracker wouldn't let me.  Needless to say, I'm not a fan!

Original comment by hac...@gmail.com on 18 Apr 2008 at 7:30

GoogleCodeExporter commented 9 years ago
Hi, I'm a bit unfamiliar with TLS (or any encryption, for that matter) so I'll leave this enhancement for others to "Accept" (if you want to provide a patch though, you are welcome to do so). I'll just clarify some things:
- you are aware that there is an option for using SSL?
- does this apply to all of mail watches (POP3, IMAP, gmail)?
- this is about having a checkbox "Use TLS" below the "Use SSL" checkbox, right?

P.s.: Google's issue tracker system does not allow non-admins to change the tags of a bug report, so everything is filed as a "Defect" initially by default. Not a big deal if you have a compulsive bug triager such as me ;) I much prefer this bug tracker to sourceforge (or even launchpad, though it got better lately). It's cleaner, faster and more flexible. I'm a huge fan. My 2 cents :)

Original comment by nekoh...@gmail.com on 18 Apr 2008 at 4:29

GoogleCodeExporter commented 9 years ago
Well I believe SSL is deprecated and should not be used, other than to access old, poorly-configured mail servers.  TLS is transparent encryption (on port 143 for IMAP), activated using the STARTTLS command.  gmail already requires it, I believe, so it must already be using it.  It should be added for IMAP though (and possibly POP--I don't use it myself).  TLS should always be used automatically if the IMAP server advertises the STARTTLS capability.  The option I am proposing is "Require TLS" so that the connection will not even proceed without STARTTLS, disabling plaintext logins.  Hopefully this is clear.

I took a quick look at the source, and it appears watch_mail_imap.py uses imaplib, which does not support TLS by default.  tlslite [http://trevp.net/tlslite/] supposedly integrates with imaplib, though I have not used it.  I don't know if you want to add an additional dependency to specto, and I notice tlslite is not even packaged for Ubuntu.  I suppose this is a bit more complicated than I initially envisaged. :)

Original comment by hac...@gmail.com on 18 Apr 2008 at 5:32
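
A sketch of the "Require TLS" behaviour proposed in this thread, as an added example that is not Specto's code or any commenter's: it uses `imaplib.IMAP4.starttls()` from the Python 3 standard library (3.2 and later) rather than tlslite. The names `TLSRequiredError`, `secure_then_login` and `open_mail_watch` are hypothetical.

```python
import imaplib
import ssl


class TLSRequiredError(Exception):
    """Raised instead of sending credentials over a plaintext session."""


def secure_then_login(conn, user, password, require_tls=True, context=None):
    """Upgrade a connected imaplib.IMAP4 via STARTTLS, then log in.

    conn is any object with imaplib.IMAP4's capabilities/starttls/login/
    shutdown members. With require_tls=True the function fails closed.
    """
    # Explicit verifying context: checks the certificate chain and hostname.
    context = context or ssl.create_default_context()
    if "STARTTLS" in conn.capabilities:
        try:
            conn.starttls(ssl_context=context)
        except (imaplib.IMAP4.error, ssl.SSLError, OSError) as exc:
            # A failed handshake never falls back to plaintext.
            conn.shutdown()
            raise TLSRequiredError(f"STARTTLS negotiation failed: {exc}") from exc
    elif require_tls:
        # The pre-TLS capability list is unauthenticated, so a missing
        # STARTTLS entry is treated as an error, not as permission to go on.
        conn.shutdown()
        raise TLSRequiredError("server does not advertise STARTTLS")
    # Reached only over TLS, or in plaintext when the user opted out.
    conn.login(user, password)
    return conn


def open_mail_watch(host, user, password, port=143, require_tls=True):
    """Hypothetical entry point for an IMAP watch with 'Require TLS' set."""
    conn = imaplib.IMAP4(host, port)
    return secure_then_login(conn, user, password, require_tls=require_tls)
```
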

GoogleCodeExporter commented 9 years ago

Original comment by nekoh...@gmail.com on 3 Oct 2009 at 3:02