thsmi / sieve

Sieve Script Editor
GNU Affero General Public License v3.0

Add implicit TLS support for Thunderbird extension #890

Closed fastlorenzo closed 1 year ago

fastlorenzo commented 1 year ago

Prerequisites

Is your feature request related to a problem?

We've got a setup with Mailu (https://github.com/Mailu/Mailu/pull/2773) where we use nginx in front of Dovecot, which makes it support only implicit TLS for Sieve. I have the latest build of the Linux AppImage and this works fine, as we can set the TLS setting to implicit. However, the Thunderbird extension has that setting hardcoded to explicit TLS: https://github.com/thsmi/sieve/blob/dfeeac10cb5cf65b08b31360229053bcdae50174/src/wx/libs/libManageSieve/SieveClient.mjs#L76

Describe the solution you'd like

Could you add a setting in the Thunderbird extension to change the TLS connection to implicit?

Describe alternatives you've considered

Tried implementing it myself, but didn't manage to make it work. Using the Linux client app works, but it would be better to have it supported directly in Thunderbird.

Additional context

N/A

nextgens commented 1 year ago

I'd suggest going even further and auto-detecting it. If the socket connects and no banner is received within a specific timeout, start the TLS negotiation (or close() and reconnect using implicit TLS if that makes the code easier).

With Sieve the server sends a banner first... in implicit TLS it's the client who speaks first, that makes a behavior that can be discriminated against/auto-detected.
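As an added illustration of the banner-based detection described above (this is example code, not part of thsmi/sieve, and all names in it are hypothetical): a small state machine fed with whatever arrives on a freshly opened ManageSieve socket. A server that speaks explicit TLS sends its RFC 5804 capability greeting in plaintext and ends it with an `OK` line; an implicit-TLS server stays silent because it is waiting for the client's TLS ClientHello. The policy function at the end fails closed: the client either upgrades with STARTTLS, reconnects with implicit TLS, or aborts, but never continues in plaintext.

```javascript
// Added example, not code from thsmi/sieve. SieveBannerDetector, decideNextStep
// and simulate are hypothetical names; the greetings below are constructed.

// Parse RFC 5804 capability lines: a quoted name, optionally followed by a quoted value.
function parseCapabilities(lines) {
  const caps = new Map();
  for (const line of lines) {
    const m = /^"([^"]+)"(?:\s+"([^"]*)")?\s*$/.exec(line);
    if (m) caps.set(m[1].toUpperCase(), m[2] ?? "");
  }
  return caps;
}

class SieveBannerDetector {
  constructor() {
    this.buffer = "";    // bytes not yet terminated by CRLF
    this.lines = [];     // complete capability lines seen so far
    this.decision = null;
  }

  // Feed a chunk received on the plaintext socket. Returns the decision once the
  // greeting is complete (an OK/NO/BYE line), or null while more data is needed.
  onData(chunk) {
    if (this.decision) return this.decision;
    this.buffer += chunk;
    let idx;
    while ((idx = this.buffer.indexOf("\r\n")) !== -1) {
      const line = this.buffer.slice(0, idx);
      this.buffer = this.buffer.slice(idx + 2);
      if (/^(OK|NO|BYE)(\s|$)/.test(line)) {
        const caps = parseCapabilities(this.lines);
        this.decision = {
          mode: "explicit",
          ok: line.startsWith("OK"),
          starttls: caps.has("STARTTLS"),
          capabilities: caps,
        };
        return this.decision;
      }
      this.lines.push(line);
    }
    return null;
  }

  // The banner timer fired (a real client would arm it right after connect()).
  // Total silence is the signature of implicit TLS; a half-received greeting is
  // just a slow explicit server and stays undecided rather than being guessed.
  onTimeout() {
    if (this.decision) return this.decision;
    if (this.lines.length === 0 && this.buffer.length === 0) {
      this.decision = { mode: "implicit", ok: false, starttls: false, capabilities: new Map() };
    } else {
      this.decision = { mode: "undecided", ok: false, starttls: false,
                        capabilities: parseCapabilities(this.lines) };
    }
    return this.decision;
  }
}

// Fail-closed policy: the only outcomes are a TLS upgrade, a TLS reconnect, or abort.
function decideNextStep(decision) {
  if (decision.mode === "implicit") return "reconnect-implicit-tls";
  if (decision.mode === "explicit" && decision.ok && decision.starttls) return "send-starttls";
  return "abort";
}

// Drive the detector with constructed server output (an array of chunks; an empty
// array models a silent implicit-TLS server). The timeout is simulated by calling
// onTimeout() when the chunks run out without a decision.
function simulate(serverChunks) {
  const det = new SieveBannerDetector();
  for (const chunk of serverChunks) {
    const d = det.onData(chunk);
    if (d) return d;
  }
  return det.onTimeout();
}

// Constructed sample greetings in the style of RFC 5804, split across chunks the
// way a real socket might deliver them.
const EXPLICIT_GREETING = [
  '"IMPLEMENTATION" "Example ManageSieved"\r\n"SASL" "PLAIN"\r\n',
  '"SIEVE" "fileinto vacation"\r\n"STARTTLS"\r\nOK "ready"\r\n',
];
const PLAINTEXT_ONLY_GREETING = ['"IMPLEMENTATION" "Example"\r\n"SIEVE" "fileinto"\r\nOK\r\n'];

if (typeof require !== "undefined" && require.main === module) {
  const cases = [["explicit", EXPLICIT_GREETING], ["no-starttls", PLAINTEXT_ONLY_GREETING], ["silent", []]];
  for (const [name, chunks] of cases) {
    const d = simulate(chunks);
    console.log(name, d.mode, decideNextStep(d));
  }
}
```

Note that a server which greets in plaintext but does not advertise STARTTLS lands in "abort": falling back to an unencrypted session would be the one outcome worse than either TLS mode.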

thsmi commented 1 year ago

Well, for Sieve there are no real-world scenarios where implicit TLS would be more secure than explicit TLS. Vice versa, implicit TLS is non-standard. The RFC specifies that explicit TLS should be the only mechanism. And there are, to my knowledge, no intentions by the working group to change this.

Yes, I know you can configure Dovecot to offer implicit TLS, but this is considered by the Dovecot devs as a configuration error and completely unsupported. Technically it is a bug and not a feature that you can enable this non-compliant configuration in Dovecot. Theoretically it could go away with any release, but it is unlikely to happen.

The main reason why it is hard coded in the WebExtension is that the extension simply does not support it. Thunderbird's socket implementation is old, non intuitive and full of strange bugs and corner cases. It would need a major rewrite, basically a parallel implementation for implicit and explicit. For the standalone application it could be solved with a simple if deciding when to call startTLS. But this is not possible with Thunderbird. On an insecure socket you can call starttls only after sending data. And a secure socket which implies explicit TLS uses a different logic.

Thus this is, from my point of view, a won't fix. It does not make sense to go the extra mile and invest lots of time in something non-standard which is rarely used and considered by mail servers as a configuration error. There are way more important things which could be done.

And if you really need it for some reason then you can still use the app which supports this non standard mode.