I tested with Thunderbird (where the account was working fine with
stable version and encrypted password on starttls)
and the message came up after the upgrade to change to normal password.
When lambda users get that message they'll just panic and won't know
what to do.
I still need to check how Outlook will react ...
On 1/25/19 10:52 AM, Tommi Järvilehto wrote:
Was there a problem with Outlook and encrypted passwords? Or the
password cache?
On 25.1.2019 11:43, Philip Nix Guru wrote:
Hello
Yes, that's one of the reasons I was wondering why encrypted password
was no longer supported for STARTTLS in the latest dev version
Regards
-P
On 1/25/19 8:56 AM, Andrew Swartz wrote:
I would add the caveat that STARTTLS is only "probably safe".
Unfortunately, it suffers from a critical error in the very concept
of going from a plaintext session to a TLS session, resulting in an
unfixable (as far as I know) vulnerability. A man-in-the-middle can
inject text into the server response to tell the client that
STARTTLS is not available and that the conversation should therefore
continue in plaintext. I've read that several ISPs have been
caught using this vulnerability to scan people's outgoing email.
That means PLAIN or LOGIN type submission passwords can be seen.
This is why the 2018 RFC (https://tools.ietf.org/html/rfc8314) has
strongly recommended abandoning STARTTLS on port 587 and using
dedicated TLS on port 465 for mail submission.
-Andy
On 1/24/2019 9:30 PM, Eric Broch wrote:
The password is not encrypted (Normal) but is sent over an
encrypted connection, it's safe.
On 1/24/2019 5:39 PM, Philip Nix Guru wrote:
Hello
I was testing the dev version (an upgrade over the stable version)
and came through that annoying problem
if I have to advise all users to change their config:
Sending of the message failed.
The Outgoing server (SMTP) xxxxxx does not seem to support
encrypted passwords. If you just set up the account, try changing
the 'Authentication method' in 'Account settings | Outgoing server
(SMTP)' to 'Normal password'.
All the users having a starttls config in their mail client had to
change from encrypted to normal
which of course brought the question "oh it is not safe anymore ..."
Regards
-Philip
---------------------------------------------------------------------
To unsubscribe, e-mail:
[email protected]
For additional commands, e-mail:
[email protected]
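
Added example, not part of the original thread and not any mail client's or server's own code: a strict client-side policy run over constructed EHLO replies, covering the three cases discussed above (STARTTLS offered, STARTTLS missing from the reply, and a client set to an "encrypted password" mechanism the server does not list). The host name mail.example.org, the function names and the returned labels are assumptions made for illustration.

```python
# Added example. The EHLO replies below are constructed, not captured traffic.
PRE_TLS = "250-mail.example.org\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
# Same reply as a client would see it if the STARTTLS line were removed in transit.
STRIPPED = "250-mail.example.org\n250-PIPELINING\n250 8BITMIME"
# Reply to the second EHLO, sent after the TLS handshake has completed.
POST_TLS = "250-mail.example.org\n250-AUTH PLAIN LOGIN\n250 8BITMIME"


def parse_ehlo(reply):
    """Return (extension keywords, AUTH mechanisms) from a 250 EHLO reply."""
    extensions, mechanisms = set(), set()
    for index, line in enumerate(reply.strip().splitlines()):
        if not line.startswith("250") or line[3:4] not in ("-", " ", ""):
            raise ValueError(f"unexpected reply line: {line!r}")
        # Older servers also advertise the legacy "AUTH=..." spelling.
        words = line[4:].replace("=", " ").split()
        if index == 0 or not words:
            continue  # first line carries the server name, not an extension
        keyword = words[0].upper()
        extensions.add(keyword)
        if keyword == "AUTH":
            mechanisms.update(word.upper() for word in words[1:])
    return extensions, mechanisms


def next_step(reply, tls_active, configured="PLAIN"):
    """Decide what a strict submission client does after an EHLO reply."""
    extensions, mechanisms = parse_ehlo(reply)
    if not tls_active:
        if "STARTTLS" in extensions:
            return "STARTTLS"
        # No plaintext fallback: a missing STARTTLS line cannot be told
        # apart from one that was stripped, so no credentials are sent.
        return "ABORT"
    if configured.upper() in mechanisms:
        return f"AUTH {configured.upper()}"
    # TLS is up but the configured mechanism is not offered (for example
    # CRAM-MD5 against a server that only lists PLAIN and LOGIN).
    return "MISMATCH"


if __name__ == "__main__":
    print(next_step(PRE_TLS, False))             # STARTTLS
    print(next_step(STRIPPED, False))            # ABORT
    print(next_step(POST_TLS, True, "PLAIN"))    # AUTH PLAIN
    print(next_step(POST_TLS, True, "CRAM-MD5")) # MISMATCH
```

With dedicated TLS on port 465 the session starts with tls_active already true, so the plaintext EHLO that the ABORT branch guards against never takes place.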