Package: claws-mail
Version: 3.11.1-3+deb8u1
Severity: important

Dear Maintainer,

claws-mail leaks the client hostname (or, if available, the FQDN), revealing
potentially confidential information about the network structure and allowing
the client to be (re-)identified on the network/internet.

Steps to reproduce:

Set up an account using STARTTLS to secure the SMTP connection.
Send an email while capturing the traffic using Wireshark.
Look at the line with the EHLO command from the client to the server.

Actual results:

The client sends an EHLO request to the server to start the TLS connection.
This request contains the hostname of the client.

e.g. 
ehlo client123.company.domain

or
ehlo myuniquehostname


Expected results:

According to the smtp protocol definition, the ehlo command sends the "client" 
FQDN to the remote server, assuming however a server to server connection.

Some other Mail Clients use the hostname for the ehlo command, some use even 
the private ip (e.g. outlook) which can even be critical in case the client 
uses a VPN connection.

The EHLO command does not need a specific string to be accepted by the server.
"ehlo random_string" is accepted just as well.
Since there is no need to send any specific information and, according to RFC
2821, sending the hostname is not necessary, the optimal solution would be to
send a random string. That would also provide the most privacy.
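The following is an added example, not part of this bug report and not claws-mail code. It shows how an administrator reviewing a capture (the "Steps to reproduce" above) could classify what the EHLO/HELO argument of each client session reveals: a private address literal, a dotted name exposing internal domain structure, a bare host name, or a generic name carrying no client-specific information. The session lines are constructed for the example; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample capture: the client side of several SMTP sessions as a
# packet capture would show them (CRLF stripped). These are made-up lines,
# not taken from any real claws-mail trace.
SAMPLE_SESSIONS = {
    "session-1": ["EHLO client123.company.domain", "STARTTLS"],
    "session-2": ["ehlo myuniquehostname", "STARTTLS"],
    "session-3": ["EHLO [10.1.2.3]", "STARTTLS"],
    "session-4": ["EHLO [IPv6:2001:db8::10]", "STARTTLS"],
    "session-5": ["EHLO localhost", "STARTTLS"],
    "session-6": ["HELO workstation42", "MAIL FROM:<alice@example.org>"],
    "session-7": ["NOOP", "QUIT"],  # never greeted; nothing to classify
}

# EHLO/HELO verb followed by one argument; SMTP verbs are case-insensitive.
GREETING_RE = re.compile(r"^\s*(EHLO|HELO)\s+(\S+)", re.IGNORECASE)


def greeting_argument(client_lines):
    """Return the argument of the first EHLO/HELO command, or None."""
    for line in client_lines:
        match = GREETING_RE.match(line)
        if match:
            return match.group(2)
    return None


def classify_greeting(arg):
    """Label what the EHLO/HELO argument reveals about the client.

    'private-ip'  an address literal from a private or loopback range
    'public-ip'   an address literal that is globally routable
    'fqdn'        a dotted name (exposes internal domain structure)
    'hostname'    a bare token (a unique machine identifier, or an opaque name)
    'generic'     a name that carries no client-specific information
    'none'        no greeting seen in the session
    """
    if arg is None:
        return "none"
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.upper().startswith("IPV6:"):
            literal = literal[5:]
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            return "malformed-literal"
        return "private-ip" if addr.is_private else "public-ip"
    if arg.lower() in ("localhost", "localhost.localdomain"):
        return "generic"
    if "." in arg:
        return "fqdn"
    return "hostname"


# Labels that expose something about the client's identity or network.
LEAKING = {"private-ip", "public-ip", "fqdn", "hostname"}


def audit_sessions(sessions):
    """Map each session name to (greeting argument, label)."""
    result = {}
    for name, lines in sessions.items():
        arg = greeting_argument(lines)
        result[name] = (arg, classify_greeting(arg))
    return result


def leaking_sessions(sessions):
    """Sorted names of sessions whose greeting exposes client identity."""
    audited = audit_sessions(sessions)
    return sorted(name for name, (_, label) in audited.items() if label in LEAKING)


if __name__ == "__main__":
    for name, (arg, label) in audit_sessions(SAMPLE_SESSIONS).items():
        print(f"{name}: {arg!r} -> {label}")
```

In practice the client lines come from the capture (for example a Wireshark "Follow TCP Stream" export of the unencrypted pre-STARTTLS part of the session). The classifier cannot tell a real bare host name from an opaque or random one, so a "hostname" finding should be confirmed against the machine's actual name before it is reported as a leak.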


-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages claws-mail depends on:
ii  libarchive13         3.1.2-11
ii  libassuan0           2.1.2-2
ii  libatk1.0-0          2.14.0-1
ii  libc6                2.19-18+deb8u2
ii  libcairo2            1.14.0-2.1
ii  libcompfaceg1        1:1.5.2-5
ii  libdb5.3             5.3.28-9
ii  libdbus-1-3          1.8.20-0+deb8u1
ii  libdbus-glib-1-2     0.102-1
ii  libenchant1c2a       1.6.0-10.1
ii  libetpan17           1.5-2
ii  libfontconfig1       2.11.0-6.3
ii  libfreetype6         2.5.2-3+deb8u1
ii  libgdk-pixbuf2.0-0   2.31.1-2+deb8u4
ii  libglib2.0-0         2.42.1-1
ii  libgnutls-deb0-28    3.3.8-6+deb8u3
ii  libgpg-error0        1.17-3
ii  libgpgme11           1.5.1-6
ii  libgtk2.0-0          2.24.25-3
ii  libice6              2:1.0.9-1+b1
ii  libldap-2.4-2        2.4.40+dfsg-1+deb8u2
ii  liblockfile1         1.09-6
ii  libpango-1.0-0       1.36.8-3
ii  libpangocairo-1.0-0  1.36.8-3
ii  libpangoft2-1.0-0    1.36.8-3
ii  libpisock9           0.12.5-dfsg-1
ii  libsasl2-2           2.1.26.dfsg1-13+deb8u1
ii  libsm6               2:1.2.2-1+b1
ii  xdg-utils            1.1.0~rc1+git20111210-7.4
ii  zlib1g               1:1.2.8.dfsg-2+b1

Versions of packages claws-mail recommends:
ii  aspell-en [aspell-dictionary]  7.1-0-1.1
ii  claws-mail-i18n                3.11.1-3+deb8u1
ii  xfonts-100dpi                  1:1.0.3
ii  xfonts-75dpi                   1:1.0.3

Versions of packages claws-mail suggests:
pn  claws-mail-doc           <none>
pn  claws-mail-tools         <none>
ii  gedit                    3.14.0-3
ii  iceweasel [www-browser]  38.6.0esr-1~deb8u1

-- no debconf information
