No enforcement of STARTTLS. #669

Open
duesee opened this issue May 29, 2020 · 1 comment
Comments


duesee commented May 29, 2020

Offlineimap does not enforce the use of STARTTLS when the server does not advertise the STARTTLS capability. Instead, it will provide the credentials in plaintext.

I wanted to raise the question of whether this is supposed to stay like this or could possibly be changed so that when STARTTLS is configured it is enforced. In the case that the server does not advertise STARTTLS, the correct behaviour should be to provide a hint to use implicit TLS instead (preferred) or to require the user to explicitly enable this behaviour (with a warning).

I evaluated that behaviour in a ton of email clients and offlineimap is really one of the very few clients still behaving that way. This should really be changed. See also https://tools.ietf.org/html/rfc8314

Edit: in case STARTTLS will be enforced in the future, the certificate must obviously also be checked. Otherwise this doesn't help a lot :-)

Edit 2: I made the suggestion clearer.
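The fail-closed behaviour requested above, as an added illustration that is not offlineimap's own code: parse the server's CAPABILITY response, refuse to send credentials when STARTTLS is configured but not advertised (unless the user explicitly allowed plaintext), and build a TLS context that verifies the certificate. The sample CAPABILITY lines are constructed, and the function names are assumptions.

```python
import ssl

# Constructed sample IMAP CAPABILITY responses (not captured from a real server).
CAPS_WITH_STARTTLS = b"* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN LOGINDISABLED"
CAPS_WITHOUT_STARTTLS = b"* CAPABILITY IMAP4rev1 AUTH=PLAIN"


class StartTLSNotOffered(Exception):
    """Raised instead of silently falling back to a plaintext LOGIN."""


def parse_capabilities(line: bytes) -> set:
    """Turn an untagged '* CAPABILITY ...' line into a set of upper-cased tokens."""
    parts = line.decode("ascii", errors="replace").split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response")
    return {p.upper() for p in parts[2:]}


def starttls_decision(caps: set, starttls_configured: bool, allow_plaintext: bool = False) -> str:
    """Fail-closed policy: with STARTTLS configured and missing, refuse to send
    credentials unless the user explicitly opted into plaintext."""
    if not starttls_configured:
        return "plaintext-by-config"      # the user never asked for STARTTLS
    if "STARTTLS" in caps:
        return "upgrade"                  # proceed with the STARTTLS command
    if allow_plaintext:
        return "plaintext-explicit"       # user-acknowledged downgrade (warn loudly)
    raise StartTLSNotOffered(
        "server did not advertise STARTTLS; refusing to send credentials in plaintext. "
        "Prefer implicit TLS (RFC 8314, IMAPS on port 993) or explicitly allow plaintext."
    )


def describe_server(line: bytes, starttls_configured: bool, allow_plaintext: bool = False) -> str:
    """Convenience wrapper returning the decision, or 'refused: <reason>' on fail-closed."""
    try:
        return starttls_decision(parse_capabilities(line), starttls_configured, allow_plaintext)
    except StartTLSNotOffered as exc:
        return "refused: " + str(exc)


def verifying_context(cafile=None) -> ssl.SSLContext:
    """TLS context that verifies the chain and the hostname, so an enforced STARTTLS
    cannot be defeated by an untrusted certificate (the 'Edit' above)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

After `starttls_decision` returns "upgrade", the client sends STARTTLS and wraps the socket with `verifying_context().wrap_socket(sock, server_hostname=host)`; any certificate failure there must abort the session rather than fall back.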

chris001 (Member) commented

Absolutely agree. Email security is of paramount importance! This old way of doing security (silent downgrade to cleartext, zero encryption, just to accomplish the goal of completing the task) MUST be fixed to enforce encryption and fail with an informative message when unable to.
