Enforcement of ID before SELECT #25

Open
soywod opened this issue May 11, 2024 · 9 comments
Labels
AFFECTED=imap.163.com HELP WANTED PROTO=IMAP Related to IMAP protocol STATE=REPRODUCED Issue could be reproduced (explained in issue)

Comments


soywod commented May 11, 2024

https://todo.sr.ht/~soywod/pimalaya/201

Member

duesee commented May 11, 2024

Testing ...

```
$ openssl s_client -crlf -connect imap.163.com:993
* OK IMAP4 ready
a login test@163.com abcdef
a NO LOGIN Login error or password error
```

```
$ nc -C imap.163.com 143
* OK IMAP4 ready
a login test@163.com abcdef
a NO LOGIN Login error or password error
```

It sounds a bit like "server reporting unencrypted login", but it doesn't seem to be the case as we get the same error with and w/o encryption.

Do we need valid credentials to reproduce the `Unsafe Login. Please contact kefu@188.com for help` message?

@duesee duesee changed the title imap: provider forcing id before select Enforcement of ID before `SELECT May 11, 2024
@duesee duesee added the PROTO=IMAP Related to IMAP protocol label May 11, 2024
@duesee duesee changed the title Enforcement of ID before `SELECT Enforcement of ID before SELECT May 11, 2024
Author

soywod commented May 15, 2024 via email

Author

soywod commented May 21, 2024 via email

Member

duesee commented May 21, 2024

Can you write me a PM on Matrix? :-)

Author

soywod commented Aug 19, 2024

Which action needs to be done for this issue? Contacting the mail provider? From my side I can add a config option to exchange ids after authentication.


epilys commented Aug 19, 2024

This is a vendor issue since they are implementing the standard wrong, so yes, contact them.

Member

duesee commented Aug 19, 2024

Grr... sorry. I still have "Recheck 188.com" on my TODO list but so little time... Were you able to reproduce it with the credentials you got to clearly see it's the missing ID provoking the error?

I think there is not a good way to mitigate this unfortunately...

If you add an option to send ID, you have to maintain the option. But: How do you know when to activate it? Only for 188.com? Seems weird to give them free advertisement for bad behavior... Always sending ID just to mitigate this is not great either :-/ Fingers crossed they will fix it.

Author

soywod commented Aug 20, 2024

> Were you able to reproduce it with the credentials you got to clearly see it's the missing ID provoking the error?

No, I can do it tomorrow morning.

> How do you know when to activate it?

I thought to have a config entry that triggers the ids exchange after client creation (sth generic, not related to 163). Users should enable the option manually. This could be documented, in a dedicated 163 section. A bit like the Gmail section and App password.

Author

soywod commented Aug 21, 2024

I confirm the defect:

```
$ openssl s_client -crlf -connect imap.163.com:993
* OK IMAP4 ready

A1 LOGIN pimalaya@163.com *****
A1 OK LOGIN completed

A2 SELECT INBOX
A2 NO SELECT Unsafe Login. Please contact kefu@188.com for help
```

It's even worse: 163 forces you to send a non-empty ID (no matter the content, I tried with different values):

```
A3 ID ()
* ID ("name" "Coremail Imap" "vendor" "Mailtech" "TransID" "IcalGAAAAAuSxWbphHkA")
A3 OK ID completed

A4 SELECT INBOX
A4 NO SELECT Unsafe Login. Please contact kefu@188.com for help

A5 ID ("dumb" "id")
* ID ("name" "Coremail Imap" "vendor" "Mailtech" "TransID" "IcalGAAAAAuSxWbphHkA")
A5 OK ID completed

A6 SELECT INBOX
* 2 EXISTS
* 2 RECENT
* OK [UIDVALIDITY 1] UIDs valid
* FLAGS (\Answered \Seen \Deleted \Draft \Flagged)
* OK [PERMANENTFLAGS (\Answered \Seen \Deleted \Draft \Flagged)] Limited
A6 OK [READ-WRITE] SELECT completed
```

As stated in RFC2871:

> Servers MUST NOT deny access to or refuse service for a client based on information from the ID command

I will contact them and let you know.

@duesee duesee added STATE=REPRODUCED Issue could be reproduced (explained in issue) and removed STATE=UNKNOWN More information needed labels Aug 21, 2024
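
An added example, not part of the thread and not the project's own code: a Python check that replays a client-side IMAP transcript and reports whether the server refuses SELECT until a non-empty ID has been sent, which is the behaviour confirmed in the last comment. The transcript is constructed from that session, and the function names `select_outcomes` and `gates_select_on_id` are hypothetical.

```python
import re

# Constructed transcript modelled on the session quoted above (password masked,
# untagged ID/mailbox data omitted); untagged server lines start with "*".
TRANSCRIPT = """\
* OK IMAP4 ready
A1 LOGIN pimalaya@163.com *****
A1 OK LOGIN completed
A2 SELECT INBOX
A2 NO SELECT Unsafe Login. Please contact kefu@188.com for help
A3 ID ()
A3 OK ID completed
A4 SELECT INBOX
A4 NO SELECT Unsafe Login. Please contact kefu@188.com for help
A5 ID ("dumb" "id")
A5 OK ID completed
A6 SELECT INBOX
A6 OK [READ-WRITE] SELECT completed
"""

STATUS = re.compile(r"^(?P<tag>[A-Za-z0-9]+) (?P<status>OK|NO|BAD)\b")
COMMAND = re.compile(r"^(?P<tag>[A-Za-z0-9]+) (?P<verb>LOGIN|ID|SELECT)\b ?(?P<args>.*)$", re.I)
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')  # one quoted string inside the ID list

def select_outcomes(transcript):
    """List (id_state, status) per SELECT; id_state is the last completed
    client ID before it: 'none', 'empty' (ID () or NIL) or 'non-empty'."""
    pending, id_state, outcomes = {}, "none", []
    for line in transcript.splitlines():
        if not line.strip() or line.startswith("*"):
            continue  # blank line or untagged server data
        status = STATUS.match(line)
        if status:  # tagged completion: pair it with the command it answers
            verb, args = pending.pop(status["tag"], (None, ""))
            if verb == "ID" and status["status"] == "OK":
                id_state = "non-empty" if QUOTED.search(args) else "empty"
            elif verb == "SELECT":
                outcomes.append((id_state, status["status"]))
            continue
        command = COMMAND.match(line)
        if command:
            pending[command["tag"]] = (command["verb"].upper(), command["args"])
    return outcomes

def gates_select_on_id(outcomes):
    """True when SELECT only succeeds after a non-empty ID was sent."""
    without = [s for state, s in outcomes if state != "non-empty"]
    with_id = [s for state, s in outcomes if state == "non-empty"]
    return bool(without) and "OK" not in without and "OK" in with_id
```

A transcript in which login fails, or in which SELECT succeeds without any ID, yields `False`, so the check only flags servers that show both the refusal and the later success.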