mirror
/
FairEmail
mirror of https://github.com/M66B/FairEmail.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Allow very insecure connections

This commit is contained in:
M66B 2019-10-03 11:39:14 +02:00
parent 20d0760675
commit 2cfc1a8fad
6 changed files with 64 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
FAQ.md
View File

@ -104,7 +104,7 @@ FairEmail follows all the best practices for an email client as decribed in [thi
* [(1) Which permissions are needed and why?](#user-content-faq1)
* [(2) Why is there a permanent notification shown?](#user-content-faq2)
* [(3) What are operations and why are they pending?](#user-content-faq3)
* [(4) How can I use an invalid security certificate / IMAP STARTTLS / an empty password?](#user-content-faq4)
* [(4) How can I use an invalid security certificate / empty password / plain text connection?](#user-content-faq4)
* [(5) How can I customize the message view?](#user-content-faq5)
* [(6) How can I login to Gmail / G suite?](#user-content-faq6)
* [(7) Why are sent messages not appearing (directly) in the sent folder?](#user-content-faq7)
@ -345,24 +345,29 @@ See also [this FAQ](#user-content-faq16).
<br />
<a name="faq4"></a>
**(4) How can I use an invalid security certificate / IMAP STARTTLS / an empty password?**
**(4) How can I use an invalid security certificate / empty password / plain text connection?**
Invalid security certificate (*Can't verify identity of server*): you should try to fix this by contacting your provider or by getting a valid security certificate
*Invalid security certificate* (Can't verify identity of server)
You should try to fix this by contacting your provider or by getting a valid security certificate
because invalid security certificates are insecure and allow [man-in-the-middle attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
If money is an obstacle, you can get free security certificates from [Lets Encrypt](https://letsencrypt.org).
Note that older Android versions might not recognize newer certification authorities like Lets Encrypt causing connections to be considered insecure,
see also [here](https://developer.android.com/training/articles/security-ssl).
IMAP STARTTLS: the EFF [writes](https://www.eff.org/nl/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery):
"*Additionally, even if you configure STARTTLS perfectly and use a valid certificate, theres still no guarantee your communication will be encrypted.*"
*Empty password*
Empty password: your username is likely easily guessed, so this is very insecure.
Your username is likely easily guessed, so this is insecure.
If you still want to use an invalid security certificate, IMAP STARTTLS or an empty password,
*Plain text connection*
Your username and password and all messages will be sent and received unencrypted, which is **very insecure**
because a [man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) is very simple on an unecrypted connection.
If you still want to use an invalid security certificate, an empty password or a plain text connection
you'll need to enable insecure connections in the account and/or identity settings.
Connections without encryption (either SSL or STARTTLS) are not supported because this is very insecure.
STARTTLS should be selected for plain text connections.
<br />
@ -1077,7 +1082,7 @@ The following information is needed:
```
<provider
name="Gmail"
link="https://support.google.com/mail/answer/7126229" // setup instructions
link="https://support.google.com/mail/answer/7126229" // link to the instructions of the provider
type="com.google"> // this is not needed
<imap
host="imap.gmail.com"
@ -1087,6 +1092,7 @@ The following information is needed:
host="smtp.gmail.com"
port="465"
starttls="false" />
</provider>
```
The EFF [writes](https://www.eff.org/nl/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery):

17
app/src/main/java/eu/faircode/email/MailService.java
View File

@ -18,7 +18,6 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ExecutorService;
@ -61,6 +60,7 @@ public class MailService implements AutoCloseable {
this.context = context.getApplicationContext();
this.protocol = protocol;
this.debug = debug;
properties = MessageHelper.getSessionProperties();
properties.put("mail.event.scope", "folder");
@ -69,19 +69,20 @@ public class MailService implements AutoCloseable {
properties.put("mail." + protocol + ".sasl.realm", realm == null ? "" : realm);
properties.put("mail." + protocol + ".auth.ntlm.domain", realm == null ? "" : realm);
String checkserveridentity = Boolean.toString(!insecure).toLowerCase(Locale.ROOT);
if (debug && BuildConfig.DEBUG)
properties.put("mail.debug.auth", "true");
if ("pop3".equals(protocol) || "pop3s".equals(protocol)) {
this.debug = true;
// https://javaee.github.io/javamail/docs/api/com/sun/mail/pop3/package-summary.html#properties
properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity);
properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.pop3s.starttls.enable", "false");
properties.put("mail.pop3.starttls.enable", "true");
properties.put("mail.pop3.starttls.required", "true");
properties.put("mail.pop3.starttls.required", Boolean.toString(!insecure));
// TODO: make timeouts configurable?
properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT));
@ -90,13 +91,13 @@ public class MailService implements AutoCloseable {
} else if ("imap".equals(protocol) || "imaps".equals(protocol)) {
// https://javaee.github.io/javamail/docs/api/com/sun/mail/imap/package-summary.html#properties
properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity);
properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.imaps.starttls.enable", "false");
properties.put("mail.imap.starttls.enable", "true");
properties.put("mail.imap.starttls.required", "true");
properties.put("mail.imap.starttls.required", Boolean.toString(!insecure));
// TODO: make timeouts configurable?
properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT));
@ -122,13 +123,13 @@ public class MailService implements AutoCloseable {
} else if ("smtp".equals(protocol) || "smtps".equals(protocol)) {
// https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html#properties
properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity);
properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.smtps.starttls.enable", "false");
properties.put("mail.smtp.starttls.enable", "true");
properties.put("mail.smtp.starttls.required", "true");
properties.put("mail.smtp.starttls.required", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".auth", "true");

15
app/src/main/res/layout/fragment_account.xml
View File

@ -171,6 +171,17 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
<TextView
android:id="@+id/tvInsecureRemark"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="6dp"
android:text="@string/title_insecure_remark"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
android:textStyle="italic"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
<!-- port -->
<TextView
@ -181,7 +192,7 @@
android:text="@string/title_port"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
<EditText
android:id="@+id/etPort"
@ -783,7 +794,7 @@
android:layout_height="0dp"
app:constraint_referenced_ids="
tvDomain,tvDomainHint,etDomain,btnAutoConfig,
tvImap,tvActiveSyncSupport,tvHost,etHost,rgEncryption,cbInsecure,tvPort,etPort" />
tvImap,tvActiveSyncSupport,tvHost,etHost,rgEncryption,cbInsecure,tvInsecureRemark,tvPort,etPort" />
<androidx.constraintlayout.widget.Group
android:id="@+id/grpAuthorize"

15
app/src/main/res/layout/fragment_identity.xml
View File

@ -342,6 +342,17 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
<TextView
android:id="@+id/tvInsecureRemark"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="6dp"
android:text="@string/title_insecure_remark"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
android:textStyle="italic"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
<!-- port -->
<TextView
@ -352,7 +363,7 @@
android:text="@string/title_port"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
<EditText
android:id="@+id/etPort"
@ -657,7 +668,7 @@
app:constraint_referenced_ids="
tvProvider,spProvider,
tvDomain,tvDomainHint,etDomain,btnAutoConfig,
tvSmtp,tvHost,etHost,rgEncryption,cbInsecure,tvPort,etPort,
tvSmtp,tvHost,etHost,rgEncryption,cbInsecure,tvInsecureRemark,tvPort,etPort,
tvUser,etUser,tvPassword,tilPassword,
tvRealm,etRealm,
cbUseIp,tvUseIpHint,

13
app/src/main/res/layout/fragment_pop.xml
View File

@ -78,6 +78,17 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
<TextView
android:id="@+id/tvInsecureRemark"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="6dp"
android:text="@string/title_insecure_remark"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
android:textStyle="italic"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
<!-- port -->
<TextView
@ -88,7 +99,7 @@
android:text="@string/title_port"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
<EditText
android:id="@+id/etPort"

1
app/src/main/res/values/strings.xml
View File

@ -396,6 +396,7 @@
<string name="title_ssl" translatable="false">SSL/TLS</string>
<string name="title_starttls" translatable="false">STARTTLS</string>
<string name="title_allow_insecure">Allow insecure connections</string>
<string name="title_insecure_remark">Insecure connections should only be allowed on trusted networks and never on public networks</string>
<string name="title_port">Port number</string>
<string name="title_user">User name</string>
<string name="title_password">Password</string>