Allow very insecure connections

pull/162/head
M66B 5 years ago
parent 20d0760675
commit 2cfc1a8fad

@ -104,7 +104,7 @@ FairEmail follows all the best practices for an email client as decribed in [thi
* [(1) Which permissions are needed and why?](#user-content-faq1) * [(1) Which permissions are needed and why?](#user-content-faq1)
* [(2) Why is there a permanent notification shown?](#user-content-faq2) * [(2) Why is there a permanent notification shown?](#user-content-faq2)
* [(3) What are operations and why are they pending?](#user-content-faq3) * [(3) What are operations and why are they pending?](#user-content-faq3)
* [(4) How can I use an invalid security certificate / IMAP STARTTLS / an empty password?](#user-content-faq4) * [(4) How can I use an invalid security certificate / empty password / plain text connection?](#user-content-faq4)
* [(5) How can I customize the message view?](#user-content-faq5) * [(5) How can I customize the message view?](#user-content-faq5)
* [(6) How can I login to Gmail / G suite?](#user-content-faq6) * [(6) How can I login to Gmail / G suite?](#user-content-faq6)
* [(7) Why are sent messages not appearing (directly) in the sent folder?](#user-content-faq7) * [(7) Why are sent messages not appearing (directly) in the sent folder?](#user-content-faq7)
@ -345,24 +345,29 @@ See also [this FAQ](#user-content-faq16).
<br /> <br />
<a name="faq4"></a> <a name="faq4"></a>
**(4) How can I use an invalid security certificate / IMAP STARTTLS / an empty password?** **(4) How can I use an invalid security certificate / empty password / plain text connection?**
Invalid security certificate (*Can't verify identity of server*): you should try to fix this by contacting your provider or by getting a valid security certificate *Invalid security certificate* (Can't verify identity of server)
You should try to fix this by contacting your provider or by getting a valid security certificate
because invalid security certificates are insecure and allow [man-in-the-middle attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). because invalid security certificates are insecure and allow [man-in-the-middle attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
If money is an obstacle, you can get free security certificates from [Lets Encrypt](https://letsencrypt.org). If money is an obstacle, you can get free security certificates from [Lets Encrypt](https://letsencrypt.org).
Note that older Android versions might not recognize newer certification authorities like Lets Encrypt causing connections to be considered insecure, Note that older Android versions might not recognize newer certification authorities like Lets Encrypt causing connections to be considered insecure,
see also [here](https://developer.android.com/training/articles/security-ssl). see also [here](https://developer.android.com/training/articles/security-ssl).
IMAP STARTTLS: the EFF [writes](https://www.eff.org/nl/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery): *Empty password*
"*Additionally, even if you configure STARTTLS perfectly and use a valid certificate, theres still no guarantee your communication will be encrypted.*"
Empty password: your username is likely easily guessed, so this is very insecure. Your username is likely easily guessed, so this is insecure.
If you still want to use an invalid security certificate, IMAP STARTTLS or an empty password, *Plain text connection*
you'll need to enable insecure connections in the account and/or identity settings.
Connections without encryption (either SSL or STARTTLS) are not supported because this is very insecure. Your username and password and all messages will be sent and received unencrypted, which is **very insecure**
because a [man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) is very simple on an unecrypted connection.
If you still want to use an invalid security certificate, an empty password or a plain text connection
you'll need to enable insecure connections in the account and/or identity settings.
STARTTLS should be selected for plain text connections.
<br /> <br />
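Review bot: The new "Plain text connection" paragraph ends with "STARTTLS should be selected for plain text connections" without explaining that, once insecure connections are allowed, STARTTLS is only attempted and the session continues unencrypted when the server does not offer it. Spell that out, because a reader can take this line to mean that STARTTLS still guarantees encryption. The EFF quote removed in this hunk made exactly that caveat and is worth keeping here. Also fix the typo "unecrypted" in the man-in-the-middle sentence.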
@ -1077,7 +1082,7 @@ The following information is needed:
``` ```
<provider <provider
name="Gmail" name="Gmail"
link="https://support.google.com/mail/answer/7126229" // setup instructions link="https://support.google.com/mail/answer/7126229" // link to the instructions of the provider
type="com.google"> // this is not needed type="com.google"> // this is not needed
<imap <imap
host="imap.gmail.com" host="imap.gmail.com"
@ -1087,6 +1092,7 @@ The following information is needed:
host="smtp.gmail.com" host="smtp.gmail.com"
port="465" port="465"
starttls="false" /> starttls="false" />
</provider>
``` ```
The EFF [writes](https://www.eff.org/nl/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery): The EFF [writes](https://www.eff.org/nl/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery):

@ -18,7 +18,6 @@ import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.LinkedHashMap; import java.util.LinkedHashMap;
import java.util.List; import java.util.List;
import java.util.Locale;
import java.util.Map; import java.util.Map;
import java.util.Properties; import java.util.Properties;
import java.util.concurrent.ExecutorService; import java.util.concurrent.ExecutorService;
@ -61,6 +60,7 @@ public class MailService implements AutoCloseable {
this.context = context.getApplicationContext(); this.context = context.getApplicationContext();
this.protocol = protocol; this.protocol = protocol;
this.debug = debug; this.debug = debug;
properties = MessageHelper.getSessionProperties(); properties = MessageHelper.getSessionProperties();
properties.put("mail.event.scope", "folder"); properties.put("mail.event.scope", "folder");
@ -69,19 +69,20 @@ public class MailService implements AutoCloseable {
properties.put("mail." + protocol + ".sasl.realm", realm == null ? "" : realm); properties.put("mail." + protocol + ".sasl.realm", realm == null ? "" : realm);
properties.put("mail." + protocol + ".auth.ntlm.domain", realm == null ? "" : realm); properties.put("mail." + protocol + ".auth.ntlm.domain", realm == null ? "" : realm);
String checkserveridentity = Boolean.toString(!insecure).toLowerCase(Locale.ROOT); if (debug && BuildConfig.DEBUG)
properties.put("mail.debug.auth", "true");
if ("pop3".equals(protocol) || "pop3s".equals(protocol)) { if ("pop3".equals(protocol) || "pop3s".equals(protocol)) {
this.debug = true; this.debug = true;
// https://javaee.github.io/javamail/docs/api/com/sun/mail/pop3/package-summary.html#properties // https://javaee.github.io/javamail/docs/api/com/sun/mail/pop3/package-summary.html#properties
properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity); properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*"); properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.pop3s.starttls.enable", "false"); properties.put("mail.pop3s.starttls.enable", "false");
properties.put("mail.pop3.starttls.enable", "true"); properties.put("mail.pop3.starttls.enable", "true");
properties.put("mail.pop3.starttls.required", "true"); properties.put("mail.pop3.starttls.required", Boolean.toString(!insecure));
// TODO: make timeouts configurable? // TODO: make timeouts configurable?
properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT)); properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT));
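Review bot: Setting "mail.debug.auth" to "true" makes JavaMail include the authentication commands, user names and passwords included, in the debug output, so the "debug && BuildConfig.DEBUG" condition added at the top of this hunk is the only thing keeping credentials out of the log. Add a comment saying so, so that the BuildConfig.DEBUG half of the condition is not dropped in a later cleanup, and make sure debug logs from debug builds are never attached to support requests unredacted.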
@ -90,13 +91,13 @@ public class MailService implements AutoCloseable {
} else if ("imap".equals(protocol) || "imaps".equals(protocol)) { } else if ("imap".equals(protocol) || "imaps".equals(protocol)) {
// https://javaee.github.io/javamail/docs/api/com/sun/mail/imap/package-summary.html#properties // https://javaee.github.io/javamail/docs/api/com/sun/mail/imap/package-summary.html#properties
properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity); properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*"); properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.imaps.starttls.enable", "false"); properties.put("mail.imaps.starttls.enable", "false");
properties.put("mail.imap.starttls.enable", "true"); properties.put("mail.imap.starttls.enable", "true");
properties.put("mail.imap.starttls.required", "true"); properties.put("mail.imap.starttls.required", Boolean.toString(!insecure));
// TODO: make timeouts configurable? // TODO: make timeouts configurable?
properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT)); properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT));
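Review bot: Tying "mail.imap.starttls.required" to "!insecure" means the one flag that already turns off the server identity check now also permits a silent fallback to plain text when STARTTLS is not offered, and a stripped STARTTLS capability on a hostile network looks the same to the client. A user who ticks the box only to accept a self-signed certificate gets the downgrade as well. Consider a separate setting for the plain text fallback, or at least surface to the user when a session was not upgraded to TLS.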
@ -122,13 +123,13 @@ public class MailService implements AutoCloseable {
} else if ("smtp".equals(protocol) || "smtps".equals(protocol)) { } else if ("smtp".equals(protocol) || "smtps".equals(protocol)) {
// https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html#properties // https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html#properties
properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity); properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*"); properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.smtps.starttls.enable", "false"); properties.put("mail.smtps.starttls.enable", "false");
properties.put("mail.smtp.starttls.enable", "true"); properties.put("mail.smtp.starttls.enable", "true");
properties.put("mail.smtp.starttls.required", "true"); properties.put("mail.smtp.starttls.required", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".auth", "true"); properties.put("mail." + protocol + ".auth", "true");
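Review bot: With "mail.smtp.starttls.required" no longer fixed at "true" and "mail." + protocol + ".auth" still "true" on the last line of this hunk, credentials are submitted over an unencrypted session whenever insecure is set and the server does not offer STARTTLS. The expression "Boolean.toString(!insecure)" is now written twice in each of the POP3, IMAP and SMTP branches; computing it once, as the removed "checkserveridentity" local did, and giving the STARTTLS value its own named variable would make it visible that two distinct protections hang off one flag.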

@ -171,6 +171,17 @@
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" /> app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
<TextView
android:id="@+id/tvInsecureRemark"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="6dp"
android:text="@string/title_insecure_remark"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
android:textStyle="italic"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
<!-- port --> <!-- port -->
<TextView <TextView
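Review bot: "tvInsecureRemark" is declared with "wrap_content" width and only a start constraint, while the string it shows is a full sentence; check on a narrow screen that it wraps inside the parent, or give it "0dp" width with an end constraint. Nothing in this hunk ties its visibility to "cbInsecure", so the warning appears as static text next to an unticked box; showing it, or emphasising it, only when the box is ticked would make it harder to overlook. The same block is added to two more layouts in this commit and the same points apply there.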
@ -181,7 +192,7 @@
android:text="@string/title_port" android:text="@string/title_port"
android:textAppearance="@style/TextAppearance.AppCompat.Small" android:textAppearance="@style/TextAppearance.AppCompat.Small"
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" /> app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
<EditText <EditText
android:id="@+id/etPort" android:id="@+id/etPort"
@ -783,7 +794,7 @@
android:layout_height="0dp" android:layout_height="0dp"
app:constraint_referenced_ids=" app:constraint_referenced_ids="
tvDomain,tvDomainHint,etDomain,btnAutoConfig, tvDomain,tvDomainHint,etDomain,btnAutoConfig,
tvImap,tvActiveSyncSupport,tvHost,etHost,rgEncryption,cbInsecure,tvPort,etPort" /> tvImap,tvActiveSyncSupport,tvHost,etHost,rgEncryption,cbInsecure,tvInsecureRemark,tvPort,etPort" />
<androidx.constraintlayout.widget.Group <androidx.constraintlayout.widget.Group
android:id="@+id/grpAuthorize" android:id="@+id/grpAuthorize"

@ -342,6 +342,17 @@
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" /> app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
<TextView
android:id="@+id/tvInsecureRemark"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="6dp"
android:text="@string/title_insecure_remark"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
android:textStyle="italic"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
<!-- port --> <!-- port -->
<TextView <TextView
@ -352,7 +363,7 @@
android:text="@string/title_port" android:text="@string/title_port"
android:textAppearance="@style/TextAppearance.AppCompat.Small" android:textAppearance="@style/TextAppearance.AppCompat.Small"
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" /> app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
<EditText <EditText
android:id="@+id/etPort" android:id="@+id/etPort"
@ -657,7 +668,7 @@
app:constraint_referenced_ids=" app:constraint_referenced_ids="
tvProvider,spProvider, tvProvider,spProvider,
tvDomain,tvDomainHint,etDomain,btnAutoConfig, tvDomain,tvDomainHint,etDomain,btnAutoConfig,
tvSmtp,tvHost,etHost,rgEncryption,cbInsecure,tvPort,etPort, tvSmtp,tvHost,etHost,rgEncryption,cbInsecure,tvInsecureRemark,tvPort,etPort,
tvUser,etUser,tvPassword,tilPassword, tvUser,etUser,tvPassword,tilPassword,
tvRealm,etRealm, tvRealm,etRealm,
cbUseIp,tvUseIpHint, cbUseIp,tvUseIpHint,

@ -78,6 +78,17 @@
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" /> app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
<TextView
android:id="@+id/tvInsecureRemark"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="6dp"
android:text="@string/title_insecure_remark"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
android:textStyle="italic"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
<!-- port --> <!-- port -->
<TextView <TextView
@ -88,7 +99,7 @@
android:text="@string/title_port" android:text="@string/title_port"
android:textAppearance="@style/TextAppearance.AppCompat.Small" android:textAppearance="@style/TextAppearance.AppCompat.Small"
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" /> app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
<EditText <EditText
android:id="@+id/etPort" android:id="@+id/etPort"

@ -396,6 +396,7 @@
<string name="title_ssl" translatable="false">SSL/TLS</string> <string name="title_ssl" translatable="false">SSL/TLS</string>
<string name="title_starttls" translatable="false">STARTTLS</string> <string name="title_starttls" translatable="false">STARTTLS</string>
<string name="title_allow_insecure">Allow insecure connections</string> <string name="title_allow_insecure">Allow insecure connections</string>
<string name="title_insecure_remark">Insecure connections should only be allowed on trusted networks and never on public networks</string>
<string name="title_port">Port number</string> <string name="title_port">Port number</string>
<string name="title_user">User name</string> <string name="title_user">User name</string>
<string name="title_password">Password</string> <string name="title_password">Password</string>
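Review bot: "title_insecure_remark" does not say what the checkbox turns off. After this commit it controls both the server identity check and the STARTTLS requirement, while "title_allow_insecure" still reads "Allow insecure connections". Name both effects in the remark, so the user knows that the user name, password and messages can be sent in plain text, as the updated FAQ entry already states.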
