Allow very insecure connections

pull/162/head
M66B 5 years ago
parent 20d0760675
commit 2cfc1a8fad

@ -104,7 +104,7 @@ FairEmail follows all the best practices for an email client as decribed in [thi
* [(1) Which permissions are needed and why?](#user-content-faq1)
* [(2) Why is there a permanent notification shown?](#user-content-faq2)
* [(3) What are operations and why are they pending?](#user-content-faq3)
* [(4) How can I use an invalid security certificate / IMAP STARTTLS / an empty password?](#user-content-faq4)
* [(4) How can I use an invalid security certificate / empty password / plain text connection?](#user-content-faq4)
* [(5) How can I customize the message view?](#user-content-faq5)
* [(6) How can I login to Gmail / G suite?](#user-content-faq6)
* [(7) Why are sent messages not appearing (directly) in the sent folder?](#user-content-faq7)
@ -345,24 +345,29 @@ See also [this FAQ](#user-content-faq16).
<br />
<a name="faq4"></a>
**(4) How can I use an invalid security certificate / IMAP STARTTLS / an empty password?**
**(4) How can I use an invalid security certificate / empty password / plain text connection?**
Invalid security certificate (*Can't verify identity of server*): you should try to fix this by contacting your provider or by getting a valid security certificate
*Invalid security certificate* (Can't verify identity of server)
You should try to fix this by contacting your provider or by getting a valid security certificate
because invalid security certificates are insecure and allow [man-in-the-middle attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
If money is an obstacle, you can get free security certificates from [Lets Encrypt](https://letsencrypt.org).
Note that older Android versions might not recognize newer certification authorities like Lets Encrypt causing connections to be considered insecure,
see also [here](https://developer.android.com/training/articles/security-ssl).
IMAP STARTTLS: the EFF [writes](https://www.eff.org/nl/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery):
"*Additionally, even if you configure STARTTLS perfectly and use a valid certificate, theres still no guarantee your communication will be encrypted.*"
*Empty password*
Empty password: your username is likely easily guessed, so this is very insecure.
Your username is likely easily guessed, so this is insecure.
If you still want to use an invalid security certificate, IMAP STARTTLS or an empty password,
you'll need to enable insecure connections in the account and/or identity settings.
*Plain text connection*
Connections without encryption (either SSL or STARTTLS) are not supported because this is very insecure.
Your username and password and all messages will be sent and received unencrypted, which is **very insecure**
because a [man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) is very simple on an unecrypted connection.
If you still want to use an invalid security certificate, an empty password or a plain text connection
you'll need to enable insecure connections in the account and/or identity settings.
STARTTLS should be selected for plain text connections.
<br />
@ -1077,7 +1082,7 @@ The following information is needed:
```
<provider
name="Gmail"
link="https://support.google.com/mail/answer/7126229" // setup instructions
link="https://support.google.com/mail/answer/7126229" // link to the instructions of the provider
type="com.google"> // this is not needed
<imap
host="imap.gmail.com"
@ -1087,6 +1092,7 @@ The following information is needed:
host="smtp.gmail.com"
port="465"
starttls="false" />
</provider>
```
The EFF [writes](https://www.eff.org/nl/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery):

@ -18,7 +18,6 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ExecutorService;
@ -61,6 +60,7 @@ public class MailService implements AutoCloseable {
this.context = context.getApplicationContext();
this.protocol = protocol;
this.debug = debug;
properties = MessageHelper.getSessionProperties();
properties.put("mail.event.scope", "folder");
@ -69,19 +69,20 @@ public class MailService implements AutoCloseable {
properties.put("mail." + protocol + ".sasl.realm", realm == null ? "" : realm);
properties.put("mail." + protocol + ".auth.ntlm.domain", realm == null ? "" : realm);
String checkserveridentity = Boolean.toString(!insecure).toLowerCase(Locale.ROOT);
if (debug && BuildConfig.DEBUG)
properties.put("mail.debug.auth", "true");
if ("pop3".equals(protocol) || "pop3s".equals(protocol)) {
this.debug = true;
// https://javaee.github.io/javamail/docs/api/com/sun/mail/pop3/package-summary.html#properties
properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity);
properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.pop3s.starttls.enable", "false");
properties.put("mail.pop3.starttls.enable", "true");
properties.put("mail.pop3.starttls.required", "true");
properties.put("mail.pop3.starttls.required", Boolean.toString(!insecure));
// TODO: make timeouts configurable?
properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT));
@ -90,13 +91,13 @@ public class MailService implements AutoCloseable {
} else if ("imap".equals(protocol) || "imaps".equals(protocol)) {
// https://javaee.github.io/javamail/docs/api/com/sun/mail/imap/package-summary.html#properties
properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity);
properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.imaps.starttls.enable", "false");
properties.put("mail.imap.starttls.enable", "true");
properties.put("mail.imap.starttls.required", "true");
properties.put("mail.imap.starttls.required", Boolean.toString(!insecure));
// TODO: make timeouts configurable?
properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT));
@ -122,13 +123,13 @@ public class MailService implements AutoCloseable {
} else if ("smtp".equals(protocol) || "smtps".equals(protocol)) {
// https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html#properties
properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity);
properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.smtps.starttls.enable", "false");
properties.put("mail.smtp.starttls.enable", "true");
properties.put("mail.smtp.starttls.required", "true");
properties.put("mail.smtp.starttls.required", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".auth", "true");

@ -171,6 +171,17 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
<TextView
android:id="@+id/tvInsecureRemark"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="6dp"
android:text="@string/title_insecure_remark"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
android:textStyle="italic"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
<!-- port -->
<TextView
@ -181,7 +192,7 @@
android:text="@string/title_port"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
<EditText
android:id="@+id/etPort"
@ -783,7 +794,7 @@
android:layout_height="0dp"
app:constraint_referenced_ids="
tvDomain,tvDomainHint,etDomain,btnAutoConfig,
tvImap,tvActiveSyncSupport,tvHost,etHost,rgEncryption,cbInsecure,tvPort,etPort" />
tvImap,tvActiveSyncSupport,tvHost,etHost,rgEncryption,cbInsecure,tvInsecureRemark,tvPort,etPort" />
<androidx.constraintlayout.widget.Group
android:id="@+id/grpAuthorize"

@ -342,6 +342,17 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
<TextView
android:id="@+id/tvInsecureRemark"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="6dp"
android:text="@string/title_insecure_remark"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
android:textStyle="italic"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
<!-- port -->
<TextView
@ -352,7 +363,7 @@
android:text="@string/title_port"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
<EditText
android:id="@+id/etPort"
@ -657,7 +668,7 @@
app:constraint_referenced_ids="
tvProvider,spProvider,
tvDomain,tvDomainHint,etDomain,btnAutoConfig,
tvSmtp,tvHost,etHost,rgEncryption,cbInsecure,tvPort,etPort,
tvSmtp,tvHost,etHost,rgEncryption,cbInsecure,tvInsecureRemark,tvPort,etPort,
tvUser,etUser,tvPassword,tilPassword,
tvRealm,etRealm,
cbUseIp,tvUseIpHint,

@ -78,6 +78,17 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
<TextView
android:id="@+id/tvInsecureRemark"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="6dp"
android:text="@string/title_insecure_remark"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
android:textStyle="italic"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
<!-- port -->
<TextView
@ -88,7 +99,7 @@
android:text="@string/title_port"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/cbInsecure" />
app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
<EditText
android:id="@+id/etPort"

@ -396,6 +396,7 @@
<string name="title_ssl" translatable="false">SSL/TLS</string>
<string name="title_starttls" translatable="false">STARTTLS</string>
<string name="title_allow_insecure">Allow insecure connections</string>
<string name="title_insecure_remark">Insecure connections should only be allowed on trusted networks and never on public networks</string>
<string name="title_port">Port number</string>
<string name="title_user">User name</string>
<string name="title_password">Password</string>

Loading…
Cancel
Save