[Bug 847989] New: Alpine mailtool will not remember Outgoing SMTP Password between sessions
https://bugzilla.novell.com/show_bug.cgi?id=847989
https://bugzilla.novell.com/show_bug.cgi?id=847989#c0

Summary: Alpine mailtool will not remember Outgoing SMTP Password between sessions
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: craig@arno.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0

I set up outgoing SMTP to use my ISP's mail delivery system. The exact format required by Alpine smtp-server for Frontier is:

smtp.frontier.com:465/user=myusername@frontier.com/ssl

This works fine and prompts me for my Frontier "myuseracct" password with the first email sent. I provide the password and it works, sending email without further prompting while in the Alpine application. As soon as I exit to the command shell and restart Alpine, I'm again prompted for my ISP password, i.e. Alpine isn't saving the SMTP password between session invocations.

A little checking and it looks like this feature has to be added at compile build time with a compiler switch. Once done, the password is remembered in a ".pine-passfile" in the user's home directory.

I need this feature added to the OpenSUSE 12.2 / 12.3 releases so I don't have to give users my upstream provider account password so they can send email using the OpenSUSE 12.2/12.3 x64 Alpine.

Reproducible: Always

Steps to Reproduce:
1. Configure Alpine to use ISP's SMTP server with Authentication
2. Compose and send an email through your ISP's SMTP server, entering your password when prompted.
3. Exit the Alpine mailtool
4. Start Alpine and Compose/Send a second email
5. Notice you are -again- prompted for your ISP's password (it should have been saved in the file ~/.pine-passfile and this second prompt shouldn't happen)

Actual Results: As described above.

Expected Results: I expect Alpine to remember passwords for my upstream SMTP connection. This will prevent having to give regular users the "keys to the city" to send email using Alpine.

This is a security problem making this tool unusable by any other than the system administrator until it is fixed.

This is a silly default for a build introduced by the Alpine team. I have one user who insists he wants to use the command line and Alpine for email. He also likes to use Lynx for browsing. If this "default" behavior can be remedied, life with Alpine/OpenSUSE will be smoother.

I marked this "Major" because this user can't use Alpine for sending email until the option to use a saved SMTP Auth Password is compiled into the application. The Alpine application otherwise appears to be working.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=847989#c
zhang jiajun
https://bugzilla.novell.com/show_bug.cgi?id=847989#c1
Reinhard Max
> A little checking and it looks like this feature has to be added at compile build time with a compiler switch. Once done, the password is remembered in a ".pine-passfile" in the user's home directory.
This feature is being compiled into our pine package already (as can be seen by the presence of the -passfile option in 'alpine -h' output), but the filename is ~/.pinepw.
> I need this feature added to the OpenSUSE 12.2 / 12.3 releases so I don't have to give users my upstream provider account password so they can send email using the OpenSUSE 12.2/12.3 x64 Alpine.
Please note that using the save password feature doesn't really keep your password secret, because your users can read their ~/.pinepw file. Also, the compile-time switch for enabling this is marked as "NOT secure, NOT recommended". If you want to share your outgoing SMTP account with your users, the right way to do so is to set up a local or site-wide mail transport agent such as postfix, qmail or sendmail to which your users can submit their mail without authentication and which in turn uses your SMTP credentials to pass it on to the provider.
> This is a security problem making this tool unusable by any other than the system administrator until it is fixed.
As explained above, using this feature opens a security problem rather than closing one, especially when trying to abuse it for password distribution, so please don't do that.
https://bugzilla.novell.com/show_bug.cgi?id=847989#c2
--- Comment #2 from Craig Arno
https://bugzilla.novell.com/show_bug.cgi?id=847989#c3
--- Comment #3 from Reinhard Max
> I also checked ~/.pinepw contents for the security concern you brought up. The password is encrypted and therefore secure enough for my tiny installation in the sense that it isn't plain text.
Yes, it is not plain text, but not encrypted either, only obfuscated. Your users could obtain the plain text password by reproducing the (de)obfuscation algorithm that is contained in the alpine sources, or by grabbing it from alpine's memory with a debugger. If that's still good enough for you, that's fine, but I wanted you to be aware of the fact.
> I originally started with Postfix local SMTP transport as you suggest and ran into not being able to prevent some very determined spammers from forwarding / reflecting their material through my Postfix installation.
You mean your Postfix setup ended up being an open relay (external spammers were able to send emails to external recipients)? If so, that surprises me, because Postfix was specifically designed to not allow this by default and you would have to go a long way to configure it as an open relay.
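
The local relay suggested in comment #1, with the restrictions that keep it from becoming the open relay discussed in comment #3, as an added example that is not part of the original thread or of the openSUSE package. It assumes Postfix 3.0 or later (for smtp_tls_wrappermode) and the provider host and user name from the report; the file paths are the conventional ones and the password is a placeholder.

```conf
# /etc/postfix/main.cf (added example; values are assumptions unless noted)

# Accept mail only from this machine, so nothing outside can submit at all.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128

# Relay only for local clients; refuse anything else that is not addressed
# to a domain this host is itself responsible for.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# Hand all outgoing mail to the provider (host and port from the report).
# Brackets suppress the MX lookup; port 465 is implicit TLS, hence wrappermode.
relayhost = [smtp.frontier.com]:465
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt

# Authenticate to the provider with credentials that only root can read.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# /etc/postfix/sasl_passwd (owner root, mode 0600; run "postmap" on it after editing)
# [smtp.frontier.com]:465   myusername@frontier.com:PLACEHOLDER_PASSWORD
```

With this in place Alpine's smtp-server can point at localhost without a /user= part, so no provider password is stored in any user's home directory.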