new file mode 100644
--- /dev/null
+++ b/mail/base/test/unit/test_migrateTryStartTLS.js
@@ -0,0 +1,130 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/**
+ * Test migrating away from insecure trySTARTTLS.
+ */
+
+var { MailMigrator } = ChromeUtils.importESModule(
+ "resource:///modules/MailMigrator.sys.mjs"
+);
+var { localAccountUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/mailnews/LocalAccountUtils.sys.mjs"
+);
+var gAccountList = [
+ {
+ type: "pop3",
+ port: 1234,
+ user: "pop3user",
+ password: "pop3password",
+ hostname: "pop3.mail.yahoo.com",
+ socketType: Ci.nsMsgSocketType.plain,
+ authMethod: Ci.nsMsgAuthMethod.passwordCleartext,
+ smtpServers: [
+ {
+ port: 3456,
+ user: "imapout",
+ password: "imapoutpassword",
+ isDefault: true,
+ hostname: "smtp.mail.yahoo.com",
+ socketType: Ci.nsMsgSocketType.alwaysSTARTTLS,
+ expectedSocketTypeAFter: Ci.nsMsgSocketType.alwaysSTARTTLS,
+ authMethod: Ci.nsMsgAuthMethod.passwordCleartext,
+ },
+ ],
+ },
+ {
+ type: "imap",
+ port: 2345,
+ user: "imapuser",
+ password: "imappassword",
+ hostname: "imap.mail.yahoo.com",
+ socketType: 1, // former trySTARTTLS,
+ expectedSocketTypeAFter: Ci.nsMsgSocketType.alwaysSTARTTLS,
+ authMethod: Ci.nsMsgAuthMethod.passwordCleartext,
+ smtpServers: [
+ {
+ port: 3456,
+ user: "imapout",
+ password: "imapoutpassword",
+ isDefault: false,
+ hostname: "smtp.gmail.com",
+ socketType: 1, // former trySTARTTLS,
+ expectedSocketTypeAFter: Ci.nsMsgSocketType.alwaysSTARTTLS,
+ authMethod: Ci.nsMsgAuthMethod.passwordEncrypted,
+ },
+ ],
+ },
+];
+
+// An array of the incoming servers during setup.
+var gIncomingServers = [];
+
+// An array of the outgoing servers created during setup.
+var gOutgoingServers = [];
+
+add_setup(async () => {
+ for (const details of gAccountList) {
+ const server = localAccountUtils.create_incoming_server(
+ details.type,
+ details.port,
+ details.user,
+ details.password,
+ details.hostname
+ );
+ server.socketType = details.socketType;
+ server.authMethod = details.authMethod;
+
+ // Add the newly created server to the array for testing.
+ gIncomingServers.push(server);
+
+ const account = MailServices.accounts.findAccountForServer(server);
+ for (const smtpDetails of details.smtpServers) {
+ const outgoing = localAccountUtils.create_outgoing_server(
+ "smtp",
+ smtpDetails.user,
+ smtpDetails.password,
+ { port: smtpDetails.port, hostname: smtpDetails.hostname }
+ );
+ outgoing.socketType = smtpDetails.socketType;
+ outgoing.authMethod = smtpDetails.authMethod;
+ localAccountUtils.associate_servers(
+ account,
+ outgoing,
+ smtpDetails.isDefault
+ );
+
+ // Add the newly created server to the array for testing.
+ gOutgoingServers.push(outgoing);
+ }
+ }
+});
+
+add_task(async function test_migrateTryStartTLS() {
+ Services.prefs.setIntPref("mail.ui-rdf.version", 43);
+
+ const inTypesBefore = gIncomingServers.map(s => s.socketType);
+ const outTypesBefore = gOutgoingServers.map(s => s.socketType);
+ MailMigrator._migrateUI();
+
+ let i = 0;
+ for (const server of gIncomingServers) {
+ if (inTypesBefore[i] == 1) {
+ Assert.equal(server.socketType, Ci.nsMsgSocketType.alwaysSTARTTLS);
+ } else {
+ Assert.equal(server.socketType, inTypesBefore[i]);
+ }
+ i++;
+ }
+
+ i = 0;
+ for (const server of gOutgoingServers) {
+ if (outTypesBefore[i] == 1) {
+ Assert.equal(server.socketType, Ci.nsMsgSocketType.alwaysSTARTTLS);
+ } else {
+ Assert.equal(server.socketType, outTypesBefore[i]);
+ }
+ i++;
+ }
+});
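Review bot: `expectedSocketTypeAFter` (lines 36, 48 and 58) is never read — the assertions in test_migrateTryStartTLS derive the expectation from `inTypesBefore[i] == 1` instead — so it is dead fixture data carrying a typo in its name; either assert against it or drop it from gAccountList. The hand-maintained `i` counter can go with `for (const [i, server] of gIncomingServers.entries()) {` and the same for gOutgoingServers. The task only covers the forward case; a second task that sets `mail.ui-rdf.version` to 44 and checks that a socketType of 1 is left untouched would pin the version gate in `_migrateUI`.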
--- a/mail/base/test/unit/xpcshell.ini
+++ b/mail/base/test/unit/xpcshell.ini
@@ -7,16 +7,17 @@ support-files = distribution.ini resourc
[test_alertHook.js]
[test_attachmentChecker.js]
[test_columns.js]
[test_bug1086527.js]
[test_devtools_url.js]
[test_emptyTrash_dbViewWrapper.js]
run-sequentially = Avoid bustage.
[test_linkHelper.js]
+[test_migrateTryStartTLS.js]
[test_pluralForm.js]
[test_pluralForm_english.js]
[test_pluralForm_makeGetter.js]
[test_viewWrapper_imapFolder.js]
run-sequentially = Avoid bustage.
[test_viewWrapper_logic.js]
[test_viewWrapper_realFolder.js]
skip-if = os == "mac" && !debug
--- a/mail/components/test/unit/test_about_support.js
+++ b/mail/components/test/unit/test_about_support.js
@@ -23,17 +23,17 @@ var gAccountList = [
authMethod: Ci.nsMsgAuthMethod.old,
smtpServers: [],
},
{
type: "imap",
port: 2345,
user: "imapuser",
password: "imappassword",
- socketType: Ci.nsMsgSocketType.trySTARTTLS,
+ socketType: Ci.nsMsgSocketType.alwaysSTARTTLS,
authMethod: Ci.nsMsgAuthMethod.passwordCleartext,
smtpServers: [
{
port: 3456,
user: "imapout",
password: "imapoutpassword",
isDefault: true,
socketType: Ci.nsMsgSocketType.alwaysSTARTTLS,
--- a/mail/locales/en-US/chrome/messenger/am-server-top.dtd
+++ b/mail/locales/en-US/chrome/messenger/am-server-top.dtd
@@ -21,17 +21,16 @@
<!ENTITY biffStart.label "Check for new messages every ">
<!ENTITY biffStart.accesskey "y">
<!ENTITY biffEnd.label "minutes">
<!ENTITY useIdleNotifications.label "Allow immediate server notifications when new messages arrive">
<!ENTITY useIdleNotifications.accesskey "w">
<!ENTITY connectionSecurity.label "Connection security:">
<!ENTITY connectionSecurity.accesskey "u">
<!ENTITY connectionSecurityType-0.label "None">
-<!ENTITY connectionSecurityType-1.label "STARTTLS, if available">
<!ENTITY connectionSecurityType-2.label "STARTTLS">
<!ENTITY connectionSecurityType-3.label "SSL/TLS">
<!ENTITY authMethod.label "Authentication method:">
<!ENTITY authMethod.accesskey "i">
<!ENTITY leaveOnServer.label "Leave messages on server">
<!ENTITY leaveOnServer.accesskey "g">
<!ENTITY headersOnly.label "Fetch headers only">
<!ENTITY headersOnly.accesskey "e">
--- a/mail/locales/en-US/chrome/messenger/smtpEditOverlay.dtd
+++ b/mail/locales/en-US/chrome/messenger/smtpEditOverlay.dtd
@@ -10,15 +10,14 @@
<!ENTITY serverDescription.accesskey "D">
<!ENTITY serverPort.label "Port:">
<!ENTITY serverPort.accesskey "P">
<!ENTITY userName.label "User Name:">
<!ENTITY userName.accesskey "m">
<!ENTITY connectionSecurity.label "Connection security:">
<!ENTITY connectionSecurity.accesskey "n">
<!ENTITY connectionSecurityType-0.label "None">
-<!ENTITY connectionSecurityType-1.label "STARTTLS, if available">
<!ENTITY connectionSecurityType-2.label "STARTTLS">
<!ENTITY connectionSecurityType-3.label "SSL/TLS">
<!ENTITY smtpEditTitle.label "SMTP Server">
<!ENTITY serverPortDefault.label "Default:">
<!ENTITY authMethod.label "Authentication method:">
<!ENTITY authMethod.accesskey "i">
--- a/mail/modules/MailMigrator.sys.mjs
+++ b/mail/modules/MailMigrator.sys.mjs
@@ -22,17 +22,17 @@ ChromeUtils.defineESModuleGetters(lazy,
export var MailMigrator = {
/**
* Determine if the UI has been upgraded in a way that requires us to reset
* some user configuration. If so, performs the resets.
*/
_migrateUI() {
// The code for this was ported from
// mozilla/browser/components/nsBrowserGlue.js
- const UI_VERSION = 43;
+ const UI_VERSION = 44;
const UI_VERSION_PREF = "mail.ui-rdf.version";
let currentUIVersion = Services.prefs.getIntPref(UI_VERSION_PREF, 0);
if (currentUIVersion >= UI_VERSION) {
return;
}
const newProfile = currentUIVersion == 0;
@@ -149,16 +149,31 @@ export var MailMigrator = {
.split(",")
.filter(Boolean);
serverKeys.forEach(key => {
Services.prefs.setCharPref(`mail.smtpserver.${key}.type`, "smtp");
});
}
+ if (currentUIVersion < 44) {
+ // Upgrade all (former) tryStartTLS (==1) uses to alwaysStartTLS.
+ for (const account of MailServices.accounts.accounts) {
+ const server = account.incomingServer;
+ if (server.socketType == 1) {
+ server.socketType = Ci.nsMsgSocketType.alwaysSTARTTLS;
+ }
+ }
+ for (const server of MailServices.outgoingServer.servers) {
+ if (server.socketType == 1) {
+ server.socketType = Ci.nsMsgSocketType.alwaysSTARTTLS;
+ }
+ }
+ }
+
// Migration tasks that may take a long time are not run immediately, but
// added to the MigrationTasks object then run at the end.
//
// See the documentation on MigrationTask and MigrationTasks for how to
// add a task.
MigrationTasks.runTasks();
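Review bot: The literal `1` at lines 244 and 249 is now the only reference to the retired trySTARTTLS value in this file, and the new test repeats it; name it once, `const LEGACY_TRY_STARTTLS = 1; // nsMsgSocketType.trySTARTTLS, removed`, so the next reader does not reintroduce the constant or treat the value as free. If `account.incomingServer` can be absent or throw for a damaged account (not visible here), one such account aborts the loop and leaves every later server unmigrated, so a per-account guard would make the upgrade more robust. Upgrading to alwaysSTARTTLS rather than plain is the fail-closed choice, which means servers that never offered STARTTLS will now fail to connect instead of silently downgrading; that trade-off deserves a sentence in the comment at line 241.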
// Update the migration version.
--- a/mail/services/sync/docs/record-spec.md
+++ b/mail/services/sync/docs/record-spec.md
@@ -5,17 +5,16 @@ Renamed from Accounts in version 1. Same
- `deleted`: `true` if this account has been removed
- `name`: string, user-visible way to identify this account
- `type`: "imap", "pop3", "smtp" [immutable]
- `location`: string, the server's hostname and port separated by a colon (in future this may be a
URL instead, where appropriate)
- `socketType` (one of): (from nsMsgSocketType)
- "plain"
- - "tryStartTLS"
- "alwaysStartTLS"
- "tls"
- `authMethod` (one of): (see nsMsgAuthMethod)
- "passwordCleartext"
- "passwordEncrypted"
- "gssapi" (Kerberos)
- "ntlm"
- "tlsCertificate" (AKA “external”)
--- a/mail/services/sync/modules/engines/servers.sys.mjs
+++ b/mail/services/sync/modules/engines/servers.sys.mjs
@@ -7,17 +7,16 @@ import { CryptoWrapper } from "resource:
import { MailServices } from "resource:///modules/MailServices.sys.mjs";
import { SCORE_INCREMENT_XLARGE } from "resource://services-sync/constants.sys.mjs";
import { SyncEngine, Tracker } from "resource://services-sync/engines.sys.mjs";
import { Utils } from "resource://services-sync/util.sys.mjs";
// Mappings between Ci.nsMsgSocketType types and Sync types.
const SOCKET_TYPES = [
[Ci.nsMsgSocketType.plain, "plain"],
- [Ci.nsMsgSocketType.trySTARTTLS, "tryStartTLS"],
[Ci.nsMsgSocketType.alwaysSTARTTLS, "alwaysStartTLS"],
[Ci.nsMsgSocketType.SSL, "tls"],
];
function socketTypeForRecord(number) {
return SOCKET_TYPES.find(st => st[0] == number)[1];
}
function socketTypeForServer(string) {
return SOCKET_TYPES.find(st => st[1] == string)[0];
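Review bot: With the `"tryStartTLS"` row removed from SOCKET_TYPES, `socketTypeForServer` (line 299; its body ends outside the hunk) throws a TypeError on a record that still carries that string, because `find()` returns undefined before the `[0]` index; records written by a client that predates this change are the likely source. Mirror the migration instead of crashing by adding a read-only alias after the alwaysStartTLS row: `[Ci.nsMsgSocketType.alwaysSTARTTLS, "tryStartTLS"], // legacy records only`. Since `find()` returns the first match by number, `socketTypeForRecord` still emits `"alwaysStartTLS"`, so no new record is written with the old name.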
--- a/mailnews/base/prefs/content/SmtpServerEdit.js
+++ b/mailnews/base/prefs/content/SmtpServerEdit.js
@@ -119,21 +119,16 @@ function initSmtpSettings(server) {
const details = server
? OAuth2Providers.getHostnameDetails(server.serverURI.host)
: null;
document.getElementById("authMethod-oauth2").hidden = !details;
// Hide deprecated/hidden auth options, unless selected
hideUnlessSelected(document.getElementById("authMethod-anysecure"));
hideUnlessSelected(document.getElementById("authMethod-any"));
-
- // "STARTTLS, if available" is vulnerable to MITM attacks so we shouldn't
- // allow users to choose it anymore. Hide the option unless the user already
- // has it set.
- hideUnlessSelected(document.getElementById("connectionSecurityType-1"));
}
function hideUnlessSelected(element) {
element.hidden = !element.selected;
}
function setLabelFromStringBundle(elementID, stringName) {
document.getElementById(elementID).label = document
--- a/mailnews/base/prefs/content/SmtpServerEdit.xhtml
+++ b/mailnews/base/prefs/content/SmtpServerEdit.xhtml
@@ -148,23 +148,16 @@
prefstring="mail.smtpserver.%serverkey%.try_ssl"
>
<menupopup id="smtp.socketTypePopup">
<menuitem
value="0"
label="&connectionSecurityType-0.label;"
/>
<menuitem
- id="connectionSecurityType-1"
- value="1"
- label="&connectionSecurityType-1.label;"
- disabled="true"
- hidden="true"
- />
- <menuitem
value="2"
label="&connectionSecurityType-2.label;"
/>
<menuitem
value="3"
label="&connectionSecurityType-3.label;"
/>
</menupopup>
--- a/mailnews/base/prefs/content/am-server.js
+++ b/mailnews/base/prefs/content/am-server.js
@@ -96,21 +96,16 @@ function onInit(aPageId, aServerId) {
}
// OAuth2 are only supported on IMAP and POP.
document.getElementById("authMethod-oauth2").hidden =
serverType != "imap" && serverType != "pop3";
// TLS Cert (External) only supported on IMAP.
document.getElementById("authMethod-external").hidden = serverType != "imap";
- // "STARTTLS, if available" is vulnerable to MITM attacks so we shouldn't
- // allow users to choose it anymore. Hide the option unless the user already
- // has it set.
- hideUnlessSelected(document.getElementById("connectionSecurityType-1"));
-
// UI for account store type.
const storeTypeElement = document.getElementById("server.storeTypeMenulist");
// set the menuitem to match the account
const currentStoreID = document
.getElementById("server.storeContractID")
.getAttribute("value");
const targetItem = storeTypeElement.getElementsByAttribute(
"value",
--- a/mailnews/base/prefs/content/am-server.xhtml
+++ b/mailnews/base/prefs/content/am-server.xhtml
@@ -31,17 +31,17 @@
<script defer="defer" src="chrome://messenger/content/am-prefs.js"></script>
<script defer="defer" src="chrome://messenger/content/amUtils.js"></script>
<script
defer="defer"
src="chrome://messenger/content/menulist-charsetpicker.js"
></script>
<script>
// FIXME: move to script file.
- window.addEventListener("load", event => {
+ window.addEventListener("load", () => {
parent.onPanelLoaded("am-server.xhtml");
});
</script>
</head>
<html:body
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
>
<vbox id="containerBox" flex="1">
@@ -148,38 +148,32 @@
<html:fieldset>
<html:legend>&securitySettings.label;</html:legend>
<html:table>
<html:tr>
<html:td>
<label
value="&connectionSecurity.label;"
accesskey="&connectionSecurity.accesskey;"
- control="server.socketType"
+ control="server."
/>
</html:td>
<html:td>
<menulist
wsm_persist="true"
id="server.socketType"
oncommand="secureSelect();"
style="width: 100%"
>
<menupopup id="server.socketTypePopup">
<menuitem
value="0"
label="&connectionSecurityType-0.label;"
/>
<menuitem
- id="connectionSecurityType-1"
- value="1"
- label="&connectionSecurityType-1.label;"
- disabled="true"
- />
- <menuitem
value="2"
label="&connectionSecurityType-2.label;"
hidefor="nntp"
/>
<menuitem
value="3"
label="&connectionSecurityType-3.label;"
/>
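Review bot: `control="server."` at line 400 looks like a truncated edit: the label's control attribute should name the menulist id `server.socketType` (line 406), which this hunk leaves unchanged, otherwise the accesskey and click-to-focus association for the Connection security menulist is lost. Restore `control="server.socketType"`.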
--- a/mailnews/base/public/MailNewsTypes2.idl
+++ b/mailnews/base/public/MailNewsTypes2.idl
@@ -35,24 +35,19 @@ interface nsMsgPriority : nsISupports {
* Defines whether to use SSL or STARTTLS or not.
* Used by @see nsIMsgIncomingServer.socketType
* and @see nsIMsgOutgoingServer.socketType
*/
[scriptable, uuid(bc78bc74-1b34-48e8-ac2b-968e8dff1aeb)]
interface nsMsgSocketType : nsISupports {
/// No SSL or STARTTLS
const nsMsgSocketTypeValue plain = 0;
- /// Use TLS via STARTTLS, but only if server offers it.
- /// @deprecated This is vulnerable to MITM attacks
- const nsMsgSocketTypeValue trySTARTTLS = 1;
- /// Insist on TLS via STARTTLS.
- /// Uses normal port.
+ /// Insist on TLS via STARTTLS. Uses normal port.
const nsMsgSocketTypeValue alwaysSTARTTLS = 2;
- /// Connect via SSL.
- /// Needs special SSL port.
+ /// Connect via SSL. Needs special SSL port.
const nsMsgSocketTypeValue SSL = 3;
};
/**
* Defines which authentication schemes we should try.
* Used by @see nsIMsgIncomingServer.authMethod
* and @see nsIMsgOutgoingServer.authMethod
*/
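Review bot: Removing `trySTARTTLS = 1` leaves an undocumented gap in nsMsgSocketType while stored profile prefs and MailMigrator still carry the value 1; a future constant assigned to 1 would be silently remapped to alwaysSTARTTLS by the migration. Reserve it with a comment between `plain` and `alwaysSTARTTLS`: `/// Value 1 (trySTARTTLS) was removed and is migrated to alwaysSTARTTLS; do not reuse it.`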
--- a/mailnews/compose/src/SmtpClient.sys.mjs
+++ b/mailnews/compose/src/SmtpClient.sys.mjs
@@ -61,19 +61,17 @@ export class SmtpClient {
* defines the properties but does not actually connect.
*
* @class
*
* @param {SmtpServer} server - The associated SmtpServer instance.
*/
constructor(server) {
this.options = {
- alwaysSTARTTLS:
- server.socketType == Ci.nsMsgSocketType.trySTARTTLS ||
- server.socketType == Ci.nsMsgSocketType.alwaysSTARTTLS,
+ alwaysSTARTTLS: server.socketType == Ci.nsMsgSocketType.alwaysSTARTTLS,
requireTLS: server.socketType == Ci.nsMsgSocketType.SSL,
};
this.socket = false; // Downstream TCP socket to the SMTP server, created with TCPSocket
this.waitDrain = false; // Keeps track if the downstream socket is currently full and a drain event should be waited for or not
// Private properties
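Review bot: After line 472 a socketType that is neither alwaysSTARTTLS nor SSL — including a leftover 1 that the migration did not reach, or a value arriving via sync or a manual pref edit — yields `alwaysSTARTTLS: false, requireTLS: false`, which presumably means a plaintext session, whereas the old code at least attempted STARTTLS for 1. Treating every non-plain, non-SSL value as alwaysSTARTTLS, `alwaysSTARTTLS: server.socketType != Ci.nsMsgSocketType.plain && server.socketType != Ci.nsMsgSocketType.SSL,`, keeps the fail-closed intent of this change. The same fall-through exists in the ImapClient and Pop3Client hunks, where the `.includes` check is false for any other value and the clients continue without STARTTLS.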
--- a/mailnews/compose/src/SmtpServer.sys.mjs
+++ b/mailnews/compose/src/SmtpServer.sys.mjs
@@ -189,25 +189,28 @@ export class SmtpServer {
}
}
set clientidEnabled(value) {
this._prefs.setBoolPref("clientidEnabled", value);
}
get authMethod() {
- return this._getIntPrefWithDefault("authMethod", 3);
+ return this._getIntPrefWithDefault(
+ "authMethod",
+ Ci.nsMsgAuthMethod.passwordCleartext
+ );
}
set authMethod(value) {
this._prefs.setIntPref("authMethod", value);
}
get socketType() {
- return this._getIntPrefWithDefault("try_ssl", 0);
+ return this._getIntPrefWithDefault("try_ssl", Ci.nsMsgSocketType.plain);
}
set socketType(value) {
this._prefs.setIntPref("try_ssl", value);
}
/**
* May contain an alternative argument to EHLO or HELO to provide to the
--- a/mailnews/imap/public/nsIImapServerSink.idl
+++ b/mailnews/imap/public/nsIImapServerSink.idl
@@ -151,23 +151,16 @@ interface nsIImapServerSink : nsISupport
*
* @param aPassword returns the stored password or empty string if not stored.
*/
void syncGetPassword(out AString aPassword);
attribute boolean userAuthenticated;
void setMailServerUrls(in AUTF8String manageMailAccount, in AUTF8String manageLists, in AUTF8String manageFilters);
- /** Used by the imap thread when upgrading from the socketType
- * trySTARTTLS.
- * @param aSucceeded whether STARTTLS succeeded. If it did, the server
- * will set the socket type to alwaysSTARTTLS, otherwise plain.
- */
- void UpdateTrySTARTTLSPref(in boolean aSucceeded);
-
readonly attribute AUTF8String arbitraryHeaders;
void forgetPassword();
readonly attribute boolean showAttachmentsInline;
string cramMD5Hash(in string decodedChallenge, in string key);
/// String to send to the imap server as the login user name.
readonly attribute ACString loginUsername;
/// String to send to the imap server as the user name.
--- a/mailnews/imap/src/ImapClient.sys.mjs
+++ b/mailnews/imap/src/ImapClient.sys.mjs
@@ -1030,20 +1030,17 @@ export class ImapClient {
}
};
/**
* Decide the first auth method to try.
*/
_actionChooseFirstAuthMethod = () => {
if (
- [
- Ci.nsMsgSocketType.trySTARTTLS,
- Ci.nsMsgSocketType.alwaysSTARTTLS,
- ].includes(this._server.socketType) &&
+ [Ci.nsMsgSocketType.alwaysSTARTTLS].includes(this._server.socketType) &&
!this._secureTransport
) {
if (this._capabilities.includes("STARTTLS")) {
// Init STARTTLS negotiation if required by user pref and supported.
this._nextAction = this._actionStarttlsResponse;
this._sendTagged("STARTTLS");
} else {
// Abort if not supported.
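Review bot: `[Ci.nsMsgSocketType.alwaysSTARTTLS].includes(this._server.socketType)` at line 542 is a single-element membership test left over from the two-value list; a plain comparison reads better: `this._server.socketType == Ci.nsMsgSocketType.alwaysSTARTTLS &&`. The same shape appears in the Pop3Client hunk at line 768. The enclosing arrow function continues past the hunk.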
--- a/mailnews/imap/src/nsImapIncomingServer.cpp
+++ b/mailnews/imap/src/nsImapIncomingServer.cpp
@@ -390,23 +390,16 @@ NS_IMPL_SERVERPREF_STR(nsImapIncomingSer
NS_IMPL_SERVERPREF_STR(nsImapIncomingServer, OtherUsersNamespace,
"namespace.other_users")
NS_IMPL_SERVERPREF_BOOL(nsImapIncomingServer, FetchByChunks, "fetch_by_chunks")
NS_IMPL_SERVERPREF_BOOL(nsImapIncomingServer, SendID, "send_client_info")
NS_IMETHODIMP
-nsImapIncomingServer::UpdateTrySTARTTLSPref(bool aStartTLSSucceeded) {
- SetSocketType(aStartTLSSucceeded ? nsMsgSocketType::alwaysSTARTTLS
- : nsMsgSocketType::plain);
- return NS_OK;
-}
-
-NS_IMETHODIMP
nsImapIncomingServer::GetImapConnectionAndLoadUrl(nsIImapUrl* aImapUrl,
nsISupports* aConsumer) {
nsCOMPtr<nsIImapProtocol> aProtocol;
nsresult rv = GetImapConnection(aImapUrl, getter_AddRefs(aProtocol));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIMsgMailNewsUrl> mailnewsurl = do_QueryInterface(aImapUrl, &rv);
--- a/mailnews/imap/src/nsImapProtocol.cpp
+++ b/mailnews/imap/src/nsImapProtocol.cpp
@@ -503,17 +503,17 @@ nsImapProtocol::nsImapProtocol()
m_retryUrlOnError = false;
m_useIdle = true; // by default, use it
m_useCondStore = true;
m_useCompressDeflate = true;
m_ignoreExpunges = false;
m_prefAuthMethods = kCapabilityUndefined;
m_failedAuthMethods = 0;
m_currentAuthMethod = kCapabilityUndefined;
- m_socketType = nsMsgSocketType::trySTARTTLS;
+ m_socketType = nsMsgSocketType::alwaysSTARTTLS;
m_connectionStatus = NS_OK;
m_safeToCloseConnection = false;
m_hostSessionList = nullptr;
m_isGmailServer = false;
m_fetchingWholeMessage = false;
m_allowUTF8Accept = false;
nsCOMPtr<nsIPrefBranch> prefBranch(do_GetService(NS_PREFSERVICE_CONTRACTID));
@@ -989,40 +989,30 @@ nsresult nsImapProtocol::SetupWithUrlCal
Log("SetupWithUrlCallback", nullptr, "clearing IMAP_CONNECTION_IS_OPEN");
ClearFlag(IMAP_CONNECTION_IS_OPEN);
const char* connectionType = nullptr;
if (m_socketType == nsMsgSocketType::SSL)
connectionType = "ssl";
else if (m_socketType == nsMsgSocketType::alwaysSTARTTLS)
connectionType = "starttls";
- // This can go away once we think everyone is migrated
- // away from the trySTARTTLS socket type.
- else if (m_socketType == nsMsgSocketType::trySTARTTLS)
- connectionType = "starttls";
int32_t port = -1;
nsCOMPtr<nsIURI> uri = do_QueryInterface(m_runningUrl, &rv);
if (NS_FAILED(rv)) return rv;
uri->GetPort(&port);
AutoTArray<nsCString, 1> connectionTypeArray;
if (connectionType) connectionTypeArray.AppendElement(connectionType);
// NOTE: Some errors won't show up until the first read attempt (SSL bad
// certificate errors, for example).
rv = socketService->CreateTransport(connectionTypeArray, m_hostName, port,
aProxyInfo, nullptr,
getter_AddRefs(m_transport));
- if (NS_FAILED(rv) && m_socketType == nsMsgSocketType::trySTARTTLS) {
- connectionType = nullptr;
- m_socketType = nsMsgSocketType::plain;
- rv = socketService->CreateTransport(connectionTypeArray, m_hostName, port,
- aProxyInfo, nullptr,
- getter_AddRefs(m_transport));
- }
+ NS_ENSURE_SUCCESS(rv, rv);
// remember so we can know whether we can issue a start tls or not...
m_connectionType = connectionType;
if (m_transport && m_mockChannel) {
uint8_t qos;
rv = GetQoSBits(&qos);
if (NS_SUCCEEDED(rv)) m_transport->SetQoSBits(qos);
@@ -1679,18 +1669,17 @@ void nsImapProtocol::EstablishServerConn
fakeServerResponse);
}
}
} else if (!PL_strncasecmp(serverResponse, ESC_PREAUTH, ESC_PREAUTH_LEN)) {
// PREAUTH greeting received. We've been pre-authenticated by the server.
// We can skip sending a password and transition right into the
// kAuthenticated state; but we won't if the user has configured STARTTLS.
// (STARTTLS can only occur with the server in non-authenticated state.)
- if (!(m_socketType == nsMsgSocketType::alwaysSTARTTLS ||
- m_socketType == nsMsgSocketType::trySTARTTLS)) {
+ if (m_socketType != nsMsgSocketType::alwaysSTARTTLS) {
GetServerStateParser().PreauthSetAuthenticatedState();
if (GetServerStateParser().GetCapabilityFlag() == kCapabilityUndefined)
Capability();
if (!(GetServerStateParser().GetCapabilityFlag() &
(kIMAP4Capability | kIMAP4rev1Capability | kIMAP4other))) {
// AlertUserEventUsingId(MK_MSG_IMAP_SERVER_NOT_IMAP4);
@@ -1867,21 +1856,17 @@ bool nsImapProtocol::ProcessCurrentURL()
!(GetServerStateParser().GetCapabilityFlag() &
(kIMAP4Capability | kIMAP4rev1Capability | kIMAP4other)))) {
if (!DeathSignalReceived() && NS_SUCCEEDED(GetConnectionStatus()) &&
GetServerStateParser().GetCapabilityFlag())
AlertUserEventUsingName("imapServerNotImap4");
SetConnectionStatus(NS_ERROR_FAILURE); // stop netlib
} else {
- if ((m_connectionType.EqualsLiteral("starttls") &&
- (m_socketType == nsMsgSocketType::trySTARTTLS &&
- (GetServerStateParser().GetCapabilityFlag() &
- kHasStartTLSCapability))) ||
- m_socketType == nsMsgSocketType::alwaysSTARTTLS) {
+ if (m_socketType == nsMsgSocketType::alwaysSTARTTLS) {
StartTLS(); // Send imap STARTTLS command
if (GetServerStateParser().LastCommandSuccessful()) {
NS_ENSURE_TRUE(m_transport, false);
MOZ_ASSERT(!NS_IsMainThread());
rv = TransportStartTLS(); // Initiate STARTTLS handshakes
if (NS_SUCCEEDED(rv)) {
// Transition to secure state is now enabled but handshakes and
// negotiation has not yet occurred. Make sure that
@@ -1913,24 +1898,16 @@ bool nsImapProtocol::ProcessCurrentURL()
m_inputStreamBuffer->ClearBuffer();
// Force re-issue of "capability", because servers may
// enable other auth features (e.g. remove LOGINDISABLED
// and add AUTH=PLAIN). Sending imap data here first triggers
// the TLS negotiation handshakes.
Capability();
- // If user has set pref mail.server.serverX.socketType to 1
- // (trySTARTTLS, now deprecated in UI) and Capability()
- // succeeds, indicating TLS handshakes succeeded, set and
- // latch the socketType to 2 (alwaysSTARTTLS) for this server.
- if ((m_socketType == nsMsgSocketType::trySTARTTLS) &&
- GetServerStateParser().LastCommandSuccessful())
- m_imapServerSink->UpdateTrySTARTTLSPref(true);
-
// Courier imap doesn't return STARTTLS capability if we've done
// a STARTTLS! But we need to remember this capability so we'll
// try to use STARTTLS next time.
// Update: This may not be a problem since "next time" will be
// on a new connection that is not yet in secure state. So the
// capability greeting *will* contain STARTTLS. I observed and
// tested this on Courier imap server. But keep this to be sure.
eIMAPCapabilityFlags capabilityFlag =
@@ -1943,40 +1920,22 @@ bool nsImapProtocol::ProcessCurrentURL()
}
if (NS_FAILED(rv)) {
nsAutoCString logLine("Enable of STARTTLS failed. Error 0x");
logLine.AppendInt(static_cast<uint32_t>(rv), 16);
Log("ProcessCurrentURL", nullptr, logLine.get());
if (m_socketType == nsMsgSocketType::alwaysSTARTTLS) {
SetConnectionStatus(rv); // stop netlib
if (m_transport) m_transport->Close(rv);
- } else if (m_socketType == nsMsgSocketType::trySTARTTLS)
- m_imapServerSink->UpdateTrySTARTTLSPref(false);
+ }
}
} else if (m_socketType == nsMsgSocketType::alwaysSTARTTLS) {
SetConnectionStatus(NS_ERROR_FAILURE); // stop netlib
if (m_transport) m_transport->Close(rv);
- } else if (m_socketType == nsMsgSocketType::trySTARTTLS) {
- // STARTTLS failed, so downgrade socket type
- m_imapServerSink->UpdateTrySTARTTLSPref(false);
}
- } else if (m_socketType == nsMsgSocketType::trySTARTTLS) {
- // we didn't know the server supported TLS when we created
- // the socket, so we're going to retry with a STARTTLS socket
- if (GetServerStateParser().GetCapabilityFlag() &
- kHasStartTLSCapability) {
- ClearFlag(IMAP_CONNECTION_IS_OPEN);
- TellThreadToDie();
- SetConnectionStatus(NS_ERROR_FAILURE);
- return RetryUrl();
- }
- // trySTARTTLS set, but server doesn't have TLS capability,
- // so downgrade socket type
- m_imapServerSink->UpdateTrySTARTTLSPref(false);
- m_socketType = nsMsgSocketType::plain;
}
if (!DeathSignalReceived() && (NS_SUCCEEDED(GetConnectionStatus()))) {
// Run TryToLogon() under the protection of the server's logon monitor.
// This prevents a dogpile of multiple connections all attempting to
// log on at the same time using an obsolete password, potentially
// triggering the provider to block the account (Bug 1862111).
// We run this on the current thread, not proxied to the main thread!
logonFailed = true;
--- a/mailnews/imap/src/nsSyncRunnableHelpers.cpp
+++ b/mailnews/imap/src/nsSyncRunnableHelpers.cpp
@@ -442,17 +442,16 @@ NS_SYNCRUNNABLEATTRIBUTE(ImapServerSink,
NS_SYNCRUNNABLEMETHOD3(ImapServerSink, SetMailServerUrls, const nsACString&,
const nsACString&, const nsACString&)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetArbitraryHeaders, nsACString&)
NS_SYNCRUNNABLEMETHOD0(ImapServerSink, ForgetPassword)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetShowAttachmentsInline, bool*)
NS_SYNCRUNNABLEMETHOD3(ImapServerSink, CramMD5Hash, const char*, const char*,
char**)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetLoginUsername, nsACString&)
-NS_SYNCRUNNABLEMETHOD1(ImapServerSink, UpdateTrySTARTTLSPref, bool)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetOriginalUsername, nsACString&)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetServerKey, nsACString&)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetServerPassword, nsAString&)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, RemoveServerConnection, nsIImapProtocol*)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, GetServerShuttingDown, bool*)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, ResetServerConnection, const nsACString&)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, SetServerDoingLsub, bool)
NS_SYNCRUNNABLEMETHOD1(ImapServerSink, SetServerUtf8AcceptEnabled, bool)
--- a/mailnews/local/src/Pop3Client.sys.mjs
+++ b/mailnews/local/src/Pop3Client.sys.mjs
@@ -642,20 +642,17 @@ export class Pop3Client {
);
};
/**
* Decide the first auth method to try.
*/
_actionChooseFirstAuthMethod = async () => {
if (
- [
- Ci.nsMsgSocketType.trySTARTTLS,
- Ci.nsMsgSocketType.alwaysSTARTTLS,
- ].includes(this._server.socketType) &&
+ [Ci.nsMsgSocketType.alwaysSTARTTLS].includes(this._server.socketType) &&
!this._secureTransport
) {
if (this._capabilities.includes("STLS")) {
// Init STARTTLS negotiation if required by user pref and supported.
this._nextAction = this._actionStlsResponse;
// STLS is the POP3 command to init STARTTLS.
await this._send("STLS");
} else {