net/smtp: PlainAuth forces SSL encrypted connection #5184

Closed
gopherbot opened this issue Apr 2, 2013 · 5 comments

Comments

@gopherbot

by snoreven45:

net/smtp forces an SSL encrypted connection when using PlainAuth (error
"unencrypted connection").

It's not the task of an SMTP library to decide what's good for the developer/user; it should
just let him use the protocol however he wants.
@bradfitz
Contributor

bradfitz commented Apr 2, 2013

Comment 1:

The argument from Maxim Khitrov on the mailing list was:
--------
RFC 4954 requires the client and server to only use PLAIN
authentication after establishing TLS. At the same time, it says
"Server sites SHOULD NOT use any configuration which permits a
plaintext password mechanism without such a protection mechanism
against password snooping."
I think the proper way to handle this in the client is to check
whether the PLAIN authentication mechanism was advertised. In other
words, replace the simple "!server.TLS" check at
src/pkg/net/smtp/auth.go:56 (go 1.0.3) with something that looks
through server.Auth entries. This way, the server decides what is
allowed. I do the same thing in my IMAP library, permitting the LOGIN
command only when LOGINDISABLED capability is not advertised.
-------

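The policy argued for in Comment 1, as an added example (not Go's net/smtp code and not from the CL linked below): PLAIN is permitted over TLS, and on a plaintext connection only if the server's EHLO reply advertised it. `ServerInfo`, `ParseEHLO` and `CheckPlainAllowed` are local names chosen for this illustration; the EHLO reply is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ServerInfo is a local stand-in for the fields of net/smtp.ServerInfo that
// the check needs (hypothetical copy, not the stdlib type).
type ServerInfo struct {
	TLS  bool     // true once the connection has been upgraded with STARTTLS
	Auth []string // AUTH mechanisms advertised in the EHLO reply
}

// ParseEHLO extracts advertised AUTH mechanisms from a multi-line EHLO reply
// ("250-AUTH PLAIN LOGIN" or, on the final line, "250 AUTH PLAIN LOGIN").
func ParseEHLO(reply string) []string {
	var mechs []string
	for _, line := range strings.Split(reply, "\r\n") {
		if len(line) < 4 || !strings.HasPrefix(line, "250") {
			continue
		}
		fields := strings.Fields(line[4:]) // drop "250-" or "250 "
		if len(fields) > 1 && strings.EqualFold(fields[0], "AUTH") {
			mechs = append(mechs, fields[1:]...)
		}
	}
	return mechs
}

// ErrUnencrypted mirrors the error text quoted in the issue report.
var ErrUnencrypted = errors.New("unencrypted connection")

// CheckPlainAllowed lets the server decide: TLS always suffices, otherwise
// PLAIN must have been advertised in server.Auth.
func CheckPlainAllowed(server *ServerInfo) error {
	if server.TLS {
		return nil
	}
	for _, m := range server.Auth {
		if m == "PLAIN" {
			return nil
		}
	}
	return ErrUnencrypted
}

func main() {
	// Constructed reply from a server that advertises PLAIN without TLS.
	reply := "250-mail.example.test\r\n250-SIZE 10240000\r\n250-AUTH PLAIN LOGIN\r\n250 HELP"
	srv := &ServerInfo{Auth: ParseEHLO(reply)}
	fmt.Println(srv.Auth, CheckPlainAllowed(srv)) // [PLAIN LOGIN] <nil>
}
```

On a plaintext connection the EHLO reply itself is unauthenticated, so this check relies on the advertisement having reached the client unmodified.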
@edsrzf

edsrzf commented Apr 2, 2013

Comment 2:

It may be worth noting that the original CL for net/smtp allowed PlainAuth any time, but
rsc requested that it check for TLS.

@bradfitz
Contributor

bradfitz commented Apr 2, 2013

Comment 3:

Also from golang-nuts:
"Indeed. I have some planned deployments based on Brad's go-smtpd that'll only listen on
the lo device. If those packets get snooped, I would have already had much bigger
problems than stolen passwords."

Status changed to Accepted.

@bradfitz
Contributor

bradfitz commented Apr 2, 2013

Comment 4:

Mailed https://golang.org/cl/8279043

@bradfitz
Contributor

bradfitz commented Apr 3, 2013

Comment 5:

This issue was closed by revision ca24f9e.

Status changed to Fixed.

@golang golang locked and limited conversation to collaborators Jun 24, 2016