
TLS is not properly enforced for IMAP connections

Open mpurg opened this issue 11 months ago • 2 comments

In function get_imap_port(), if IO::Socket::SSL is not available TLS will be disabled with only a warning: https://github.com/msimerson/mail-dmarc/blob/ac6d3ad2e50c79a409c0fc642ffc2816c2018827/lib/Mail/DMARC/Report/Receive.pm#L191

Considering that in this case the credentials are sent in plain text, it might be better to change the default behavior to fail. The user could opt-in via a configuration option (e.g. allow_insecure_imap).

In the same function, the verification of server certificates is disabled if Mozilla::CA is not available. This largely defeats the purpose of using TLS, making it susceptible to MITM attacks. Please consider using the defaults provided by IO::Socket::SSL, as recommended here: https://metacpan.org/pod/IO::Socket::SSL#Common-Usage-Errors

mpurg avatar Mar 22 '24 11:03 mpurg

I'm thinking:

  1. make port detection explicit and default to 993. The only way to get a port 143 connection is to ask for it.
  2. add an SSL_verify_mode setting in the config, for users that need it.

msimerson avatar Mar 25 '24 18:03 msimerson
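The following is an added illustration of the fail-closed policy discussed in the issue and in the two-point plan above; it is not Mail::DMARC code and does not reproduce its get_imap_port(). It assumes a config hash with the keys host, port, allow_insecure and ssl_verify_mode (names chosen here, not taken from the project), and opens the socket with IO::Socket::SSL directly rather than through Net::IMAP::Simple. The policy: port 993 with TLS by default, plaintext only when port 143 is explicitly requested together with allow_insecure, a hard error (not a warning) when IO::Socket::SSL is missing, and certificate verification left at the IO::Socket::SSL defaults unless the admin sets SSL_verify_mode.

```perl
#!/usr/bin/env perl
# Added example, not part of Mail::DMARC. Demonstrates an IMAP connection
# policy that fails closed instead of silently downgrading to plaintext.
use strict;
use warnings;
use Carp qw(croak);

# Turn a config hash into connection parameters, refusing unsafe combinations.
# Config keys (assumed for this example): host, port, allow_insecure, ssl_verify_mode.
sub imap_connection_params {
    my ($conf) = @_;
    croak "imap.host is required" unless defined $conf->{host};

    # Port selection is explicit: default to 993 (implicit TLS). The only way
    # to get a plaintext port 143 session is to ask for it in the config.
    my $port = $conf->{port} // 993;
    my %params = (host => $conf->{host}, port => $port);

    if ($port == 143) {
        # Plaintext sends the password in the clear; require an explicit opt-in.
        croak "plaintext IMAP on port 143 requires imap.allow_insecure = 1"
            unless $conf->{allow_insecure};
        $params{tls} = 0;
        return \%params;
    }

    # TLS path: a missing SSL module is a fatal error, never a warning.
    eval { require IO::Socket::SSL; 1 }
        or croak "IO::Socket::SSL is required for TLS IMAP connections: $@";

    # Rely on IO::Socket::SSL defaults: peer verification on, CA store located
    # by the module (system store or Mozilla::CA). Send SNI for the host name.
    my %ssl = (SSL_hostname => $conf->{host});

    # Only override verification when the administrator explicitly sets it.
    $ssl{SSL_verify_mode} = $conf->{ssl_verify_mode}
        if defined $conf->{ssl_verify_mode};

    $params{tls}         = 1;
    $params{ssl_options} = \%ssl;
    return \%params;
}

# Open the socket according to the computed parameters and return it.
# Dies with the TLS error (e.g. certificate verify failure) instead of
# falling back to an unverified or plaintext session.
sub imap_connect {
    my ($conf) = @_;
    my $p = imap_connection_params($conf);

    if ($p->{tls}) {
        my $sock = IO::Socket::SSL->new(
            PeerHost => $p->{host},
            PeerPort => $p->{port},
            %{ $p->{ssl_options} },
        ) or croak "TLS connect to $p->{host}:$p->{port} failed: "
                   . ($IO::Socket::SSL::SSL_ERROR // $!);
        return $sock;
    }

    require IO::Socket::INET;
    return IO::Socket::INET->new(
        PeerHost => $p->{host},
        PeerPort => $p->{port},
        Proto    => 'tcp',
    ) or croak "connect to $p->{host}:$p->{port} failed: $!";
}

# Demonstrate the policy decisions on constructed configs (no network needed).
unless (caller) {
    my @cases = (
        { host => 'imap.example.test' },                              # TLS, 993
        { host => 'imap.example.test', port => 143 },                 # refused
        { host => 'imap.example.test', port => 143, allow_insecure => 1 },
        { host => 'imap.example.test', ssl_verify_mode => 0 },        # admin override
    );
    for my $c (@cases) {
        my $p = eval { imap_connection_params($c) };
        if ($@) {
            print "config {", join(', ', map {"$_=$c->{$_}"} sort keys %$c),
                  "} => refused: $@";
        } else {
            printf "config port=%s => port %d, tls=%d%s\n",
                $c->{port} // 'default', $p->{port}, $p->{tls},
                $p->{tls} && exists $p->{ssl_options}{SSL_verify_mode}
                    ? " (SSL_verify_mode overridden)" : "";
        }
    }
}
```

The demo block exercises only the decision function, so it runs without a mail server; imap_connect() is where a certificate failure now surfaces as an error the operator sees, rather than a warning followed by a successful but unverified login.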

Sounds good, thanks for the prompt response!

mpurg avatar Mar 26 '24 09:03 mpurg