4664 – OAUTH2 overwrites passwords even for plaintext logins

Bug 4664 - OAUTH2 overwrites passwords even for plaintext logins

Summary: OAUTH2 overwrites passwords even for plaintext logins

Status:	RESOLVED FIXED

Alias:	None

Product:	Claws Mail
Classification:	Unclassified
Component:	OAuth2 (show other bugs)
Version:	4.2.0
Hardware:	PC Linux

Importance:	P3 normal
Assignee:	users

URL:

Depends on:
Blocks:

Reported:	2023-02-20 21:39 UTC by Roland Haas
Modified:	2023-02-21 17:49 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
possible fix for IMAP receive (1.03 KB, patch) 2023-02-20 21:39 UTC, Roland Haas	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Description Roland Haas 2023-02-20 21:39:55 UTC

Created attachment 2322 [details]
possible fix for IMAP receive

When selecting OATUH2 for either send (SMTP) or receive (IMAP in my case) ClawsMail will overwrite both send and receive passwords with the OAUTH2 token even if that login uses a non-OAUTH password.

In my case I use my employer's SMTP server (secured via OAUTH2) to send but a local IMAP server to hold incoming mail (plaintext password).

Currently I patch oauth2.c as shown in the attached patch, which fixes the issue for me. However the patch is not eg handling POP3 accounts so is more of a detailed explanation rather than a fix.

Comment 1 Michael Rasmussen 2023-02-20 22:31:40 UTC

I am not so sure about this patch cause it could break reply-to if the receiving MTA validates if the sending server is allowed to act as mail sender for the specific mail domain.

Comment 2 Michael Rasmussen 2023-02-20 22:34:25 UTC

Also, I am not familiar with any MTA which uses OAUTH for receiving and plain password for sending. Would somewhat break the protocol.

Comment 3 Roland Haas 2023-02-20 22:48:58 UTC

Since sending (SMTP) and receiving (IMAP) are different servers, I myself see no reason to assume they use the same authentication mechanism. ClawsMail does not do so either it seems, having separate password and method fields for them.

I am not sure I understand comment:1. The SMTP server used in my case is indeed the one for my email address' email domain (@illinois.edu and the server is Microsoft's smtp.office.com). The IMAP server is my own and receives emails that are forwarded to it.

The setup is like this:
             /- MS Outlook -- forwards to -> private IMAP server \
internet ----                                                    -- claws mail
             \- MS SMTP <- sends email to --------------------- /

So email always is sent to (by outside clients) to the official server and is received from the official server.

The patch is certainly not intended as a final fix, since at the very least it does not handle POP3 accounts. It serves only as an illustration of the code that makes things behave the way I would expect for a situation where the authentication method selected in the UI for receive is Plaintext and that for sending is OAUTH2.

Comment 4 Paul 2023-02-21 17:49:31 UTC

This is now fix in git, based on your patch but also including POP accounts. Many thanks for the patch!

Note You need to log in before you can comment on or make changes to this bug.