Your message dated Sun, 7 Feb 2016 20:26:16 +0100
with message-id <20160207202616.7308eff2@busgosu>
and subject line Re: Bug#814014: claws-mail: Information leakage when using
smtp + starttls
has caused the Debian Bug report #814014,
regarding claws-mail: Information leakage when using smtp + starttls
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
814014: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814014
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: claws-mail
Version: 3.11.1-3+deb8u1
Severity: important
Dear Maintainer,
claws-mail leaks the client hostname (or, if available, the FQDN), revealing
potentially confidential information about the network structure and allowing
the client to be (re-)identified on the network/internet.
Steps to reproduce:
Setup an account using starttls to secure the smtp connection.
Send an email while capturing the traffic using wireshark.
Look at the line with the ehlo command from the client to the server.
Actual results:
The client sends an ehlo request to the server to start the tls connection.
This request contains the hostname of the client.
e.g.
ehlo client123.company.domain
or
ehlo myuniquehostname
Expected results:
According to the smtp protocol definition, the ehlo command sends the "client"
FQDN to the remote server, assuming however a server to server connection.
Some other mail clients use the hostname for the ehlo command, some even use
the private IP (e.g. Outlook), which can be critical in case the client
uses a VPN connection.
The ehlo command does not need a specific string to be accepted by the server.
"ehlo random_string" is accepted just as well.
Since there is no need to send any specific information and according to RFC
2821 sending the hostname is not necessary, the optimal solution would be to
send a random string. That would also provide the most privacy.
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages claws-mail depends on:
ii libarchive13 3.1.2-11
ii libassuan0 2.1.2-2
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-18+deb8u2
ii libcairo2 1.14.0-2.1
ii libcompfaceg1 1:1.5.2-5
ii libdb5.3 5.3.28-9
ii libdbus-1-3 1.8.20-0+deb8u1
ii libdbus-glib-1-2 0.102-1
ii libenchant1c2a 1.6.0-10.1
ii libetpan17 1.5-2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-3+deb8u1
ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u4
ii libglib2.0-0 2.42.1-1
ii libgnutls-deb0-28 3.3.8-6+deb8u3
ii libgpg-error0 1.17-3
ii libgpgme11 1.5.1-6
ii libgtk2.0-0 2.24.25-3
ii libice6 2:1.0.9-1+b1
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u2
ii liblockfile1 1.09-6
ii libpango-1.0-0 1.36.8-3
ii libpangocairo-1.0-0 1.36.8-3
ii libpangoft2-1.0-0 1.36.8-3
ii libpisock9 0.12.5-dfsg-1
ii libsasl2-2 2.1.26.dfsg1-13+deb8u1
ii libsm6 2:1.2.2-1+b1
ii xdg-utils 1.1.0~rc1+git20111210-7.4
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages claws-mail recommends:
ii aspell-en [aspell-dictionary] 7.1-0-1.1
ii claws-mail-i18n 3.11.1-3+deb8u1
ii xfonts-100dpi 1:1.0.3
ii xfonts-75dpi 1:1.0.3
Versions of packages claws-mail suggests:
pn claws-mail-doc <none>
pn claws-mail-tools <none>
ii gedit 3.14.0-3
ii iceweasel [www-browser] 38.6.0esr-1~deb8u1
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi Timo,
On Sun, 07 Feb 2016 16:25:14 +0100
Timo <[email protected]> wrote:
> Package: claws-mail
> Version: 3.11.1-3+deb8u1
> Severity: important
>
> Dear Maintainer,
>
> claws-mail leaks the client hostname (or if available the FQDN) revealing
> potential confidential information about the network structure and
> allowing to (re-)identify the client on the network/internet.
You're exaggerating a bit. If the hostname is in the DNS the information
"leaked" is already public. If it is not, but exposes confidential
information about internal network structure, well, your network admin
is a bit naive, to say the least. Anyway…
[…]
> The ehlo command does not need a specific string to be accepted by the
> server. "ehlo random_string" is accepted just as well.
> Since there is no need to send any specific information and according to
> RFC 2821 sending the hostname is not necessary, the optimal solution would
> be to send a random string. That would also provide the most privacy.
… You can configure whatever you want to send in account preferences:
Go to the "Advanced" panel, enable the "Domain name" checkbox, and put a random
string there.
regards,
--
Ricardo Mones
The world will end in 5 minutes. Please log out. Unknown
--- End Message ---