[Users] Claws uses insecure SMTP compared to Outlook or Thunderbird

marlene.pratt at hushmail.com marlene.pratt at hushmail.com
Sat Dec 14 00:42:56 CET 2013 

insecure = contains known vulnerabilities that have been fixed in newer versions

Using claws-mail on windows 7 x64 (installation package claws-mail-3.9.2git162-pkg46.exe).

Example configuration:

Using gmail server settings:
pop.gmail.com:995
smtp.gmail.com:465

In Account preferences:
POP3 - Use SSL for POP3 connection
SMTP - Use SSL for SMTP connection

When sending messages using SMTP, Claws currently negotiates:
version=SSLv3 cipher=RC4-SHA bits=128/128

SSLv3 was released in 1996, which was almost 18 years ago. There is no excuse for not negotiating TLSv1.2, which was released in 2008 (almost 6 years ago). This would fix a lot of the problems related to TLS. Naturally, both Outlook & Thunderbird have supported it for many years.

Declaring only support for SSLv3 and not TLSv1.0 (or TLSv1.1, TLSv1.2) prevents the server from negotiating AES (because it is not allowed in SSLv3), ECDHE & DHE (because they are part of the specification of TLSv1.0), and many other security related functions.

This problems can be currently overriden using gnutls_priority to demonstrate that everything still works correctly. By using the SECURE override on gnutls_priority, claws immediately speaks TLSv1.2 with gmail servers.

If you have any questions or need help with properly setting claws up, please do not hesitate to contact me.

NOTES:
1) Gmail is used by a massive number of email users, hence improving security with gmail should be a priority. Gmail supports TLSv1.2. It does not matter that other email providers might not support TLSv1.2 (most of them do) because there are fallback mechanisms that still allow the connection to work.
2) It is not sufficient to tell users to just configure the gnutls_priority themselves to get better security. Majority of users never change any defaults. People should be secure by default, without having to change any options.
3) GnuTLS already supports everything, there really is no coding that you need to do to improve this security.

More information about the Users mailing list