Feature #9303

Consider proposing POP instead of IMAP by default

Added by sajolida 2015-04-30 07:40:25. Updated 2016-06-26 08:14:00.

Status: Resolved
Priority: Elevated
Assignee:
Category:
Target version:
Start date: 2015-04-30
Due date:
% Done: 100%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool: Email Client
Deliverable for: 268

Description

In the light of Bug #8999, IMAP will most likely keep on having security issues for people doing encrypted emails without them noticing. So I’m wondering why we propose POP by default and not IMAP (as in Claws by default).

  • If we are afraid of people losing emails while doing configuration attempts, then we could configure POP to not remove email from the server by default.
  • Furthermore, doing POP over Tor must be way more comfortable than doing IMAP.
  • This will likely have some beneficial side effect as more people might configure their POP through the configuration assistant and avoid the persistence issue of Feature #6263.

Related issues

Related to Tails - Feature #9159: Test that the persistence bug of Claws is documented correctly Resolved 2015-04-06

History

#1 Updated by sajolida 2015-05-01 10:32:43

  • Target version set to Tails_1.4

Sorry, I forgot to put this as for 1.4. As it could be a workaround for the Claws Mail security issue it deserves a bit of early attention.

#2 Updated by sajolida 2015-05-03 05:38:18

  • related to Feature #9159: Test that the persistence bug of Claws is documented correctly added

#3 Updated by intrigeri 2015-05-04 04:34:21

  • Assignee set to sajolida
  • Type of work changed from Discuss to Research

During the monthly meeting we agreed that this would be good, if we can preconfigure it to not delete messages from the server by default (which makes sense especially in an amnesic live system). sajolida will investigate if we can do that.

#4 Updated by sajolida 2015-05-04 06:47:19

Actually, it’s not possible to preconfigure POP to not remove emails by default. The only things that can be preconfigured in Claws are the fields from the account assistant (and this through the account.tmpl file) :(

So we can’t apply the decision of yesterday’s meeting…

#5 Updated by sajolida 2015-05-04 06:49:38

  • Assignee deleted (sajolida)
  • Type of work changed from Research to Discuss

Deassign this from me. I’m not sure whether we should still propose IMAP by default but I’m tired of that stuff… If no clear decision is taken in time for 1.4 then this could remain an open question for the future (until we get rid of Claws).

#6 Updated by intrigeri 2015-05-04 08:11:34

> I’m not sure whether we should still propose IMAP by default

Deleting email from the server in the default email client configuration of an amnesic live system feels like a recipe for disaster, and users shouting at us because they’ve lost their email. FWIW, during yesterday’s meeting a few people seemed to voice similar opinions, and I don’t remember anyone arguing that defaulting to POP that deletes messages on the server would be good.

> but I’m tired of that stuff…

/me sends lots of Club Mate and tickets for afternoons at the beach to sajolida.

> If no clear decision is taken in time for 1.4 then this could remain an open question for the future (until we get rid of Claws).

I’m personally (surprise!) in favor of forgetting this ticket as far as Claws Mail is concerned: the mitigation it would bring us would only apply to new users anyway. Still, it’s an entirely valid question for when we move to Icedove => IMO the next step is to research if we can have “POP3 without deleting messages on the server” by default in Icedove.

#7 Updated by sajolida 2015-05-05 14:05:33

  • Priority changed from Elevated to Normal
  • Target version deleted (Tails_1.4)
  • Type of work changed from Discuss to Code

Ok, I agree with your reasoning. Let’s forget about this for Claws and keep it as a coding task for Icedove. Removing it from 1.4.

#8 Updated by sajolida 2015-05-05 14:08:16

  • Type of work changed from Code to Discuss

Hey, but then the advantages of POP over IMAP on Icedove in terms of security are not that clear. So defaulting to IMAP might still be the way to go. So that’s a discussion actually.

#9 Updated by intrigeri 2015-05-05 18:22:19

> Hey, but then the advantages of POP over IMAP on Icedove in terms of security are not that clear.

(In what follows, I’m assuming that the POP3 protocol doesn’t allow to send messages to the server — I hope I’m correct here.)

To me, the advantages in terms of security are clear: POP3 provides an additional layer of safety against software bugs or mis-configuration. E.g. say we carefully check that Icedove/Enigmail vs. IMAP + OpenPGP behaviour is currently safe, default settings can change in the future, bugs can be introduced, and as a result it can become unsafe without us noticing… potentially for years. I don’t think any such thing can happen with POP3.

Also, even careful checks can miss problems, as we’ve seen recently (it’s taken us many years to be reported the Claws Mail vs. IMAP + OpenPGP problem, and one of our top-notch contributors missed one of the main issues with Claws Mail usage of the Queue folder, even after many hours testing and investigating specifically this class of problems).

To sum up, “POP3 without deleting messages on the server” feels like both a future-proof and fool-proof default to me. But I’ve no idea if we can ask Icedove to default to that.

#10 Updated by intrigeri 2015-05-06 09:25:47

Reparenting, since that’s now a question we need to decide about for Icedove, not for Claws Mail.

#11 Updated by intrigeri 2015-05-29 12:24:14

#12 Updated by intrigeri 2015-05-29 12:44:23

  • Assignee set to kytv
  • Target version changed from Sustainability_M1 to 246

#13 Updated by intrigeri 2015-05-29 12:44:34

  • blocks #8668 added

#14 Updated by kytv 2015-07-25 03:54:33

When I added Icedove, its localization addons, and Torbirdy to the Tails package list and built a new ISO, the settings defaulted to

  ✔ Leave messages on server
      ✔ for at most 14 days
      ✔ until I delete them

If this is acceptable, we already got this for free just by installing Icedove and Torbirdy.

#15 Updated by sajolida 2015-07-28 07:17:08

First of all, keep in mind that this ticket was proposed partly because Claws Mail was leaking emails in cleartext with IMAP and not with POP. I hope this is not the case with Enigmail in Icedove. Still, POP would probably provide a more reactive interface than IMAP even in Icedove.

I think that the default options that you saw are almost acceptable but can still lead to email deletion. For example, if you download everything, then emails older than 14 days are deleted from the server and if your persistence is badly configured you might lose them forever.

So the best would be to have by default:

✔ Leave messages on server
- for at most 14 days
- until I delete them

Hopefully, I guess that Icedove will be easier to preconfigure than Claws.

#16 Updated by intrigeri 2015-08-03 04:48:03

> Hopefully, I guess that Icedove will be easier to preconfigure than Claws.

For per-account settings, I have my doubts.

#17 Updated by intrigeri 2015-08-03 04:51:02

> So the best would be to have by default:

As written above, and as discussed at a monthly meeting already, I agree we should never ship a MUA that defaults to delete email from the remote server ⇒ if that’s too hard to achieve with Icedove as well, let’s stick with IMAP by default.

#18 Updated by sajolida 2015-08-03 07:39:03

  • Type of work changed from Discuss to Research

Next step is to research whether it’s possible in Icedove to propose POP without deletion on the server by default in the configuration wizard.

#19 Updated by sajolida 2015-08-14 06:25:54

  • Deliverable for set to 268

Actually, if we can have IMAP synchronization by default: allow people to work offline or with a poor Internet connection, then I prefer it to POP.

Anyway, let’s decide on this for the first release of Icedove in Tails.

#20 Updated by kytv 2015-09-27 17:50:30

  • Target version changed from 246 to Tails_1.7

#21 Updated by anonym 2015-10-26 04:24:42

  • Priority changed from Normal to Elevated
  • QA Check set to Dev Needed

Meta: I had missed this ticket and thought that since we used IMAP in Claws, that was what we were gonna use in Icedove.

sajolida wrote:
> Next step is to research whether it’s possible in Icedove to propose POP without deletion on the server by default in the configuration wizard.

I did a tiny investigation:

  • To leave messages is the default, i.e. pref: mail.server.$ACCOUNT.leave_on_server = true. Strangely, mail.server.default.leave_on_server = false, so I don’t know why we get that (neither we nor Torbirdy tries to fix this AFAICT).
  • Unfortunately, the default is also to do it only “for at most 14 days”, i.e. pref: mail.server.$ACCOUNT.num_days_to_leave_on_server = 14. On the other hand, I downloaded a full inbox with this default without messages being deleted. Still, it doesn’t feel safe.
  • Worse, we cannot set a default like mail.server.default.num_days_to_leave_on_server = 0 because of an upstream WONTFIX bug.

Perhaps it would make sense to have Torbirdy set those two prefs sensibly upon account creation? I.e.

mail.server.$ACCOUNT.leave_on_server = true
mail.server.$ACCOUNT.num_days_to_leave_on_server = 0
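
An added example, not part of the ticket or of Tails/Torbirdy code: a small audit that reads the text of an Icedove profile's prefs.js and reports POP3 accounts that are not pinned to the two values proposed in comment #21. The `user_pref(...)` line format, the `serverN` account keys and the `type` pref are assumptions about the profile layout; treating a missing pref as a finding is this example's own conservative choice.

```python
import re
from collections import defaultdict

# Matches lines such as: user_pref("mail.server.server1.type", "pop3");
PREF_RE = re.compile(
    r'^\s*user_pref\("mail\.server\.(server\d+)\.(\w+)",\s*(.+?)\);\s*$')

def load_servers(prefs_text):
    """Group mail.server.serverN.* prefs by server key, decoding literals."""
    servers = defaultdict(dict)
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, name, raw = m.groups()
        if re.fullmatch(r"-?\d+", raw):
            servers[key][name] = int(raw)
        else:
            servers[key][name] = {"true": True, "false": False}.get(raw, raw.strip('"'))
    return servers

def audit_pop3(prefs_text):
    """Return {server: [problems]} for POP3 accounts not pinned to the
    proposed values; a pref absent from prefs.js is reported as well."""
    findings = {}
    for key, prefs in sorted(load_servers(prefs_text).items()):
        if prefs.get("type") != "pop3":
            continue  # IMAP and local accounts are out of scope here
        problems = []
        if prefs.get("leave_on_server") is not True:
            problems.append("leave_on_server is not true")
        if prefs.get("num_days_to_leave_on_server") != 0:
            problems.append("num_days_to_leave_on_server is not 0")
        if problems:
            findings[key] = problems
    return findings

# Constructed sample input, not taken from a real profile.
SAMPLE = """\
user_pref("mail.server.server1.type", "pop3");
user_pref("mail.server.server1.leave_on_server", true);
user_pref("mail.server.server1.num_days_to_leave_on_server", 14);
user_pref("mail.server.server2.type", "imap");
user_pref("mail.server.server3.type", "pop3");
user_pref("mail.server.server3.leave_on_server", true);
user_pref("mail.server.server3.num_days_to_leave_on_server", 0);
user_pref("mail.server.server4.type", "pop3");
user_pref("mail.server.server4.leave_on_server", false);
"""
```

On the constructed sample, `audit_pop3(SAMPLE)` reports server1 (14-day limit still set) and server4 (deletion enabled, day limit unset), and passes server3.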

#22 Updated by anonym 2015-10-26 05:46:17

I think, also, that POP vs IMAP is a question of persistent ~/.icedove vs an amnesic one. POP is a pretty bad choice in an amnesic session, and the larger the inbox, the worse it is.

I think the following is worth considering, to get the best out of two worlds:

  1. We make POP the default, since it’s safe.
  2. We make the Icedove wrapper check if ~/.icedove is persistent. If not, then we make IMAP the default.

#23 Updated by sajolida 2015-10-26 08:37:13

  • Description updated

We’re on the day before the freeze, so we should probably postpone this idea until 1.9.

I confirm what kytv said, leave_on_server is on by default with num_days_to_leave_on_server = 14 even on Icedove with Torbirdy.

Let’s go back to what were the reasons for me to propose this:

  • Security issues with IMAP and GnuPG in Claws. If we’re confident enough that this is not happening with Icedove and Enigmail and won’t ever happen, then we might discard this as an argument.
  • Speed of operation over Tor. Claws Mail was very slow and I’m not sure IMAP messages were cached (nobody provided information about that). Now I checked with Icedove and emails are cached automatically (option called "Keep messages for this account on this computer").

#24 Updated by sajolida 2015-10-26 08:50:23

So yes, I agree with anonym that we could do POP if downloading to persistence, and IMAP if downloading to RAM. But that sounds like quite some more work than what we should commit to for a first implementation. I read the whole thread again, and of the two reasons that were provided, the one about reactivity is pretty much dead since Icedove has caching and the one about security probably boils down to being future-proof as pointed out by intrigeri in Feature #9303#note-9.

#25 Updated by Anonymous 2015-10-26 09:33:31

I also agree with anonym’s proposal: POP if ~/.icedove is persistent else IMAP.

#26 Updated by kytv 2015-10-26 12:46:53

Sounds good to me. It’d be very difficult to do this without https://trac.torproject.org/projects/tor/ticket/17426 being addressed.

Anyone opposed to anonym’s suggestion?

#27 Updated by sajolida 2015-10-27 06:36:18

I’m fine with anonym’s suggestion. Do you think that’s realistic for Tails 1.9?

#28 Updated by kytv 2015-10-27 07:30:35

sajolida wrote:
> I’m fine with anonym’s suggestion. Do you think that’s realistic for Tails 1.9?

If allowing the default (POP3 vs IMAP) to be configurable in torbirdy (upstream ticket 17426) is done in time, yes.

#29 Updated by intrigeri 2015-10-27 11:01:48

> If making the default configurable in torbirdy (upstream ticket 17426) is done in time, yes.

Just curious: is there a plan to implement it ourselves if upstream doesn’t do so after some deadline we set?

#30 Updated by kytv 2015-11-04 09:26:13

intrigeri wrote:
> > If making the default configurable in torbirdy (upstream ticket 17426) is done in time, yes.
>
> Just curious: is there a plan to implement it ourselves if upstream doesn’t do so after some deadline we set?

That is an excellent question. I don’t know how much work it would involve and how high the learning curve would be for someone that doesn’t yet know JS to do the work.

#31 Updated by kytv 2015-11-04 09:27:02

Note: I removed the parent task because I received an error “parent task is invalid” when I tried to update this ticket.

#32 Updated by intrigeri 2015-11-05 02:36:33

#33 Updated by intrigeri 2015-11-05 02:39:24

I wonder if Torbirdy’s authors understood that what we’re asking them is not about the default their own account setup wizard should propose (in 1.9 we want to replace their wizard with Icedove’s one).

#34 Updated by sajolida 2015-11-06 01:39:39

#35 Updated by sajolida 2015-11-06 01:40:41

#36 Updated by sajolida 2015-11-06 01:41:16

Trying to update with parent task deleted again and added back.

#37 Updated by kytv 2015-11-17 15:51:42

  • Status changed from Confirmed to Resolved
  • Assignee deleted (kytv)
  • QA Check deleted (Dev Needed)

Created Feature #10574 for the implementation.

#38 Updated by BitingBird 2016-06-26 08:14:00

  • % Done changed from 0 to 100