Thread: Zimbra Desktop sends Yahoo password in the clear (not secure)

  1. #11
    Join Date
    Aug 2008
    Location
    St Pete FL USA
    Posts
    392
    Rep Power
    7

    Quote Originally Posted by holden View Post
    Really? Perhaps I'm missing something, when I connected to the Yahoo IMAP servers I had to send an ID saying I was Zimbra before they would let me authenticate. I also talked to the Yahoo! people at the hack day, and they said that Yahoo! didn't offer IMAP support.
    Then, according to what I've seen on the Intarwebs, they didn't know what they were talking about. Yahoo has supported IMAP, in one fashion or another, for some subset of customers or another, since 2006, at least.

    I didn't just use only my code to do this, I also attempted it in Evolution since I figured my IMAP implementation could be a bit off. Perhaps I missed something incredibly obvious (does happen from time to time). I'd be very interested in knowing what the correct IMAP settings are, rather than my reverse engineered ones since that would help with a project I am working on. Could you provide a pointer to that? It would be greatly appreciated, thanks.
    A pointer to what? How to make an SSL session to a server that refuses it?

    No, I'm pretty sure no one has a pointer to that.

    I'm under the impression that I was reasonably civil, but we often have better opinions of our own behavior.

    As to why you should be civil in general, I can't really make a good argument for that but it certainly would make this discussion easier.
    Holder has to be easier to get along with; he works there, I don't.

    And I'm not being uncivil.

    "Uncivil" would be "copyedit your blog before you hit post, dude; all the typos make you look dumb".

    Before dragging Zimbra's name into something that doesn't really have all that much to do with them -- if Yahoomail's server refuses IMAP/TLS, that's really not Zimbra's fault -- you should have done some more due diligence.

    I'm not trying to place blame on Zimbra.
    Quote Originally Posted by slashdot
    "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team.
    Sure looks like you are to me...

    And, again: Zimbra is, so far as I can tell, a tiny little division of Yahoo, not even in the same building -- and maybe not the same state -- with Yahoomail.

    Just cause it all says Yahoo on it... furrfu.

    My goal was to get this fixed. Perhaps Yahoo! was not the people to talk to, but they were sitting right across from me, and it was for Yahoo!'s IMAP servers so I figured they would be a reasonable group to talk to.
    And well they should have been.

    So, how does that justify your lede?

    Not in the chain of command? Maybe I don't understand how this works, but they were on the dev side of Yahoo! (not like HR or ops). If they had asked me to talk to someone specific at Zimbra I certainly would have, but they were just uninterested. If you feel that my blog post was uncalled for, I would respectfully disagree, but I think this is one of those situations where neither of us will convince the other, so agreeing to disagree may be the best course of action?
    I agree that if Yahoo mail people were uninterested that Yahoo mail's servers refused IMAP/TLS, that they suck, but we already knew Yahoomail sucked.

    I just don't see how that justifies dragging Zimbra's name through Slashdot's mud.
    Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA
    Try to Ask Questions The Smart Way -- you'll get better answers.

    Put your product and version in your profile/signature - All opinions strictly my own, even though I have an employer these days.
    If you [SOLVE] something, please tell everyone how for the archives
    And, please... read what people write, and answer the questions they asked, not the ones they didn't.

  2. #12
    Join Date
    Jun 2008
    Posts
    5
    Rep Power
    7

    Quote Originally Posted by Baylink View Post

    A pointer to what? How to make an SSL session to a server that refuses it?

    No, I'm pretty sure no one has a pointer to that.
    A bit of misunderstanding, your previous post implied that more than just Zimbra could talk to the IMAP servers, I would like information about that. They did have a beta awhile back in 2006ish with IMAP, but those servers are no longer online.

    And I'm not being uncivil.

    "Uncivil" would be "copyedit your blog before you hit post, dude; all the typos make you look dumb".
    If that is your personal bar, very well. To each his own.

    So, how does that justify your lede?
    My understanding was no one was interested, so the best way to get the security bug fixed was notifying the public.

    As far as the Slashdot story, I was (and still am) under the impression that the IMAP servers were set up specifically for Zimbra, and the security problem only affects Zimbra Desktop users, so really I see no way around mentioning Zimbra. Perhaps I could have found better wording, but I had just done a 24-hour hack day.

    Anyways, we don't seem to be going anywhere productive with this so I'm going to go back to writing code for awhile. Cheers

  3. #13
    Join Date
    Jul 2008
    Posts
    11
    Rep Power
    7

    Quote Originally Posted by holden View Post
    A bit of misunderstanding, your previous post implied that more than just Zimbra could talk to the IMAP servers, I would like information about that. They did have a beta awhile back in 2006ish with IMAP, but those servers are no longer online.
    As far as I'm aware, the only other device/program that uses IMAP with Yahoo Mail is the iPhone's Yahoo Mail application.

  4. #14
    Join Date
    Jan 2007
    Posts
    1,688
    Rep Power
    11

    Quote Originally Posted by holden View Post
    Why wasn't SSL enabled in the first place?
    Also, I find it a bit odd that it's fixed in your code base, when I attempted to connect using SSL with the Yahoo IMAP servers they promptly hung up on me, are there some changes to be rolled out to the Yahoo IMAP servers as well?
    (or have you gone to even greater lengths to obfuscate the IMAP connection between Zimbra & Yahoo to keep third parties out)?
    This issue has been addressed on the Yahoo Mail server side and the patches have just been rolled out to all servers. We added related support in the desktop client code and it's in the next release. Once we roll out the next release, the server will phase out the old way of authentication. The new way of authentication will not send the password over clear channels.
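
    An added example, not part of the original thread and not Zimbra's or Yahoo's code: a client-side policy check, following the CAPABILITY, STARTTLS and LOGINDISABLED rules of RFC 3501, that refuses to authenticate over an unencrypted IMAP session instead of falling back to a cleartext LOGIN. The function names, the hostname and the sample server responses are constructed for illustration.

```python
import re

def parse_capabilities(line):
    """Return the capability atoms from an untagged CAPABILITY response or
    from a [CAPABILITY ...] response code in the server greeting."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\* CAPABILITY (.*)$", line.strip(), re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def auth_decision(caps, tls_active):
    """Pick the next client action without ever exposing the password.
    Capabilities read before TLS are unauthenticated, so the policy never
    falls back to a cleartext login when encryption is unavailable."""
    mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    if not tls_active:
        if "STARTTLS" in caps:
            return ("starttls", "upgrade, then request CAPABILITY again")
        return ("abort", "no TLS offered; password would be sent in clear")
    if mechs:
        return ("authenticate", "AUTHENTICATE " + mechs[0])
    if "LOGINDISABLED" in caps:
        return ("abort", "server forbids LOGIN and offers no SASL mechanism")
    return ("login", "LOGIN over the encrypted channel")

# Constructed sample responses (not captured from any real server).
SAMPLES = [
    ("* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] imap.example.test ready", False),
    ("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED", False),
    ("* CAPABILITY IMAP4rev1 AUTH=PLAIN", True),
    ("* CAPABILITY IMAP4rev1 LOGINDISABLED", True),
]

def evaluate(samples=SAMPLES):
    """Return only the chosen action for each (response line, tls) pair."""
    return [auth_decision(parse_capabilities(l), tls)[0] for l, tls in samples]

if __name__ == "__main__":
    for (line, tls), action in zip(SAMPLES, evaluate()):
        print(f"tls={tls!s:5} {action:12} <- {line}")
```

    The first sample models the situation discussed in this thread: a server that offers no TLS at all, where the only safe client behaviour is to stop before sending credentials.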

  5. #15
    Join Date
    Aug 2008
    Location
    St Pete FL USA
    Posts
    392
    Rep Power
    7

    Quote Originally Posted by Morac View Post
    As far as I'm aware, the only other device/program that uses IMAP with Yahoo Mail is the iPhone's Yahoo Mail application.
    Well, lots of mid-2007 forum traffic suggests that the iPhone has (or had) some IMAP access to Yahoomail as well; I was going on that, and hadn't seen that the earlier betas had been killed.

    Was the iPhone dropped as well?

    John, could we get an authoritative answer from whatever contacts you might have on the production side as to exactly what the IMAP situation is for Yahoomail (and hosted domains, of course, which was another part of my assertion)?
    Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA

  6. #16
    Join Date
    Aug 2008
    Location
    St Pete FL USA
    Posts
    392
    Rep Power
    7

    Additionally:

    Code:
    113-253:/windows/E/proj # dig imap.apple.mail.yahoo.com
    
    ; <<>> DiG 9.3.2 <<>> imap.apple.mail.yahoo.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65181
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 7
    
    ;; QUESTION SECTION:
    ;imap.apple.mail.yahoo.com.     IN      A
    
    ;; ANSWER SECTION:
    imap.apple.mail.yahoo.com. 1800 IN      CNAME   imap.mail.yahoo.com.
    imap.mail.yahoo.com.    600     IN      CNAME   imap.mail.global.yahoo-ht2.akadns.net.
    imap.mail.global.yahoo-ht2.akadns.net. 300 IN CNAME imap-us.mail.yahoo.com.
    imap-us.mail.yahoo.com. 1800    IN      A       76.13.13.150
    imap-us.mail.yahoo.com. 1800    IN      A       74.6.114.111
    See also: Free Yahoo IMAP? Where? - Mac Forums
    Last edited by Baylink; 09-29-2008 at 09:47 AM.
    Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA

  7. #17
    Join Date
    Jan 2007
    Posts
    1,688
    Rep Power
    11

    iPhone does have access to Yahoo Mail IMAP, and so do WM6 phones.

  8. #18
    Join Date
    Aug 2008
    Location
    St Pete FL USA
    Posts
    392
    Rep Power
    7

    See? I thought so.

    Holden; I hope this answers your question. No, I don't have any details, but yes, there is some 'official' IMAP access to some Yahoo hosted mail from some devices.
    Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA
