Commit f9142ca6 authored by intrigeri's avatar intrigeri

Patch Thunderbird packages from Debian when building Tails images (refs: #16834, #6156).

This avoids the need to build and upload Thunderbird packages every now and
then. Instead, we'll need to refresh our patches when they don't apply
as-is anymore.

Current patchset imported from our icedove.git at
commit a3eab1e85558f2c9cf01d332920ac81fea3cd9fd.
parent ce2a6d5f
......@@ -76,11 +76,6 @@ Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-sou
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: We ship our custom-built Thunderbird for now, see #6156
Package: thunderbird* calendar-google-provider
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Explanation: src:libdrm
Package: libdrm*
Pin: release o=Debian,n=stretch-backports
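#!/bin/sh
# Build hook: patch Thunderbird's account setup wizard inside omni.ja and
# re-normalize the archive so the resulting image stays reproducible.
set -e
set -u

echo "Patching the Thunderbird account setup wizard"

# Import strip_nondeterminism_wrapper
. /usr/local/lib/tails-shell-library/build.sh

# The archive timestamp is mandatory for a reproducible zip. Check it after
# sourcing build.sh (in case that is where it gets defined) and fail with a
# readable message instead of set -u's generic "unbound variable" error.
: "${SOURCE_DATE_EPOCH:?SOURCE_DATE_EPOCH must be set for reproducible builds}"

OMNI_JA=/usr/share/thunderbird/omni.ja
PATCHES_DIRECTORY=/usr/share/tails/build/thunderbird-patches

# Unpack, apply the patch series, repack in place. Any patch that no longer
# applies aborts the build here (patch-thunderbird runs under set -e).
/usr/share/tails/build/patch-thunderbird "$OMNI_JA" "$PATCHES_DIRECTORY"

# Normalize zip metadata (entry timestamps etc.) of the repacked archive.
# stderr is silenced as before; a non-zero exit still aborts via set -e.
strip_nondeterminism_wrapper \
    --type zip \
    --timestamp "$SOURCE_DATE_EPOCH" \
    "$OMNI_JA" 2>/dev/null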
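#!/bin/sh
# Apply a quilt-style patch series to a Thunderbird omni.ja archive, in place.
#
# Usage: patch-thunderbird OMNI_JA PATCHES_DIRECTORY
#
# PATCHES_DIRECTORY must contain a "series" file listing the patches to apply,
# one per line ('#' comments and blank lines are ignored). The patches are
# written against the comm-central source tree; their paths are rewritten to
# the layout used inside omni.ja before being fed to patch(1).
#
# Exit status: 1 if OMNI_JA is unreadable, 2 if PATCHES_DIRECTORY is not a
# directory, 3 if nothing could be extracted from the archive; any other
# failure (a patch not applying, 7z failing to repack, ...) aborts via set -e.
set -e
set -u

OMNI_JA="$1"
PATCHES_DIRECTORY=$(readlink -f "$2")

[ -r "$OMNI_JA" ] || exit 1
[ -d "$PATCHES_DIRECTORY" ] || exit 2

tmpdir="$(mktemp -d)"
# Clean the scratch directory up on every exit path, including failures
# (previously it was left behind whenever set -e aborted the script).
trap 'rm -rf "${tmpdir}"' EXIT

(
    cd "${tmpdir}"

    # omni.ja is a zip with a non-standard central directory layout, so 7z
    # reports an error even when extraction succeeded; ignore its exit code...
    7z x -tzip "$OMNI_JA" || true
    # ...but do not silently carry on after a genuinely failed extraction
    # (corrupt or empty archive): require that something was unpacked.
    if [ -z "$(ls -A)" ] ; then
        echo "patch-thunderbird: nothing extracted from $OMNI_JA" >&2
        exit 3
    fi

    # Strip '#' comments from the series file; blank lines then yield no words.
    for patch in $(sed -e 's/[[:space:]]*#.*$//' "$PATCHES_DIRECTORY/series") ; do
        # Rewrite both the '---' and '+++' header paths from the comm-central
        # layout to the omni.ja layout, so patch(1) sees one unambiguous
        # target file instead of having to pick the name that happens to exist.
        #
        # -f: never prompt (stdin is the patch text itself, so an interactive
        #     question would consume it); a patch that does not apply must
        #     fail the build so the series gets refreshed.
        # --no-backup-if-mismatch: a patch applied with fuzz would otherwise
        #     leave *.orig files behind, and '7z a ... *' below would pack
        #     them into the shipped omni.ja.
        cat "$PATCHES_DIRECTORY/$patch" \
            | perl -p -E 's{^((?:---|\+\+\+) [ab])/comm/mail/components/accountcreation/content/}{$1/chrome/messenger/content/messenger/accountcreation/}' \
            | perl -p -E 's{^((?:---|\+\+\+) [ab])/comm/mailnews/}{$1/defaults/pref/}' \
            | patch -p1 -f --no-backup-if-mismatch
    done

    # Pin the mtime of the (patched) JavaScript files for reproducibility;
    # the caller normalizes the zip metadata itself afterwards.
    find . -name '*.js' -exec touch --date="@$SOURCE_DATE_EPOCH" '{}' +

    rm "$OMNI_JA"
    # -mtc=off: do not store NTFS timestamps, another source of nondeterminism.
    7z a -mtc=off -tzip "$OMNI_JA" *
)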
From bb7b4741004c367132869b56dbd62a829ac67167 Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Wed, 27 Feb 2019 09:54:59 +0100
Subject: [PATCH] Add SOCKS proxy support for account guessing.
Any configured SOCKS proxy will be used while probing servers, but
HTTP(s) proxies etc will be ignored since they are not
applicable. This solves Mozilla bug #669238:
https://bugzilla.mozilla.org/show_bug.cgi?id=669238
Refreshed-by: Cyril Brulebois <ckb@riseup.net>
Backported from TB 66 to TB 65, dropping reindentation to have a
higher chance of applying this patch successfully against further
65.x releases.
--- a/comm/mail/components/accountcreation/content/guessConfig.js
+++ b/comm/mail/components/accountcreation/content/guessConfig.js
@@ -467,9 +467,18 @@ HostDetector.prototype =
if (i == 0) // showing 50 servers at once is pointless
this.mProgressCallback(thisTry);
+ // This implements the nsIProtocolProxyCallback interface:
+ function ProxyResolveCallback() { }
+ ProxyResolveCallback.prototype = {
+ onProxyAvailable : function(req, uri, proxyInfo, status) {
+ // Anything but a SOCKS proxy will be unusable for the probes.
+ if (proxyInfo != null && proxyInfo.type != "socks" &&
+ proxyInfo.type != "socks4") {
+ proxyInfo = null;
+ }
thisTry.abortable = SocketUtil(
thisTry.hostname, thisTry.port, thisTry.ssl,
- thisTry.commands, TIMEOUT,
+ thisTry.commands, TIMEOUT, proxyInfo,
new SSLErrorHandler(thisTry, this._log),
function(wiredata) // result callback
{
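Review bot: onProxyAvailable ignores its `status` argument, so if proxy resolution itself fails the callback is invoked with `proxyInfo` null and the probe connects directly — in a proxy-only environment exactly the bypass this patch is meant to prevent — and the `proxyInfo = null` fallback for a non-SOCKS proxy turns that case into a direct connection too rather than a refusal. I would fail the try instead of falling back: `if (!Components.isSuccessCode(status)) { thisTry.status = kFailed; me._checkFinished(); return; }` as the first statement of the callback, using the same `kFailed`/`me._checkFinished()` pair as the error callback in the next hunk (assuming `Components` is in scope here as in other chrome code). Whether a direct probe is acceptable when the user only has an HTTP proxy is a policy decision; if it relies on a firewall in locked-down deployments, a comment saying so would help the next reader. The enclosing loop body continues into the following hunk.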
@@ -487,6 +496,21 @@ HostDetector.prototype =
thisTry.status = kFailed;
me._checkFinished();
});
+ }
+ };
+
+ var proxyService = Cc["@mozilla.org/network/protocol-proxy-service;1"]
+ .getService(Ci.nsIProtocolProxyService);
+ // Use some arbitrary scheme just because it is required...
+ var uri = Services.io.newURI("http://" + thisTry.hostname, null, null);
+ // ... we'll ignore it any way. We prefer SOCKS since that's the
+ // only thing we can use for email protocols.
+ var proxyFlags = Ci.nsIProtocolProxyService.RESOLVE_IGNORE_URI_SCHEME |
+ Ci.nsIProtocolProxyService.RESOLVE_PREFER_SOCKS_PROXY;
+ if (Services.prefs.getBoolPref("network.proxy.socks_remote_dns")) {
+ proxyFlags |= Ci.nsIProtocolProxyService.RESOLVE_ALWAYS_TUNNEL;
+ }
+ proxyService.asyncResolve(uri, proxyFlags, new ProxyResolveCallback());
thisTry.status = kOngoing;
}
},
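Review bot: The nsICancelable returned by `proxyService.asyncResolve(...)` is discarded and `thisTry.abortable` is only assigned inside the callback, so a cancel issued while resolution is pending has nothing to abort and the probe is still started when the callback later fires (assuming cancellation works by calling `.cancel()` on each try's abortable, as the abort plumbing outside this hunk suggests). Consider `thisTry.abortable = proxyService.asyncResolve(uri, proxyFlags, new ProxyResolveCallback());` so the pending resolve can be cancelled, and `if (me._cancel) return;` at the top of onProxyAvailable, mirroring the `this._cancel` check at the start of this method. nsICancelable.cancel() takes an nsresult, so check what the existing abort path passes. The enclosing method starts before this hunk.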
@@ -1019,13 +1043,14 @@ SSLErrorHandler.prototype =
* @param commands {Array of String}: protocol commands
* to send to the server.
* @param timeout {Integer} seconds to wait for a server response, then cancel.
+ * @param proxy {nsIProxyInfo} The proxy to use (or null to not use any).
* @param sslErrorHandler {SSLErrorHandler}
* @param resultCallback {function(wiredata)} This function will
* be called with the result string array from the server
* or null if no communication occurred.
* @param errorCallback {function(e)}
*/
-function SocketUtil(hostname, port, ssl, commands, timeout,
+function SocketUtil(hostname, port, ssl, commands, timeout, proxy,
sslErrorHandler, resultCallback, errorCallback)
{
assert(commands && commands.length, "need commands");
@@ -1064,7 +1089,7 @@ function SocketUtil(hostname, port, ssl,
var socketTypeName = ssl == SSL ? "ssl" : (ssl == TLS ? "starttls" : null);
var transport = transportService.createTransport([socketTypeName],
ssl == NONE ? 0 : 1,
- hostname, port, null);
+ hostname, port, proxy);
transport.setTimeout(Ci.nsISocketTransport.TIMEOUT_CONNECT, timeout);
transport.setTimeout(Ci.nsISocketTransport.TIMEOUT_READ_WRITE, timeout);
From b0ca355e118dd7d4bf147550fbce8ddd23140c8e Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Wed, 27 Feb 2019 09:44:54 +0100
Subject: [PATCH] Add comment for pref.
All other prefs in this section have comments, so not commenting this
one may even be confusing ("does the comment for
fetchFromExchange.enable also apply to guess.enabled?").
---
comm/mailnews/mailnews.js | 3 +++
1 file changed, 3 insertions(+)
--- a/comm/mailnews/mailnews.js
+++ b/comm/mailnews/mailnews.js
@@ -908,6 +908,9 @@ pref("mailnews.auto_config.fetchFromISP.
// This also sends the email address and password to the server,
// which the protocol unfortunately requires in practice.
pref("mailnews.auto_config.fetchFromExchange.enabled", true);
+// Whether we will attempt to guess the account configuration based on
+// protocol default ports and common domain practices
+// (e.g. {mail,pop,imap,smtp}.<email-domain>).
pref("mailnews.auto_config.guess.enabled", true);
// Work around bug 1454325 by disabling mimetype mungling in XmlHttpRequest
pref("dom.xhr.standard_content_type_normalization", false);
From c143a7e31885968afa1488f0a103676a84fa183f Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Wed, 27 Feb 2019 10:44:24 +0100
Subject: [PATCH] Add pref for setting the autoconfiguration guess timeout.
The static 10 seconds is not enough for Tor users (delay spikes of 10
seconds are not uncommon), so let's make it possible for the TorBirdy
extension to override this timeout.
---
comm/mail/components/accountcreation/content/guessConfig.js | 5 ++---
comm/mailnews/mailnews.js | 2 ++
2 files changed, 4 insertions(+), 3 deletions(-)
--- a/comm/mail/components/accountcreation/content/guessConfig.js
+++ b/comm/mail/components/accountcreation/content/guessConfig.js
@@ -6,8 +6,6 @@
ChromeUtils.import("resource:///modules/gloda/log4moz.js");
ChromeUtils.import("resource://gre/modules/Services.jsm");
-var TIMEOUT = 10; // in seconds
-
// This is a bit ugly - we set outgoingDone to false
// when emailWizard.js cancels the outgoing probe because the user picked
// an outoing server. It does this by poking the probeAbortable object,
@@ -456,6 +454,7 @@ HostDetector.prototype =
if (this._cancel)
return;
var me = this;
+ var timeout = Services.prefs.getIntPref("mailnews.auto_config.guess.timeout");
for (let i = 0; i < this._hostsToTry.length; i++)
{
let thisTry = this._hostsToTry[i]; // {HostTry}
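Review bot: The value read from `mailnews.auto_config.guess.timeout` is handed straight to SocketUtil and on to nsISocketTransport.setTimeout with no validation, so a zero or negative pref value (a typo in user.js, or an extension setting it) produces a probe that cannot succeed — or, depending on how the transport treats 0, one that never times out — with nothing in the log to explain it. I would clamp it and say so: `if (!(timeout > 0)) { this._log.warn("invalid mailnews.auto_config.guess.timeout, using 10s"); timeout = 10; }`. getIntPref also throws if the pref is absent, which the default added to mailnews.js in this patch covers only for builds that ship that file. The enclosing method starts before this hunk.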
@@ -478,7 +477,7 @@ HostDetector.prototype =
}
thisTry.abortable = SocketUtil(
thisTry.hostname, thisTry.port, thisTry.ssl,
- thisTry.commands, TIMEOUT, proxyInfo,
+ thisTry.commands, timeout, proxyInfo,
new SSLErrorHandler(thisTry, this._log),
function(wiredata) // result callback
{
--- a/comm/mailnews/mailnews.js
+++ b/comm/mailnews/mailnews.js
@@ -918,6 +918,8 @@ pref("mailnews.auto_config.ssl_only_conf
// protocol default ports and common domain practices
// (e.g. {mail,pop,imap,smtp}.<email-domain>).
pref("mailnews.auto_config.guess.enabled", true);
+// The timeout (in seconds) for each guess
+pref("mailnews.auto_config.guess.timeout", 10);
// Whether we allow fetched configurations using OAuth2.
pref("mailnews.auto_config.account_constraints.allow_oauth2", true);
// Work around bug 1454325 by disabling mimetype mungling in XmlHttpRequest
From 619c17e0dc3d1cbfdf3859b18c9e71ec00694f9c Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Wed, 27 Feb 2019 10:59:33 +0100
Subject: [PATCH] Add pref for whether to accept plaintext protocols during
autoconfiguration.
Let's make it possible for security-focused distributions (and
extensions like TorBirdy) to prevent insecure configurations from ever
being displayed to users; other users get a warning explaining the
consequences of accepting a non-SSL configuration.
--- a/comm/mail/components/accountcreation/content/guessConfig.js
+++ b/comm/mail/components/accountcreation/content/guessConfig.js
@@ -412,6 +412,7 @@ HostDetector.prototype =
{ "imap" : IMAP, "pop3" : POP, "smtp" : SMTP }, UNKNOWN);
if (!port)
port = UNKNOWN;
+ var ssl_only = Services.prefs.getBoolPref("mailnews.auto_config.ssl_only_mail_servers");
var ssl = ConvertSocketTypeToSSL(socketType);
this._cancel = false;
this._log.info("doing auto detect for protocol " + protocol +
@@ -435,6 +436,8 @@ HostDetector.prototype =
for (let j = 0; j < hostEntries.length; j++)
{
let hostTry = hostEntries[j]; // from getHostEntry()
+ if (ssl_only && hostTry.ssl == NONE)
+ continue;
hostTry.hostname = hostname;
hostTry.status = kNotTried;
hostTry.desc = hostTry.hostname + ":" + hostTry.port +
--- a/comm/mail/components/accountcreation/content/readFromXML.js
+++ b/comm/mail/components/accountcreation/content/readFromXML.js
@@ -29,6 +29,8 @@ function readFromXML(clientConfigXML)
}
var allow_oauth2 =
Services.prefs.getBoolPref("mailnews.auto_config.account_constraints.allow_oauth2");
+ var ssl_only =
+ Services.prefs.getBoolPref("mailnews.auto_config.ssl_only_mail_servers");
var exception;
if (typeof(clientConfigXML) != "object" ||
!("clientConfig" in clientConfigXML) ||
@@ -92,6 +94,10 @@ function readFromXML(clientConfigXML)
throw exception ? exception : "need proper <socketType> in XML";
exception = null;
+ if (ssl_only && iO.socketType == 1) {
+ continue;
+ }
+
for (let iXauth of array_or_undef(iX.$authentication))
{
try {
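Review bot: The new policy check compares `iO.socketType` against the bare literal `1`, while the sibling change in guessConfig.js compares `hostTry.ssl == NONE`; what `1` means is only recoverable from the socketType translation table above the hunk. A comment on the check, `// socketType 1 == plain (no SSL, no STARTTLS): refused when ssl_only is set`, or a shared named constant, would keep this auditable. Also, when every `<incomingServer>` is refused the loop simply runs out with `exception` already reset to null, so whatever the code after the loop throws will not tell the user the configuration was rejected for being insecure; consider recording that in `exception` (or logging it) before the `continue`. The enclosing loop starts before this hunk.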
@@ -177,6 +183,10 @@ function readFromXML(clientConfigXML)
throw exception ? exception : "need proper <socketType> in XML";
exception = null;
+ if (ssl_only && oO.socketType == 1) {
+ continue;
+ }
+
for (let oXauth of array_or_undef(oX.$authentication))
{
try {
--- a/comm/mailnews/mailnews.js
+++ b/comm/mailnews/mailnews.js
@@ -922,6 +922,12 @@ pref("mailnews.auto_config.guess.enabled
pref("mailnews.auto_config.guess.timeout", 10);
// Whether we allow fetched configurations using OAuth2.
pref("mailnews.auto_config.account_constraints.allow_oauth2", true);
+// Whether we allow fetched account configurations that employs
+// non-SSL/TLS protocols. With this option set, insecure
+// configurations are never presented to the user; with this option
+// unset, users picking an insecure configuration will get a warning
+// and have to opt-in.
+pref("mailnews.auto_config.ssl_only_mail_servers", false);
// Work around bug 1454325 by disabling mimetype mungling in XmlHttpRequest
pref("dom.xhr.standard_content_type_normalization", false);
From bd42ea2e3864f97608530d3f79efb8f816f2c71a Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Wed, 27 Feb 2019 10:34:33 +0100
Subject: [PATCH] Add pref for whether we accept OAuth2 during
autoconfiguration.
For many providers JavaScript is required for OAuth2 to work; with it
disabled, autoconfiguration results in a terrible UX (e.g. the web
login fails and the user has to manually alter the authentication
method). Let's provide a pref that discards OAuth2 configurations so
that extensions that disable JavaScript (like TorBirdy) can provide a
workaround.
---
.../accountcreation/content/emailWizard.js | 56 ++++++++++++----------
.../accountcreation/content/readFromXML.js | 14 ++++++
comm/mailnews/mailnews.js | 2 +
3 files changed, 46 insertions(+), 26 deletions(-)
--- a/comm/mail/components/accountcreation/content/emailWizard.js
+++ b/comm/mail/components/accountcreation/content/emailWizard.js
@@ -1210,19 +1210,21 @@ EmailConfigWizard.prototype =
}
this.fillPortDropdown(config.incoming.type);
- // If the hostname supports OAuth2 and imap is enabled, enable OAuth2.
- let iDetails = OAuth2Providers.getHostnameDetails(config.incoming.hostname);
- if (iDetails) {
- gEmailWizardLogger.info("OAuth2 details for incoming server " +
- config.incoming.hostname + " is " + iDetails);
- }
- e("in-authMethod-oauth2").hidden = !(iDetails && e("incoming_protocol").value == 1);
- if (!e("in-authMethod-oauth2").hidden) {
- config.oauthSettings = {};
- [config.oauthSettings.issuer, config.oauthSettings.scope] = iDetails;
- // oauthsettings are not stored nor changeable in the user interface, so just
- // store them in the base configuration.
- this._currentConfig.oauthSettings = config.oauthSettings;
+ if (Services.prefs.getBoolPref("mailnews.auto_config.account_constraints.allow_oauth2")) {
+ // If the hostname supports OAuth2 and imap is enabled, enable OAuth2.
+ let iDetails = OAuth2Providers.getHostnameDetails(config.incoming.hostname);
+ if (iDetails) {
+ gEmailWizardLogger.info("OAuth2 details for incoming server " +
+ config.incoming.hostname + " is " + iDetails);
+ }
+ e("in-authMethod-oauth2").hidden = !(iDetails && e("incoming_protocol").value == 1);
+ if (!e("in-authMethod-oauth2").hidden) {
+ config.oauthSettings = {};
+ [config.oauthSettings.issuer, config.oauthSettings.scope] = iDetails;
+ // oauthsettings are not stored nor changeable in the user interface, so just
+ // store them in the base configuration.
+ this._currentConfig.oauthSettings = config.oauthSettings;
+ }
}
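Review bot: When the pref is false the assignment to `e("in-authMethod-oauth2").hidden` is skipped along with everything else in the block, so the OAuth2 entry keeps whatever visibility the previous configuration left it with (visible, if the user earlier typed an address whose provider supports OAuth2) instead of being hidden, and `config.oauthSettings` is likewise never reset. Reading the pref once and folding it into the existing expression keeps the reset unconditional: `let allowOAuth2 = Services.prefs.getBoolPref("mailnews.auto_config.account_constraints.allow_oauth2");` before the block, then `e("in-authMethod-oauth2").hidden = !(allowOAuth2 && iDetails && e("incoming_protocol").value == 1);` with the `iDetails` lookup and its log line left unconditional. The enclosing method starts before this hunk.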
// outgoing server
@@ -1241,19 +1243,21 @@ EmailConfigWizard.prototype =
this.adjustOutgoingPortToSSLAndProtocol(config);
}
- // If the hostname supports OAuth2 and imap is enabled, enable OAuth2.
- let oDetails = OAuth2Providers.getHostnameDetails(config.outgoing.hostname);
- if (oDetails) {
- gEmailWizardLogger.info("OAuth2 details for outgoing server " +
- config.outgoing.hostname + " is " + oDetails);
- }
- e("out-authMethod-oauth2").hidden = !oDetails;
- if (!e("out-authMethod-oauth2").hidden) {
- config.oauthSettings = {};
- [config.oauthSettings.issuer, config.oauthSettings.scope] = oDetails;
- // oauthsettings are not stored nor changeable in the user interface, so just
- // store them in the base configuration.
- this._currentConfig.oauthSettings = config.oauthSettings;
+ if (Services.prefs.getBoolPref("mailnews.auto_config.account_constraints.allow_oauth2")) {
+ // If the hostname supports OAuth2 and imap is enabled, enable OAuth2.
+ let oDetails = OAuth2Providers.getHostnameDetails(config.outgoing.hostname);
+ if (oDetails) {
+ gEmailWizardLogger.info("OAuth2 details for outgoing server " +
+ config.outgoing.hostname + " is " + oDetails);
+ }
+ e("out-authMethod-oauth2").hidden = !oDetails;
+ if (!e("out-authMethod-oauth2").hidden) {
+ config.oauthSettings = {};
+ [config.oauthSettings.issuer, config.oauthSettings.scope] = oDetails;
+ // oauthsettings are not stored nor changeable in the user interface, so just
+ // store them in the base configuration.
+ this._currentConfig.oauthSettings = config.oauthSettings;
+ }
}
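Review bot: Same problem as on the incoming side: with the pref false, `e("out-authMethod-oauth2").hidden` is never assigned, so the entry can stay visible from an earlier configuration. `e("out-authMethod-oauth2").hidden = !(allowOAuth2 && oDetails);`, with the pref read once above both blocks, keeps the reset unconditional. While touching these lines, the copied comment "and imap is enabled" does not apply to the outgoing server and could be dropped.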
// populate fields even if existingServerKey, in case user changes back
--- a/comm/mail/components/accountcreation/content/readFromXML.js
+++ b/comm/mail/components/accountcreation/content/readFromXML.js
@@ -4,6 +4,8 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
ChromeUtils.import("resource:///modules/hostnameUtils.jsm");
+ChromeUtils.import("resource://gre/modules/Services.jsm");
+
/* eslint-disable complexity */
/**
@@ -25,6 +27,8 @@ function readFromXML(clientConfigXML)
function array_or_undef(value) {
return value === undefined ? [] : value;
}
+ var allow_oauth2 =
+ Services.prefs.getBoolPref("mailnews.auto_config.account_constraints.allow_oauth2");
var exception;
if (typeof(clientConfigXML) != "object" ||
!("clientConfig" in clientConfigXML) ||
@@ -101,6 +105,12 @@ function readFromXML(clientConfigXML)
"GSSAPI" : Ci.nsMsgAuthMethod.GSSAPI,
"NTLM" : Ci.nsMsgAuthMethod.NTLM,
"OAuth2" : Ci.nsMsgAuthMethod.OAuth2 });
+
+ if (!allow_oauth2 && iO.auth == Ci.nsMsgAuthMethod.OAuth2) {
+ iO.auth = null;
+ continue;
+ }
+
break; // take first that we support
} catch (e) { exception = e; }
}
@@ -188,6 +198,11 @@ function readFromXML(clientConfigXML)
"OAuth2" : Ci.nsMsgAuthMethod.OAuth2,
});
+ if (!allow_oauth2 && oO.auth == Ci.nsMsgAuthMethod.OAuth2) {
+ oO.auth = null;
+ continue;
+ }
+
break; // take first that we support
} catch (e) { exception = e; }
}
--- a/comm/mailnews/mailnews.js
+++ b/comm/mailnews/mailnews.js
@@ -918,6 +918,8 @@ pref("mailnews.auto_config.ssl_only_conf
// protocol default ports and common domain practices
// (e.g. {mail,pop,imap,smtp}.<email-domain>).
pref("mailnews.auto_config.guess.enabled", true);
+// Whether we allow fetched configurations using OAuth2.
+pref("mailnews.auto_config.account_constraints.allow_oauth2", true);
// Work around bug 1454325 by disabling mimetype mungling in XmlHttpRequest
pref("dom.xhr.standard_content_type_normalization", false);
From d92fb58922f0abd9f1b7f27b0506a146b49a6a98 Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Wed, 27 Feb 2019 10:14:20 +0100
Subject: [PATCH] Also fetch ISP configuration using SSL.
Now we support ISPs who only serve .well-known over SSL.
This also increases defenses against eavesdroppers somewhat (who could
snoop your username [0]), but for active attackers the "downgrade"
attack that forces plaintext is trivial: just block all SSL
traffic. So a Man-in-the-middle still gets full control over the
client configuration.
It would be reasonable to only do SSL by default, but it is not an
option in certain enterprise deployments, so instead we allow
security-focused distributions (and extensions like TorBirdy) to
control the behavior via a new boolean pref:
mailnews.auto_config.ssl_only_config_servers
When set to true ISP fetches are done using SSL only, but it defaults
to false which allows insecure fetches as well.
[0] See the mailnews.auto_config.fetchFromISP.sendEmailAddress pref.
---
.../accountcreation/content/fetchConfig.js | 32 +++++++++++-----------
comm/mailnews/mailnews.js | 13 ++++++---
2 files changed, 25 insertions(+), 20 deletions(-)
--- a/comm/mail/components/accountcreation/content/fetchConfig.js
+++ b/comm/mail/components/accountcreation/content/fetchConfig.js
@@ -65,11 +65,16 @@ function fetchConfigFromISP(domain, emai
return new Abortable();
}
- let url1 = "http://autoconfig." + sanitize.hostname(domain) +
- "/mail/config-v1.1.xml";
+ let conf1 = "autoconfig." + sanitize.hostname(domain) +
+ "/mail/config-v1.1.xml";
// .well-known/ <http://tools.ietf.org/html/draft-nottingham-site-meta-04>
- let url2 = "http://" + sanitize.hostname(domain) +
- "/.well-known/autoconfig/mail/config-v1.1.xml";
+ let conf2 = sanitize.hostname(domain) +
+ "/.well-known/autoconfig/mail/config-v1.1.xml";
+ // This list is sorted by priority
+ var urls = ["https://" + conf1, "https://" + conf2];
+ if (!Services.prefs.getBoolPref("mailnews.auto_config.ssl_only_config_servers")) {
+ urls.push("http://" + conf1, "http://" + conf2);
+ }
let callArgs = {
urlArgs: {
emailaddress: emailAddress,
@@ -85,18 +90,13 @@ function fetchConfigFromISP(domain, emai
let priority = new PriorityOrderAbortable(
xml => successCallback(readFromXML(xml)),
errorCallback);
-
- call = priority.addCall();
- fetch = new FetchHTTP(url1, callArgs,
- call.successCallback(), call.errorCallback());
- call.setAbortable(fetch);
- fetch.start();
-
- call = priority.addCall();
- fetch = new FetchHTTP(url2, callArgs,
- call.successCallback(), call.errorCallback());
- call.setAbortable(fetch);
- fetch.start();
+ for (let url of urls) {
+ call = priority.addCall();
+ fetch = new FetchHTTP(url, callArgs,
+ call.successCallback(), call.errorCallback());
+ call.setAbortable(fetch);
+ fetch.start();
+ }
return priority;
}
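Review bot: All the URLs are started back-to-back in the new loop, so with `ssl_only_config_servers` false the two plaintext `http://` requests — carrying `emailaddress` from `callArgs` whenever the sendEmailAddress pref allows it — go out at the same time as the HTTPS ones; the priority order only decides which response wins, not whether the cleartext request is sent (unless PriorityOrderAbortable serializes starts, which its use here does not suggest). The eavesdropping improvement claimed in the commit message therefore only holds when the pref is true. Starting the `http://` fetches only from the HTTPS calls' error path, or omitting `emailaddress` from the plaintext requests, would make the default actually safer; at minimum the pref comment should say the username still leaks in the default configuration.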
--- a/comm/mailnews/mailnews.js
+++ b/comm/mailnews/mailnews.js
@@ -898,16 +898,21 @@ pref("mailnews.auto_config_url", "https:
pref("mailnews.mx_service_url", "https://live.thunderbird.net/dns/mx/");
// The list of addons which can handle certain account types
pref("mailnews.auto_config.addons_url", "https://live.thunderbird.net/autoconfig/addons.json");
-// Allow to contact ISP (email address domain)
-// This happens via insecure means (HTTP), so the config cannot be trusted,
-// and also contains the email address
+// Whether to contact the ISP (email address domain).
+// This may happen via insecure means (HTTP) susceptible to eavesdropping and MitM.
pref("mailnews.auto_config.fetchFromISP.enabled", true);
-// Allow the fetch from ISP via HTTP, but not the email address
+// Whether we tell the ISP our username. Note that the username will
+// leak in plaintext if a non-SSL fetch is performed.
pref("mailnews.auto_config.fetchFromISP.sendEmailAddress", true);
// Allow the Microsoft Exchange AutoDiscover protocol.
// This also sends the email address and password to the server,
// which the protocol unfortunately requires in practice.
pref("mailnews.auto_config.fetchFromExchange.enabled", true);
+// Whether we will only allow SSL channels when fetching.
+// When false an active attacker can block non-SSL fetches and then
+// MitM the HTTP fetch, granting the attacker full control over the
+// client configuration.
+pref("mailnews.auto_config.ssl_only_config_servers", false);
// Whether we will attempt to guess the account configuration based on
// protocol default ports and common domain practices
// (e.g. {mail,pop,imap,smtp}.<email-domain>).
From 262f0bc5f69a57d9dc07e0e4ee9ff3d5528a450a Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Wed, 27 Feb 2019 10:49:36 +0100
Subject: [PATCH] Improve logging of guess instances.
The logging done in _processResult() is pretty useless since they
contain no reference to which probe they're about.
--- a/comm/mail/components/accountcreation/content/emailWizard.js
+++ b/comm/mail/components/accountcreation/content/emailWizard.js
@@ -670,8 +670,9 @@ EmailConfigWizard.prototype =
self._abortable = guessConfig(domain,
function(type, hostname, port, ssl, done, config) // progress
{
- gEmailWizardLogger.info("progress callback host " + hostname +
- " port " + port + " type " + type);
+ var msg = hostname + ":" + port + " ssl=" + ssl + " " +
+ type + ": progress callback";
+ gEmailWizardLogger.info(msg);
},
function(config) // success
{
--- a/comm/mail/components/accountcreation/content/guessConfig.js
+++ b/comm/mail/components/accountcreation/content/guessConfig.js
@@ -437,6 +437,9 @@ HostDetector.prototype =
let hostTry = hostEntries[j]; // from getHostEntry()
hostTry.hostname = hostname;
hostTry.status = kNotTried;
+ hostTry.desc = hostTry.hostname + ":" + hostTry.port +
+ " ssl=" + hostTry.ssl + " " +
+ protocolToString(hostTry.protocol);
this._hostsToTry.push(hostTry);