
Plusnet/Thunderbird SMTP security issue?

Adderman
Grafter
Posts: 36
Registered: 18-04-2008

I originally posted the following two paragraphs on the Mozilla/TBird help forum, not realising it was probably a Plusnet SMTP issue:
"I opened TB offline and opened a previously read message. I then clicked on "forward", inserted the intended recipient and clicked on the "send later" link. The message then went as normal into my local folders "unsent" folder. Fine. I then went online via the 'file' drop down menu. This prompted the pop-up "Do you want to send the messages in your Unsent Messages folder?" I pressed yes and the message was sent.
My question is that throughout this whole process at no time was I asked for my password before the message was sent. I repeated the exercise several times - no password prompt before message despatch. Surely at the point of going online I should have been automatically prompted for my password before effectively giving authority for a message to be delivered? Theoretically I could be away from my computer and someone with a little savvy could come up and simply untick the "work offline" command and end up sending one of my old messages to someone I wouldn't want to receive it? Shouldn't all initial 'go online' commands be auto password prompted, instead of just the one when I want to get new mail?"
"Another point which makes this more serious. Two friends also use Thunderbird. They didn't believe that I could use their computers and TB e-mail accounts to send myself messages without ever needing their passwords. So I logged into their TB offline, composed a fresh message in each, addressed to myself and clicked "Send later". (Just to prove a point I added a bit of abuse in the messages to myself!) And just like in my first posting, I then went into "work online" via the File drop menu, got the pop-up asking if I wanted to send, said Yes and - hey presto - two abusive messages sent and no online passwords asked for! Better still it was done using other folks' computers!
The more I think about this the more it strikes me as a potentially serious flaw..."

Doesn't this prove that Plusnet needs to address the SMTP authentication issue for Thunderbird?
3 REPLIES
Community Veteran
Posts: 6,332
Thanks: 478
Fixes: 43
Registered: 30-07-2007

Re: Plusnet/Thunderbird SMTP security issue?

I don't think it's just a Thunderbird/PlusNet issue.
Most ISPs don't require you to authenticate to their SMTP server because all they are doing is relaying the mail onwards towards its destination. They check automatically that you are sending from one of the ISP-allocated IP addresses and if so will accept mail for sending without authentication.
To collect mail via POP3 of course is different and you must authenticate each time so that it can correctly/securely identify the mail account for which you want to download the email.
PlusNet do support SMTP authorisation, which can be useful when you are away from home in that it will then allow you to send mail from a non-Plusnet IP (useful when connected to a public wireless network, for instance).
You can set Thunderbird (and other email clients) up to request SMTP authorisation, in which case it will request the password before sending the email. However, you need to note that the PlusNet SMTP server needs your primary account password for authentication, NOT any password you may have set up for individual email accounts.
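
A minimal model of the relay policy described in this reply, added here as an illustration; it is not part of the original post and not Plusnet's actual configuration. The network range is a constructed documentation address block, and `Session` and `relay_decision` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample range standing in for "ISP-allocated IP addresses"
# (198.51.100.0/24 is a documentation-only network, not a real ISP range).
ISP_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False  # True only after a successful SMTP AUTH


def relay_decision(session, require_auth=False, networks=ISP_NETWORKS):
    """Return (accepted, reason) for a relay request to an outside recipient.

    require_auth=False models the policy described in the reply above:
    trusted source IP *or* SMTP AUTH. require_auth=True models a
    submission service that insists on AUTH whatever the source address.
    """
    if session.authenticated:
        return True, "authenticated"
    if require_auth:
        return False, "authentication required"
    ip = ipaddress.ip_address(session.client_ip)
    if any(ip in net for net in networks):
        return True, "trusted source IP"
    return False, "relay denied: untrusted IP and no AUTH"


def demo():
    # Constructed sessions: one on the ISP line, two on a foreign network.
    cases = {
        "home line, no AUTH": Session("198.51.100.23"),
        "public Wi-Fi, no AUTH": Session("203.0.113.9"),
        "public Wi-Fi, AUTH": Session("203.0.113.9", authenticated=True),
    }
    return {name: relay_decision(s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24} {'accept' if ok else 'reject'}  ({reason})")
    # The same home session against an AUTH-only policy:
    print(relay_decision(Session("198.51.100.23"), require_auth=True))
```

Under the IP-trust policy the server only sees the source address, so it cannot distinguish the account holder from anyone else using a machine on that line, which is the situation in the opening post.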
Adderman
Grafter
Posts: 36
Registered: 18-04-2008

Re: Plusnet/Thunderbird SMTP security issue?

Thanks for the prompt reply ian. Sorry I couldn't match it - been away!
I didn't know that this issue applied to other ISPs as well. Seems a bit of a security loose end to me, especially given the circumstances I've described, however unlikely it is to actually happen.
However, I'm a little puzzled by the opening bit of your second paragraph when you say "Plusnet do support SMTP authorisation...". According to their Thunderbird help pages, they say "By default, Thunderbird will try to use a username and password when sending email. This is not an option that Plusnet supports so we need to turn this off".
Can you explain what you mean by "primary account password" ian? I only have one T/Bird account which uses the same p/w I enter for my Plusnet broadband dial up. So if I configure this in SMTP settings will it be asked for when I want to send email?
Thanks again
Adderman
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Plusnet/Thunderbird SMTP security issue?

Quote
PlusNet do support SMTP authorisation, which can be useful when you are away from home in that it will then allow you to send mail from a non Plusnet IP ( useful when connected to a public wireless network for instance ),

I get a bit confused at times. This year I have been to Cornwall, used the pub's WiFi; Oban, used the centre's WiFi; then Cardigan, used the hotel's WiFi. I just used my Eeepc with Thunderbird and IMAP, standard set up, same as I use at home, no problem with receiving or transmitting. I only have two of my mailboxes set up to send, but receive 7 mailboxes. What am I doing wrong, as obviously I was not using a PN IP?