Red Hat Bugzilla – Bug 1477744
Emacs movemail POP is insecure
Last modified: 2017-08-04 04:47:26 EDT
Description of problem:
The program /usr/libexec/emacs/25.2/*/movemail, shipped as part of Emacs in Fedora 26, supports only insecure (plaintext) POP. This is an obvious security problem.
Version-Release number of selected component (if applicable):
Use Emacs to read your mail via POP. Your email will go over the network in the clear. Emacs movemail does not support encrypted transfer.
GNU Emacs 26 and later will address this issue by using GNU Mailutils if so configured. I suggest configuring Emacs 26 with './configure --with-mailutils', and installing GNU Mailutils as a prerequisite for Emacs.
Emacs 26 hasn't been released yet. Also, more importantly, GNU Mailutils is not packaged for Fedora.
(In reply to Jan Synacek from comment #1)
> Emacs 26 hasn't been released yet. Also, more importantly, GNU Mailutils is
> not packaged for Fedora.
Both of these things are true, and that is why I suggested configuring --with-mailutils as a long-term fix.
The security hole is an immediate problem, though. I suggest configuring Emacs --without-pop right away: this should close the hole for all versions of Emacs being shipped by Fedora. The downside is that this withdraws POP3 support from Emacs, but the support is inherently insecure in a big way (plaintext email transfer!) and should not be used.
Well, I can do that, but that would also be a regression. I don't consider this too much of a problem, because if someone uses Emacs to retrieve email over POP, they surely know what they are doing.
(In reply to Jan Synacek from comment #3)
> if someone uses Emacs to retrieve email
> over POP, they surely know what they are doing.
I'm afraid not. Emacs users typically do not know that POP3 mail retrieval works only in unencrypted mode and is inherently insecure. For example, this security problem is not specifically mentioned in:
which are among the first places that users are likely to look.
Even expert users are likely to be tripped up by this. Although I've been using Emacs since the 1980s, it came as a surprise to me that POP3 email retrieval does not support encryption. I thought that it just worked (as it works in virtually every other email client).
You're right that configuring --without-pop would be a regression. However, it's a regression that is called for in this particular case.