http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1558

"The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail."

According to upstream, fixed in 2.9.1.
http://www.claws-mail.org/news.php

Thanks for reporting. Fixed and pushed.
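
An added example, not part of the original report and not Claws Mail's code: a client-side check that refuses to compute an APOP digest unless the server's timestamp is a well-formed msg-id, since the issue quoted above depends on crafted message IDs. The function names and the strict ASCII-only pattern are assumptions of this example; the greeting, user and secret in the demo are the example values from RFC 1939.

```python
import hashlib
import re

# Assumption of this example: accept only <local@domain> made of printable
# ASCII (0x21-0x7E) with no extra '<', '>' or '@'. RFC 1939 itself only
# says the timestamp has the syntax of an RFC 822 msg-id.
_MSG_ID = re.compile(r"<[!-;=?A-~]+@[!-;=?A-~]+>")


def parse_apop_challenge(greeting: bytes) -> str:
    """Return the APOP timestamp from a POP3 greeting or raise ValueError."""
    if not greeting.startswith(b"+OK"):
        raise ValueError("not a positive POP3 greeting")
    try:
        text = greeting.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in greeting") from None
    start = text.find("<")
    if start == -1:
        raise ValueError("greeting carries no APOP timestamp")
    challenge = text[start:]  # must run to end of line, nothing after '>'
    if not _MSG_ID.fullmatch(challenge):
        raise ValueError("APOP timestamp is not a well-formed msg-id")
    return challenge


def apop_digest(challenge: str, secret: str) -> str:
    """RFC 1939: lowercase hex MD5 of the timestamp followed by the secret."""
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()


def apop_command(user: str, greeting: bytes, secret: str) -> str:
    """Build the APOP line only after the server's challenge validates."""
    return f"APOP {user} {apop_digest(parse_apop_challenge(greeting), secret)}"


if __name__ == "__main__":
    # Greeting, user and secret are the example values from RFC 1939.
    ok = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
    print(apop_command("mrose", ok, "tanstaaf"))
    # Constructed malformed greetings: raw high bytes, two bracketed parts.
    for bad in (b"+OK ready <1896.\xe9\x80@example.test>\r\n",
                b"+OK ready <a@example.test><b@example.test>\r\n"):
        try:
            apop_command("mrose", bad, "tanstaaf")
        except ValueError as err:
            print("refused:", err)
```

Validation narrows what a server or man-in-the-middle can place in the challenge; it does not remove APOP's dependence on MD5.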