diff --git a/FAQ.md b/FAQ.md
index adad2f1d87..79f63357ad 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -104,7 +104,7 @@ FairEmail follows all the best practices for an email client as decribed in [thi
* [(1) Which permissions are needed and why?](#user-content-faq1)
* [(2) Why is there a permanent notification shown?](#user-content-faq2)
* [(3) What are operations and why are they pending?](#user-content-faq3)
-* [(4) How can I use an invalid security certificate / IMAP STARTTLS / an empty password?](#user-content-faq4)
+* [(4) How can I use an invalid security certificate / empty password / plain text connection?](#user-content-faq4)
* [(5) How can I customize the message view?](#user-content-faq5)
* [(6) How can I login to Gmail / G suite?](#user-content-faq6)
* [(7) Why are sent messages not appearing (directly) in the sent folder?](#user-content-faq7)
@@ -345,24 +345,29 @@ See also [this FAQ](#user-content-faq16).
-**(4) How can I use an invalid security certificate / IMAP STARTTLS / an empty password?**
+**(4) How can I use an invalid security certificate / empty password / plain text connection?**
-Invalid security certificate (*Can't verify identity of server*): you should try to fix this by contacting your provider or by getting a valid security certificate
+*Invalid security certificate* (Can't verify identity of server)
+
+You should try to fix this by contacting your provider or by getting a valid security certificate
because invalid security certificates are insecure and allow [man-in-the-middle attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
If money is an obstacle, you can get free security certificates from [Let’s Encrypt](https://letsencrypt.org).
Note that older Android versions might not recognize newer certification authorities like Let’s Encrypt causing connections to be considered insecure,
see also [here](https://developer.android.com/training/articles/security-ssl).
-IMAP STARTTLS: the EFF [writes](https://www.eff.org/nl/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery):
-"*Additionally, even if you configure STARTTLS perfectly and use a valid certificate, there’s still no guarantee your communication will be encrypted.*"
+*Empty password*
-Empty password: your username is likely easily guessed, so this is very insecure.
+Your username is likely easily guessed, so this is insecure.
-If you still want to use an invalid security certificate, IMAP STARTTLS or an empty password,
+*Plain text connection*
+
+Your username and password and all messages will be sent and received unencrypted, which is **very insecure**
+because a [man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) is very simple on an unecrypted connection.
+
+If you still want to use an invalid security certificate, an empty password or a plain text connection
you'll need to enable insecure connections in the account and/or identity settings.
-
-Connections without encryption (either SSL or STARTTLS) are not supported because this is very insecure.
+STARTTLS should be selected for plain text connections.
@@ -1077,7 +1082,7 @@ The following information is needed:
```
// this is not needed
+
```
The EFF [writes](https://www.eff.org/nl/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery):
diff --git a/app/src/main/java/eu/faircode/email/MailService.java b/app/src/main/java/eu/faircode/email/MailService.java
index c90faa8d81..e8b7cbcf28 100644
--- a/app/src/main/java/eu/faircode/email/MailService.java
+++ b/app/src/main/java/eu/faircode/email/MailService.java
@@ -18,7 +18,6 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
-import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ExecutorService;
@@ -61,6 +60,7 @@ public class MailService implements AutoCloseable {
this.context = context.getApplicationContext();
this.protocol = protocol;
this.debug = debug;
+
properties = MessageHelper.getSessionProperties();
properties.put("mail.event.scope", "folder");
@@ -69,19 +69,20 @@ public class MailService implements AutoCloseable {
properties.put("mail." + protocol + ".sasl.realm", realm == null ? "" : realm);
properties.put("mail." + protocol + ".auth.ntlm.domain", realm == null ? "" : realm);
- String checkserveridentity = Boolean.toString(!insecure).toLowerCase(Locale.ROOT);
+ if (debug && BuildConfig.DEBUG)
+ properties.put("mail.debug.auth", "true");
if ("pop3".equals(protocol) || "pop3s".equals(protocol)) {
this.debug = true;
// https://javaee.github.io/javamail/docs/api/com/sun/mail/pop3/package-summary.html#properties
- properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity);
+ properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.pop3s.starttls.enable", "false");
properties.put("mail.pop3.starttls.enable", "true");
- properties.put("mail.pop3.starttls.required", "true");
+ properties.put("mail.pop3.starttls.required", Boolean.toString(!insecure));
// TODO: make timeouts configurable?
properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT));
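Review bot: Setting `mail.pop3.starttls.required` to `Boolean.toString(!insecure)` (and likewise `mail.imap.starttls.required` and `mail.smtp.starttls.required` in the two following hunks) means that with `insecure` set, a server that does not advertise STARTTLS, or an on-path party that suppresses that capability, yields a plain-text session carrying the credentials, indistinguishable to the user from an upgraded one. The FAQ hunk presents this as the intended "plain text connection" mode, so the code should say so next to the three `starttls.required` lines: `// insecure: STARTTLS is attempted but not required, so the session may silently fall back to plain text`. If the mail library exposes whether TLS was actually negotiated after connect, surfacing that to the user would be a better signal than the settings checkbox alone. Separately, `mail.debug.auth` makes JavaMail include authentication commands, including the password, in its debug output; the `BuildConfig.DEBUG` gate keeps that out of release builds, and a comment such as `// logs credentials; debug builds only` would protect the gate from being loosened later. The enclosing constructor (inferred from the `this.` assignments) starts before this hunk and continues after it.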
@@ -90,13 +91,13 @@ public class MailService implements AutoCloseable {
} else if ("imap".equals(protocol) || "imaps".equals(protocol)) {
// https://javaee.github.io/javamail/docs/api/com/sun/mail/imap/package-summary.html#properties
- properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity);
+ properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.imaps.starttls.enable", "false");
properties.put("mail.imap.starttls.enable", "true");
- properties.put("mail.imap.starttls.required", "true");
+ properties.put("mail.imap.starttls.required", Boolean.toString(!insecure));
// TODO: make timeouts configurable?
properties.put("mail." + protocol + ".connectiontimeout", Integer.toString(CONNECT_TIMEOUT));
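Review bot: `Boolean.toString(!insecure)` is now spelled out inline six times across the pop3 hunk above, this hunk and the smtp hunk below, where the removed `checkserveridentity` local used to hold the value once. Reintroducing a single local before the protocol branches, `String strict = Boolean.toString(!insecure);`, and using it for both `ssl.checkserveridentity` and `starttls.required` keeps the two settings visibly tied to the same flag and makes a future change to the policy a one-line edit. Dropping the `.toLowerCase(Locale.ROOT)` call is harmless since `Boolean.toString` already returns the lowercase `true`/`false` that these properties expect. The enclosing constructor starts before and continues after this hunk.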
@@ -122,13 +123,13 @@ public class MailService implements AutoCloseable {
} else if ("smtp".equals(protocol) || "smtps".equals(protocol)) {
// https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html#properties
- properties.put("mail." + protocol + ".ssl.checkserveridentity", checkserveridentity);
+ properties.put("mail." + protocol + ".ssl.checkserveridentity", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".ssl.trust", "*");
properties.put("mail.smtps.starttls.enable", "false");
properties.put("mail.smtp.starttls.enable", "true");
- properties.put("mail.smtp.starttls.required", "true");
+ properties.put("mail.smtp.starttls.required", Boolean.toString(!insecure));
properties.put("mail." + protocol + ".auth", "true");
diff --git a/app/src/main/res/layout/fragment_account.xml b/app/src/main/res/layout/fragment_account.xml
index 53647cd0d2..c47d5752a3 100644
--- a/app/src/main/res/layout/fragment_account.xml
+++ b/app/src/main/res/layout/fragment_account.xml
@@ -171,6 +171,17 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/rgEncryption" />
+
+
+ app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
+ tvImap,tvActiveSyncSupport,tvHost,etHost,rgEncryption,cbInsecure,tvInsecureRemark,tvPort,etPort" />
+
+
+ app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
+
+
+ app:layout_constraintTop_toBottomOf="@id/tvInsecureRemark" />
SSL/TLS
STARTTLS
Allow insecure connections
+ Insecure connections should only be allowed on trusted networks and never on public networks
Port number
User name
Password