Icedove



Because the Torbutton extension installed in amnesia is incompatible with Icedove (Thunderbird), the real IP address of the computer is disclosed to the SMTP relay that is used to send email.


When using Icedove to send email, the computer's real IP address is disclosed to the SMTP relay, which usually writes it down to a Received: header inside outgoing email. This private information is therefore disclosed to:

  • the SMTP relay's administrators;
  • anyone who is able to read such a sent email, including: anyone the email is sent to, various network and email servers administrators.

When using a NAT-ed Internet connection, the disclosed IP is a local network one (e.g. 192.168.1.42), which usually does not reveal too much. On the other hand, when connecting directly to the Internet, e.g. using a PPP or DSL modem and no router, the disclosed IP truly reveals the location of the amnesia user.
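A check for this leak on a test message sent to yourself, as an added example that is not part of the original advisory: it reads the oldest Received: header and reports whether the mail client announced an address literal, and whether that address is a LAN one or a routable one. The header layout (`from <announced name> (<host seen by the relay>)`), the constructed sample messages and the names `helo_literal_leak` and `build_sample` are assumptions made for illustration.

```python
import email
import ipaddress
import re

# Ranges treated as "local": RFC 1918, loopback, IPv6 ULA and link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

# Address literal announced by the client, e.g. "from [192.168.1.42] (...)".
# Assumed layout: announced name first, relay-observed host in parentheses.
HELO_LITERAL = re.compile(r"from\s+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def build_sample(announced):
    """Constructed message as a recipient would store it (two relay hops)."""
    return (
        "Received: from mx.relay.example (mx.relay.example [203.0.113.7])\n"
        "\tby inbox.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:05 +0000\n"
        f"Received: from {announced} (exit.example [203.0.113.99])\n"
        "\tby smtp.relay.example with ESMTPSA; Mon, 1 Jan 2024 10:00:00 +0000\n"
        "From: alice@sender.example\nTo: bob@recipient.example\n"
        "Subject: test\n\nbody\n")

def helo_literal_leak(raw_message):
    """Return (ip, scope) if the oldest Received header carries an address
    literal announced by the mail client, else None."""
    msg = email.message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    # Each relay prepends its header, so the last one is closest to the client.
    oldest = " ".join(hops[-1].split())  # unfold continuation lines
    m = HELO_LITERAL.match(oldest)
    if not m:
        return None  # client announced a name, not an address
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # bracketed token that is not an IP address
    scope = "local" if any(ip in net for net in LOCAL_NETS) else "routable"
    return str(ip), scope

if __name__ == "__main__":
    # 203.0.113.50 is a documentation address standing in for a public one.
    for announced in ("[192.168.1.42]", "[203.0.113.50]", "localhost"):
        print(announced, "->", helo_literal_leak(build_sample(announced)))
```

A "routable" result corresponds to the direct PPP or DSL case described above; a "local" result corresponds to the NAT-ed case.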

Upgrade to amnesia 0.4.1, which ships with Claws Mail instead of Icedove, and set the following preferences in ~/.claws-mail/accountrc for every account:

See #6119 for details.

It is best to avoid using Icedove (Thunderbird) in amnesia until fixed images are released. If that is not possible:

  • Use amnesia behind a NAT-ed Internet connection, inside a LAN that uses widespread IP addresses.
  • Use a trustworthy, privacy-friendly SMTP relay that does not write down the client's IP address anywhere, especially in email headers.

Note that using GnuPG does not fix this problem at all: GnuPG only encrypts the email body, and the email headers are always kept in clear.


Any amnesia release until, and including, 0.3. amnesia 0.4 is not affected.