2

I'm trying to poll a gmail account in C# code. I am using the Mailkit libraries (https://github.com/jstedfast/MailKit). I can connect successfully when I tell the client to use SSL:

using (var client = new ImapClient ()) 
{
    client.Connect ("imap.friends.com", 993, true);
    client.Authenticate ("joey", "password");
    client.Disconnect (true);
}

But it's my understanding (possibly wrong) that SSL is insecure and we shouldn't be using it. So I'm trying to force a TLS connection:

using (var client = new ImapClient ()) 
{
    client.Connect ("imap.friends.com", 993, SecureSocketOptions.StartTls);
    client.Authenticate ("joey", "password");
    client.Disconnect (true);
}

But this errors on the client.connect line:

Message: The IMAP Server has unexpectedly disconnected
Stack Trace: 
   at MailKit.Net.Imap.ImapStream.<ReadAheadAsync>d__54.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at MailKit.Net.Imap.ImapStream.<ReadTokenAsync>d__69.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at MailKit.Net.Imap.ImapEngine.<ConnectAsync>d__140.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at MailKit.Net.Imap.ImapClient.<ConnectAsync>d__81.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at MailKit.Net.Imap.ImapClient.Connect(String host, Int32 port, SecureSocketOptions options, CancellationToken cancellationToken)

I'm running with the protocol logger, but that's not telling me much, it holds only 1 line:

Connected to imap://imap.gmail.com:993/?starttls=always

So I guess my questions are:

1) Should I be worried about using insecure SSL 3.0 to access gmail? I find it hard to believe that they are forcing me to use a deprecated security protocol.

2) If so, how can I force a TLS connection, so I can keep SSL3.0 turned off for clients on my application server?

piet.t
  • 11,718
  • 21
  • 43
  • 52
Chris Thwaites
  • 21
  • 1
  • 4
  • TLS on Imap is not required. On SMTP, it can be useful to issue a STARTTLS command before transferring data, to ensure that no coms are passed in plain text. Read something about it here: [Google Developers](https://developers.google.com/gmail/imap/imap-smtp). – Jimi Oct 04 '18 at 09:27

1 Answers1

3

MailKit has 2 different ways of doing SSL/TLS:

  1. Use SSL/TLS immediately upon connecting to the remote server
  2. Use the STARTTLS command to toggle into SSL/TLS mode after connecting and reading the greeting to check if the server supports it

You are trying to use the second mode but you are connecting to a port (993) which requires the first mode.

Which version of SSL vs TLS gets used with either of these modes is entirely dependent upon what the server supports (actually, technically, MailKit doesn't support any version of SSL by default, it only supports TLSv1.0, TLSv1.1, and TLSv1.2 - I removed SSLv3 by default a few years ago).

The way that you can change the supported SSL and/or TLS versions that you'd like to limit MailKit to can be done by setting the client.SslProtocols property.

jstedfast
  • 35,744
  • 5
  • 97
  • 110