Alan:
> Hi everybody,
>
> During Tails release process we test various aspects the candidate ISO:
> https://tails.boum.org/contribute/release_process/test/
>
> For claws mail, one of these tests is:
>
> * Check that the profile works and is torified (specifically the
> EHLO/HELO SMTP messages it sends):
>
> 1. Send an email using Claws and a non-anonymizing SMTP relay.
> 2. Then check that email's headers once received, especially the
> Received: and Message-ID: ones.
>
> But the next one is:
>
> * Also check that the EHLO/HELO SMTP message is not leaking anything
> with a packet sniffer:
> 1. start Claws using the panel icon.
> 1. Disable SSL/TLS for SMTP in Claws (so take precautions for not
> leaking your password in plaintext by either changing it
> temporarily or using a disposable account).
> 2. Run `sudo tcpdump -n -i lo -w dump` to capture the packets
> before Tor encrypts it, then close tcpdump, and check the dump
> for the HELO/EHLO message and verify that it only contains
> `localhost`.
>
> I don't see what the first of these tests would check that is not also
> checked by the second. In addition, it's not easy to access a
> "non-anonymizing SMTP relay" through Tor.
>
> I suggest we remove the 1st of these tests. What do you think?
I agree with your proposal. Furthermore, "non-anonymizing SMTP relay" is
badly defined.
--
sajolida
