CVE-2021-38373: 
NixOS vulnerability analysis and mitigation

In KDE KMail 19.12.3 (aka 5.13.3), a security vulnerability was identified where the SMTP STARTTLS option is not honored, and cleartext messages are sent unless the 'Server requires authentication' option is checked in the user interface (KDE Bug, NVD). This vulnerability was assigned CVE-2021-38373 and was discovered in June 2020.

The vulnerability stems from a design flaw in the STARTTLS implementation where the encryption upgrade mechanism is bypassed when authentication is not required. The issue has a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information) (NVD).

When exploited, this vulnerability results in email messages being transmitted in cleartext, potentially exposing sensitive information to network observers. This creates a significant privacy risk as emails intended to be encrypted are sent without any encryption protection (NoStartTLS).

The issue was addressed in later versions of KMail. Users should either ensure the 'Server requires authentication' option is enabled or upgrade to a patched version. As a general recommendation, users should configure their email clients to use implicit TLS on dedicated ports (SMTP/Submission on port 465) rather than relying on STARTTLS (NoStartTLS).