Comment 1 for bug 1401064

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

I wouldn't be surprised if upstream decides this isn't a security flaw: they need access to the plaintext password to do their task. If it were encrypted, it would need to be encrypted with a passphrase that would require prompting the user. At that point you may as well just prompt the user for their mail server passwords directly. They could also use the keychain but I believe those are also available unencrypted for all processes to use when they are unlocked, so the keychain may actually be less secure than just putting the passwords into a mode 0600 file.

If the permissions on the file and all containing directories are too permissive, that might be a reasonable security issue, and one that's easy enough to address.

Thanks