Bug 201252 - net-mail/cyrus-imapd-2.2.x utilities fail under circumstances because of lacking TLS support
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High major
Assignee: Tobias Scherbaum (RETIRED)
Reported: 2007-12-04 18:21 UTC by Rumi Szabolcs
Modified: 2008-02-03 00:40 UTC

Description Rumi Szabolcs 2007-12-04 18:21:42 UTC
cyradm and sieveshell fail to connect when TLS is enforced by the
imapd or timsieved, respectively.

Reproducible: Always

Actual Results:  
I've got a cyrus-imapd-2.2.x installation which used sasldb authentication
with CRAM-MD5/DIGEST-MD5 mechanisms until recently but now I have switched
the site to pam_ldap authentication (saslauthd -a pam for cyrus). Because
pam only supports the LOGIN and PLAIN mechanisms I had to enforce TLS usage
to keep the passwords traveling securely. Since then neither cyradm nor
sieveshell is able to connect to the server.

cyradm returns a (more or less) meaningful error message: 
# cyradm --user cyrus --auth login localhost
IMAP Password: 
Login only available under a layer at /usr/lib/perl5/site_perl/5.8.8/i686-linux-thread-multi/Cyrus/IMAP/Admin.pm line 119
cyradm: cannot authenticate to server with login as cyrus

sieveshell only reports:
unable to connect to server at /usr/bin/sieveshell line 169.

while in the syslog only this can be seen:
Dec  4 19:01:49 rocks master[9147]: about to exec /usr/lib/cyrus/timsieved
Dec  4 19:01:49 rocks sieve[9147]: executed
Dec  4 19:01:49 rocks sieve[9147]: accepted connection
Dec  4 19:01:49 rocks master[19900]: process 9147 exited, status 0




What I could find out so far is that the problem is also known upstream:

https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2036
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2060

Apparently cyradm TLS support has been committed to 2.3 (I didn't verify that).
Sieveshell TLS support still seems to be lacking although a preliminary patch
has been attached to the upstream bug report above.

It would be great if somebody with a clue could backport the cyradm TLS patch
to the 2.2.x branch (or mark 2.3 as stable?) and also review the sieveshell
patch above and add it to the ebuild until upstream realizes that this is
important...
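
Added example, not part of the original report and not Cyrus code: a Python check for the server side of the setup described above, confirming that PLAIN/LOGIN are advertised only after STARTTLS on IMAP and on ManageSieve. The capability lines are constructed samples and all function names are hypothetical.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send the password itself

def imap_caps(line):
    """Capability atoms from '* CAPABILITY ...' or '* OK [CAPABILITY ...] ...'."""
    m = re.search(r"CAPABILITY ([^\]\r\n]*)", line, re.I)
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def imap_mechs(caps):
    return {c[5:] for c in caps if c.startswith("AUTH=")}

def sieve_caps(lines):
    """ManageSieve lines such as '"SASL" "PLAIN LOGIN"' as a dict."""
    caps = {}
    for line in lines:
        parts = re.findall(r'"([^"]*)"', line)
        if parts:
            caps[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return caps

def audit_imap(pre_tls, post_tls):
    """Findings for an imapd that should require TLS for PLAIN/LOGIN."""
    pre, post = imap_caps(pre_tls), imap_caps(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    if "LOGINDISABLED" not in pre:
        findings.append("LOGIN command accepted in cleartext")
    for mech in sorted(imap_mechs(pre) & PLAINTEXT_MECHS):
        findings.append(f"AUTH={mech} offered in cleartext")
    if not (imap_mechs(post) & PLAINTEXT_MECHS):
        findings.append("no PLAIN/LOGIN after TLS: saslauthd/PAM logins impossible")
    return findings

def audit_sieve(pre_tls_lines):
    caps = sieve_caps(pre_tls_lines)
    findings = [] if "STARTTLS" in caps else ["STARTTLS not offered"]
    for mech in sorted(set(caps.get("SASL", "").upper().split()) & PLAINTEXT_MECHS):
        findings.append(f"SASL {mech} offered in cleartext")
    return findings

# Constructed sample responses (not captured from the reporter's server).
ENFORCED_PRE = "* CAPABILITY IMAP4 IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5"
ENFORCED_POST = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
WEAK_PRE = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] server ready"
SIEVE_WEAK = ['"IMPLEMENTATION" "example"', '"SASL" "PLAIN LOGIN"', '"STARTTLS"']

if __name__ == "__main__":
    print(audit_imap(WEAK_PRE, ENFORCED_POST), audit_sieve(SIEVE_WEAK))
```

An empty result for the pre-TLS and post-TLS pair means the server behaves as the reporter intended; a client without STARTTLS support then fails exactly as cyradm and sieveshell do here.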
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-09 17:23:45 UTC
cyrus-2.3 will be marked stable within the next month or so; for sieveshell TLS support it might be worth discussing this on the cyrus-devel mailing list. The patch added to the upstream bug report doesn't apply to a current cyrus-source (nothing unexpected as the attached patch is already more than 4 years old ...).

Closing this as UPSTREAM.
Comment 2 Rumi Szabolcs 2008-02-03 00:40:44 UTC
cyrus-imapd-2.3.x has really brought TLS support for cyradm.

But for sieveshell, lack of support remained. As can be
seen in the cyrus bugzilla entry, sieveshell TLS support
has been missing since 2003 and nobody seemed to care
although 5 years have passed...

But a guy apparently took the time and wrote a sieveshell
equivalent (from scratch as it seems) which even looks more
solid at first glance than the original sieveshell and also
has TLS support built in; it's called sieve-connect:

http://people.spodhuis.org/phil.pennock/software/

This thing wasn't trivial to find...
I'd suggest somebody should maybe create an ebuild from it and make
net-mail/cyrus-imap-admin depend on that when USE="ssl" or maybe
at the very least it could be mentioned by einfo when cyrus-imap-admin
gets installed that sieveshell is not going to support TLS but there
is a replacement.