I did an upgrade from courier 3.0.2 to 3.0.5 and found my non-secure IMAP mail client unable to sign in. Doing a telnet localhost 143 revealed this:

  * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=PLAIN IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED XMAGICTRASH] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.

Note the STARTTLS. That option is not enabled in /etc/courier-imap/imapd but it is in /etc/courier-imap/imapd-ssl. My make.conf has the following USE line:

  USE="ssl -ipv6 ldap -mysql -X -kde -gnome imap maildir -gtk sasl -qt libwww -mbox cups foomaticdb ppds"

I believe the problem lies in the file /usr/lib/courier-imap/gentoo-imapd.rc. Commenting out lines 22 and 23 resolved my problem.

Reproducible: Always

Steps to Reproduce:
1. Uncomment lines 22 and 23 in /usr/lib/courier-imap/gentoo-imapd.rc
2. Restart courier imap

Actual Results: normal imap server now demands STARTTLS

Expected Results: separate TLS settings between imap and imap-ssl

Portage 2.0.50-r9 (default-x86-1.4, gcc-3.3.3, glibc-2.3.3.20040420-r1, 2.6.7-gentoo-r6)
=================================================================
System uname: 2.6.7-gentoo-r6 i686 Pentium III (Coppermine)
Gentoo Base System version 1.4.16
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=pentium3 -funroll-loops -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /opt/jetty/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control /var/www/localhost/htdocs/squirrelmail/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium3 -funroll-loops -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo rsync://csociety-ftp.ecn.purdue.edu/pub/gentoo/ http://mirror.tucdemonic.org/gentoo/ ftp://ftp.ussg.iu.edu/pub/linux/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apm arts avi berkdb crypt cups encode foomaticdb gdbm gif gpm gtk2 imap imlib java jpeg ldap libg++ libwww mad maildir mikmod motif mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png ppds python quicktime readline sasl sdl slang spell ssl svga tcpd truetype x86 xml2 xmms xv zlib"
STARTTLS != SSL. STARTTLS is SSL support over the normal 143 port. The TLS is initiated from inside the connection. With SSL on port 993, it's initiated outside of the IMAP conversation. Go and look at /etc/courier-imap/imapd and see the IMAP_CAPABILITY* settings. I can log in to 3.0.7 quite fine on the normal IMAP port both with and without STARTTLS-capable clients.
  IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTN=PLAIN IDLE"

  telnet localhost 143
  * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTN=PLAIN IDLE ACL ACL2=UNION XMAGICTRASH] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.

If I uncomment lines 22 and 23 in /usr/lib/courier-imap/gentoo-imapd.rc, the telnet now shows:

  * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTN=PLAIN IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED XMAGICTRASH] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.

At that point Squirrelmail cannot log in without enabling TLS, something I don't wish to do, as it breaks the imapproxy I use to speed up the web mail for users. Oddly, something during this upgrade broke the serversidefilters plugin of Squirrelmail too. It uses IMAP authentication to verify the user before using a su to that user to change files in their home directory. Something has changed how Courier wants to do logins without me changing anything.
Please attach your '/etc/courier-imap/authdaemond.conf' and '/etc/pam.d/imap'. Your problem is the "LOGINDISABLED" capability in the greeting.

  $ telnet localhost 143
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE STARTTLS ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
  a login mailuser password
  a OK LOGIN Ok.
  a logout
  * BYE Courier-IMAP server shutting down
  a OK LOGOUT completed
  Connection closed by foreign host.
I get a very different result (using 3.0.7). I have the gentoo-imapd.rc totally stock (e.g. lines 22, 23 uncommented) and I get:

  telnet localhost 143
  * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.

The only time I can produce the LOGINDISABLED is if I set IMAP_TLS_REQUIRED=1 in /etc/courier-imap/imapd-ssl. Attach your /etc/courier-imap/imap* as well.
Created attachment 38040: /etc/pam.d/imap
Created attachment 38041: /etc/courier-imap/authdaemond.conf
Created attachment 38042: /etc/courier-imap/imapd
Created attachment 38043: /etc/courier-imap/imapd-ssl
Files attached. I do have IMAP_TLS_REQUIRED=1 in the imapd-ssl, because I want that enabled there. I however do not want it enabled on my imapd process. I run imapd-ssl on port 993 (standard) with accessibility to all. I also run imapd on port 994, limited to localhost, for an imapproxy running on localhost to connect to. I do not want any secure process on 994, TLS or SSL. The problem seems to be the new rc file added that combines variables from both imapd and imapd-ssl instead of treating them separately.
Therein lies your problem. The IMAP_TLS_REQUIRED=1 setting ONLY affects imapd and NOT imapd-ssl. Set it to 0 and you'll be fine.
Why is IMAP_TLS_REQUIRED=1 in the imapd-ssl file then? It was there before the upgrade, and never caused such a problem. Only the update to 3.0.5 caused issues.
One of the gentoo bugs fixed in the 3.0.5 (actually slightly before) was that TLS wasn't being enabled for the plain imapd, due to a glitch in our gentoo-imapd.rc script. The option is present in the imapd-ssl file because it makes logical sense to put it there. imapd contains all the base imap options, and imapd-ssl contains all options for SSL/TLS. The fact that the configuration files happen to have the same name as two of the binaries is just coincidental.
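Added example (not part of the bug thread, and not Courier-IMAP or Gentoo code): a small probe that does what the telnet checks above do by hand. It parses the CAPABILITY list out of Courier's greeting, reports whether plaintext LOGIN is permitted on that port (LOGINDISABLED, per RFC 2595 / RFC 3501 section 7.2.1, is exactly what IMAP_TLS_REQUIRED=1 adds), reads IMAP_TLS_REQUIRED from imapd-ssl text so the two can be compared, and can optionally issue STARTTLS and re-request CAPABILITY afterwards. The two greetings are quoted from this thread; the imapd-ssl fragment is constructed, not the reporter's attachment; the hostname, port and `--starttls`/`--insecure` flags are the example's own.

```python
"""Probe an IMAP port and report what its greeting permits before TLS.

Added example for the Gentoo bug thread above; not Courier-IMAP or Gentoo code.
"""
import re
import socket
import ssl
import sys

# Greetings as quoted in the thread: the reporter's port 143 while
# IMAP_TLS_REQUIRED=1 was in effect, and the maintainer's stock 3.0.7 server.
GREETING_TLS_REQUIRED = (
    "* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
    "THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=PLAIN IDLE ACL "
    "ACL2=UNION STARTTLS LOGINDISABLED XMAGICTRASH] Courier-IMAP ready."
)
GREETING_TLS_OPTIONAL = (
    "* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
    "THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready."
)

# Constructed fragment in the style of /etc/courier-imap/imapd-ssl (not a real file).
SAMPLE_IMAPD_SSL = """\
# constructed sample, not the reporter's attachment
SSLPORT=993
IMAP_TLS_REQUIRED=1
"""


def parse_capabilities(greeting):
    """Capability tokens Courier embeds in its '* OK [CAPABILITY ...]' greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return frozenset(m.group(1).upper().split()) if m else frozenset()


def classify(caps):
    """What a client may do on this port before any TLS handshake.

    LOGINDISABLED means a plaintext LOGIN will be rejected (Courier adds it when
    IMAP_TLS_REQUIRED=1); STARTTLS means TLS can be negotiated in-band on this port.
    """
    if "LOGINDISABLED" in caps:
        return "tls-required" if "STARTTLS" in caps else "no-plaintext-login"
    return "starttls-optional" if "STARTTLS" in caps else "plaintext-only"


def tls_required_from_config(text):
    """Read IMAP_TLS_REQUIRED from imapd-ssl text (sh-style KEY=VALUE, last wins).

    The knob lives in imapd-ssl but governs the plain imapd on port 143.
    Returns True/False, or None if the variable is never set.
    """
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "IMAP_TLS_REQUIRED":
            value = val.strip().strip("\"'")
    return None if value is None else value == "1"


def config_matches_greeting(config_text, greeting):
    """True when the port-143 greeting agrees with what imapd-ssl asks for."""
    required = tls_required_from_config(config_text) is True
    return ("LOGINDISABLED" in parse_capabilities(greeting)) == required


def _read_line(f):
    line = f.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    return line.decode("ascii", "replace").rstrip("\r\n")


def probe(host, port=143, do_starttls=False, verify=True, timeout=10):
    """Connect, classify the greeting, optionally STARTTLS and re-read CAPABILITY."""
    sock = socket.create_connection((host, port), timeout)
    f = sock.makefile("rb")
    greeting = _read_line(f)
    caps = parse_capabilities(greeting)
    result = {"greeting": greeting, "verdict": classify(caps), "tls_capabilities": None}
    if do_starttls and "STARTTLS" in caps:
        sock.sendall(b"a001 STARTTLS\r\n")
        line = _read_line(f)
        while not line.startswith("a001 "):  # skip untagged responses
            line = _read_line(f)
        if not line.startswith("a001 OK"):
            raise RuntimeError("STARTTLS refused: " + line)
        ctx = ssl.create_default_context()
        if not verify:  # only for self-signed test certificates
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
        f = sock.makefile("rb")
        sock.sendall(b"a002 CAPABILITY\r\n")  # must be re-requested after STARTTLS
        line = _read_line(f)
        while not line.startswith("a002 "):
            if line.upper().startswith("* CAPABILITY "):
                result["tls_capabilities"] = frozenset(line.upper().split()[2:])
            line = _read_line(f)
    sock.sendall(b"a003 LOGOUT\r\n")
    sock.close()
    return result


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 143
    r = probe(host, port, "--starttls" in sys.argv, "--insecure" not in sys.argv)
    print(r["greeting"])
    print("before TLS:", r["verdict"])
    if r["tls_capabilities"] is not None:
        print("LOGINDISABLED after STARTTLS:", "LOGINDISABLED" in r["tls_capabilities"])
```

Run it as `python probe.py localhost 143` against the plain imapd and `python probe.py localhost 143 --starttls --insecure` to confirm that LOGINDISABLED disappears once TLS is up; a "tls-required" verdict on the port the imapproxy uses is the symptom reported in this bug, and `config_matches_greeting` makes the point of the thread explicit: the value in imapd-ssl is what the port-143 greeting reflects.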
Ahh, ok. To resolve this, I'd recommend putting in a note explaining that the TLS option only affects imapd. Still tracking down why my serversidefilter plugin for Squirrelmail broke in the upgrade. Since that's not in Gentoo, I'm checking the squirrelmail plugin list for help on it. Seems to fail on plain authentication now for some bizarre reason.
If you want that, submit a docs patch. I think it's fairly obvious, as if you connect to the imap-ssl port, SSL (TLS) is in effect already.