
Bug 39653

Summary: STARTTLS can't be enabled in imapd using courier-imap
Product: Gentoo Linux
Reporter: Chris Eaton <tridus>
Component: [OLD] Server
Assignee: Net-Mail Packages <net-mail+disabled>
Status: RESOLVED FIXED
Severity: normal
CC: aeonflux, timmy
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Chris Eaton 2004-01-28 04:27:01 UTC
Using courier-imap-2.1.2-r1, there are settings in the imapd-ssl configuration file to enable the STARTTLS extension to the normal IMAP protocol. These settings don't work, and I can't get STARTTLS to enable. (The TLS_REQUIRED setting doesn't work either; users can still log in in the clear.)

The older style imapd-ssl on port 993 does work, as does STARTTLS in the pop3d server from the same package.

Reproducible: Always
Steps to Reproduce:
1. Install courier-imap using the method in the Virtual Mailhost guide. (this includes creating a certificate) (http://www.gentoo.org/doc/en/virt-mail-howto.xml)
2. Change imapd-ssl to enable STARTTLS

Actual Results:  
Nothing.

Expected Results:  
STARTTLS should appear in the list of valid commands to the server, and should 
actually work.

Another Gentoo user reports that it does work properly using the older 1.7 
ebuild of courier-imap. Several other people in the Networking and Security 
forums have reported the same problem with 2.1.2; there doesn't seem to be any 
solution except attempting to downgrade to 1.7.

emerge info:
Portage 2.0.49-r21 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r9, 2.4.20-gentoo-r9)
=================================================================
System uname: 2.4.20-gentoo-r9 i686 Pentium III (Katmai)
Gentoo Base System version 1.4.3.10p1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium3 -O3 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config 
/usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-march=pentium3 -O3 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://gentoo.noved.org/ http://mirrors.tds.net/gentoo ftp://gentoo.noved.org/ ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X apache2 apm arts avi berkdb crypt encode foomaticdb gdbm gif gnome gpm 
gtk gtk2 imap imlib java jpeg kde libg++ libwww mad maildir mikmod motif mpeg 
mysql ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime 
readline sasl sdl slang spell ssl svga tcltk tcpd truetype x86 xml xml2 xmms xv 
zlib"
Comment 1 aeonflux 2004-01-29 07:12:22 UTC
This is because in order for STARTTLS to work on the imap protocol, the binary couriertls needs to be run, rather than couriertcpd.  However the port only chooses to install the couriertcpd binary, rather than both.  Worse, the files/gentoo-imapd.rc script is hardcoded to use couriertcpd regardless of whether or not starttls has been set.
Comment 2 Steve 2004-01-29 07:26:19 UTC
This is the same bug as described in bug # 39762.

Bug # 39762 describes the problem a little more accurately.
Comment 3 SpanKY gentoo-dev 2004-01-29 15:23:33 UTC
*** Bug 39762 has been marked as a duplicate of this bug. ***
Comment 4 Tim Dodge 2004-03-10 03:41:40 UTC
I've been banging my head against this for a while as well, but I've finally got it working.

There's a bug in gentoo-imapd.rc:

--- gentoo-imapd.rc.org Wed Mar 10 11:32:38 2004
+++ gentoo-imapd.rc     Wed Mar 10 11:36:09 2004
@@ -19,7 +19,8 @@
 done

 ulimit -d $IMAP_ULIMITD
-export IMAPDSTARTTLS
+IMAP_STARTTLS=$IMAPDSTARTTLS
+export IMAP_STARTTLS
 TLS_PROTOCOL=$TLS_STARTTLS_PROTOCOL
 eval `sed -n '/^#/d;/=/p' </etc/courier-imap/imapd | \
        sed 's/=.*//;s/^/export /;s/$/;/'`
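
Review bot: The added `IMAP_STARTTLS=$IMAPDSTARTTLS` line needs a comment saying why the value is copied under a second name, and the hunk should also cover the TLS-required setting that the reporter says is ignored. The `eval` below it only emits `export` for names assigned in /etc/courier-imap/imapd, so a setting that lives in imapd-ssl reaches the daemon only if this script exports it explicitly, as is now done for IMAP_STARTTLS; within the visible context `TLS_PROTOCOL` is assigned but not exported either. Suggest adding the comment, checking the remaining imapd-ssl settings the same way, and verifying after a restart that STARTTLS shows up in the capability list on the unencrypted port.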

With this change, STARTTLS is enabled on the unencrypted port.

Tim
Comment 5 Chris Eaton 2004-03-18 11:43:04 UTC
That worked for me, thanks!

I don't suppose we could get an update to the package with this change?
Comment 6 Tim Dodge 2004-03-18 12:33:07 UTC
In fact a new version of courier-imap would be nice.

According to http://sourceforge.net/project/showfiles.php?group_id=5404
there have been 5 releases since v2.1.2.
Comment 7 Tim Dodge 2004-04-11 13:34:39 UTC
Thank you for the new version of courier-imap (courier-imap-3.0.2), the update is appreciated.

However, the bug in gentoo-imapd.rc is still present, and without it STARTTLS support is BROKEN. Can you please include the patch in the ebuild?
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-06-26 16:19:43 UTC
fixed in cvs for 3.0.5
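
A way to verify the "Expected Results" from the description after applying the fix, added here as an example and not taken from the bug report or from courier-imap: it checks the capability list on the unencrypted port for STARTTLS. Treating the RFC 3501 `LOGINDISABLED` capability as the sign that cleartext LOGIN is refused is an assumption about how the server reflects its TLS-required setting; the function names and sample lines are constructed.

```python
import imaplib
import re

# A server can list capabilities in two places (RFC 3501):
#   greeting:  * OK [CAPABILITY IMAP4rev1 STARTTLS] ready
#   response:  * CAPABILITY IMAP4rev1 STARTTLS
_CAP_RE = re.compile(
    r"^\*\s+(?:OK\s+\[CAPABILITY\s+([^\]]*)\].*|CAPABILITY\s+(.*))$",
    re.IGNORECASE)

def parse_capabilities(line):
    """Return the set of upper-cased capability atoms in one server line."""
    m = _CAP_RE.match(line.strip())
    if not m:
        return set()
    return {atom.upper() for atom in (m.group(1) or m.group(2) or "").split()}

def assess(caps, tls_required=False):
    """List what is wrong with a pre-TLS capability set on the plain port."""
    caps = {c.upper() for c in caps}
    problems = []
    if "STARTTLS" not in caps:
        problems.append("STARTTLS not advertised")
    # Assumption: a server that refuses cleartext LOGIN says so via LOGINDISABLED.
    if tls_required and "LOGINDISABLED" not in caps:
        problems.append("cleartext LOGIN still offered (no LOGINDISABLED)")
    return problems

def probe(host, port=143, tls_required=False):
    """Live check: imaplib records the capabilities right after connecting."""
    conn = imaplib.IMAP4(host, port)
    try:
        return assess(conn.capabilities, tls_required)
    finally:
        conn.logout()

# Constructed sample lines, not captured from a real server.
BROKEN = "* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE IDLE] ready"
FIXED = "* CAPABILITY IMAP4rev1 UIDPLUS IDLE STARTTLS LOGINDISABLED"

if __name__ == "__main__":
    for label, line in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, assess(parse_capabilities(line), tls_required=True))
```

Run `probe("mail.example.org", tls_required=True)` against your own server (the hostname is a placeholder); an empty list means both checks passed.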