| Summary: | Gentoo Courier 3.0.5 sets TLS options on both imapdssl and imapd | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Tom <d_gentoo> |
| Component: | [OLD] Server | Assignee: | Net-Mail Packages <net-mail+disabled> |
| Status: | RESOLVED INVALID | | |
| Severity: | major | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | /etc/pam.d/imap, /etc/courier-imap/authdaemond.conf, /etc/courier-imap/imapd, /etc/courier-imap/imapd-ssl | | |
Description
Tom
2004-08-22 18:48:47 UTC
STARTTLS != SSL. STARTTLS is SSL support over the normal 143 port. The TLS is initiated from inside the connection. With SSL on port 993, it's initiated outside of the IMAP conversation. Go and look at /etc/courier-imap/imapd and see the IMAP_CAPABILITY* settings. I can login to 3.0.7 quite fine on the normal IMAP port both with and without STARTTLS-capable clients.

IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTN=PLAIN IDLE"

```
telnet localhost 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTN=PLAIN IDLE ACL ACL2=UNION XMAGICTRASH] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
```

If I uncomment lines 22 and 23 in /usr/lib/courier-imap/gentoo-imapd.rc, the telnet now shows

```
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTN=PLAIN IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED XMAGICTRASH] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
```

At that point Squirrelmail cannot log in without enabling TLS, something I don't wish to do, as it breaks the imapproxy I use to speed up the web mail for users. Oddly, something during this upgrade broke the serversidefilters plugin of Squirrelmail too. It uses IMAP authentication to verify the user before using a su to that user to change files in their home directory. Something has changed how Courier wants to do logins without me changing anything.

Please attach your '/etc/courier-imap/authdaemond.conf' and '/etc/pam.d/imap'.

Your problem is the "LOGINDISABLED" capability in the greeting.

```
$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE STARTTLS ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
a login mailuser password
a OK LOGIN Ok.
a logout
* BYE Courier-IMAP server shutting down
a OK LOGOUT completed
Connection closed by foreign host.
```

I get a very different result (using 3.0.7). I have the gentoo-imapd.rc totally stock (e.g. lines 22, 23 uncommented) and I get:

```
telnet localhost 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information
```

The only time I can produce the LOGINDISABLED is if I set IMAP_TLS_REQUIRED=1 in /etc/courier-imap/imapd-ssl.

Attach your /etc/courier-imap/imap* as well.

Created attachment 38040 [details]
/etc/pam.d/imap
Created attachment 38041 [details]
/etc/courier-imap/authdaemond.conf
Created attachment 38042 [details]
/etc/courier-imap/imapd
Created attachment 38043 [details]
/etc/courier-imap/imapd-ssl
Files attached. I do have IMAP_TLS_REQUIRED=1 in the imapd-ssl, because I want that enabled there. I however do not want it enabled on my imapd process. I run imapd-ssl on port 993 (standard) with accessibility to all. I also run imapd on port 994, limited to localhost, for an imapproxy running on localhost to connect to. I do not want any secure process on 994, TLS or SSL. The problem seems to be the new rc file added that combines variables from both imapd and imapd-ssl instead of treating them separately.

Therein lies your problem. The IMAP_TLS_REQUIRED=1 setting ONLY affects imapd and NOT imapd-ssl. Set it to 0 and you'll be fine.

Why is IMAP_TLS_REQUIRED=1 in the imapd-ssl file then? It was there before the upgrade, and never caused such a problem. Only the update to 3.0.5 caused issues.

One of the gentoo bugs fixed in the 3.0.5 (actually slightly before) was that TLS wasn't being enabled for the plain imapd, due to a glitch in our gentoo-imapd.rc script. The option is present in the imapd-ssl file because it makes logical sense to put it there. imapd contains all the base imap options, and imapd-ssl contains all options for SSL/TLS. The fact that the configuration files happen to have the same name as two of the binaries is just coincidental.

Ahh, ok. To resolve this, I'd recommend putting in a note explaining that the TLS option only affects imapd. Still tracking down why my serversidefilter plugin for Squirrelmail broke in the upgrade. Since that's not in Gentoo, I'm checking the squirrelmail plugin list for help on it. Seems to fail on plain authentication now for some bizarre reason.

If you want that, submit a docs patch. I think it's fairly obvious, as if you connect to the imap-ssl port, SSL(TLS) is in effect already.
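The whole thread turns on what the greeting advertises: a listener whose CAPABILITY list carries LOGINDISABLED refuses a plaintext LOGIN until STARTTLS has been negotiated, which is what stopped Squirrelmail and the imapproxy from logging in on the plain port. The following Python script is an added example, not part of the bug report and not Courier or Gentoo code. It parses the CAPABILITY list out of a greeting, classifies what a client may do before authenticating, and can probe a live listener with the standard-library imaplib so an administrator can confirm that each port (the localhost-only plain port, the public SSL port) advertises the policy they intended. The sample greetings are the banners quoted in the report above (including its AUTN=PLAIN spelling, left as pasted); the host and port arguments of the probe are caller-supplied placeholders.

```python
import re
import imaplib

# Banners quoted in the bug report, used here as sample input.
GREETING_NO_TLS = (
    "* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
    "THREAD=REFERENCES SORT QUOTA AUTN=PLAIN IDLE ACL ACL2=UNION XMAGICTRASH] "
    "Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc."
)
GREETING_LOGINDISABLED = (
    "* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
    "THREAD=REFERENCES SORT QUOTA AUTN=PLAIN IDLE ACL ACL2=UNION STARTTLS "
    "LOGINDISABLED XMAGICTRASH] Courier-IMAP ready."
)
GREETING_STARTTLS_OPTIONAL = (
    "* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
    "THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready."
)
GREETING_CRAM = (
    "* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
    "THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE STARTTLS ACL "
    "ACL2=UNION STARTTLS] Courier-IMAP ready."
)

# Courier embeds the capability list in the untagged OK greeting
# (RFC 3501 section 7.1), e.g. "* OK [CAPABILITY IMAP4rev1 ...] ...".
_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(greeting):
    """Return the set of capability tokens advertised in an IMAP greeting.

    An empty set means the banner carried no CAPABILITY response code; a
    client would then have to send an explicit CAPABILITY command.
    """
    match = _CAP_RE.search(greeting)
    if not match:
        return set()
    return set(match.group(1).split())


def login_policy(caps):
    """Classify what a client may do in the not-authenticated state.

    'starttls-required': LOGINDISABLED advertised, so a plaintext LOGIN is
        rejected until STARTTLS has been negotiated (the IMAP_TLS_REQUIRED=1
        behaviour seen in the report).
    'starttls-optional': STARTTLS offered, plaintext LOGIN still accepted.
    'plaintext-only':    no STARTTLS at all (what a localhost-only proxy
        port such as the reporter's port 994 is meant to look like).
    'login-impossible':  LOGINDISABLED without STARTTLS, i.e. nobody can
        authenticate on this port; treat as a misconfiguration.
    """
    has_starttls = "STARTTLS" in caps
    login_disabled = "LOGINDISABLED" in caps
    if login_disabled and has_starttls:
        return "starttls-required"
    if login_disabled:
        return "login-impossible"
    if has_starttls:
        return "starttls-optional"
    return "plaintext-only"


def auth_mechanisms(caps):
    """List the SASL mechanisms advertised as AUTH=<name> tokens."""
    return sorted(c.split("=", 1)[1] for c in caps if c.startswith("AUTH="))


def probe_listener(host, port, expected, timeout=5):
    """Read a live listener's greeting and compare its policy with 'expected'.

    Returns (observed_policy, matches). Only the greeting is read and a
    LOGOUT sent; no credentials are transmitted, so the probe is safe to run
    against a port that advertises LOGINDISABLED. Not exercised offline;
    host and port are placeholders supplied by the caller.
    """
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        caps = parse_capabilities(conn.welcome.decode("ascii", "replace"))
        observed = login_policy(caps)
        conn.logout()
    except (imaplib.IMAP4.error, OSError):
        conn.shutdown()
        raise
    return observed, observed == expected


if __name__ == "__main__":
    samples = [
        ("plain imapd, TLS off", GREETING_NO_TLS),
        ("plain imapd, IMAP_TLS_REQUIRED=1", GREETING_LOGINDISABLED),
        ("plain imapd, STARTTLS offered", GREETING_STARTTLS_OPTIONAL),
        ("CRAM-only listener", GREETING_CRAM),
    ]
    for label, greeting in samples:
        caps = parse_capabilities(greeting)
        print(f"{label}: {login_policy(caps)}; AUTH={auth_mechanisms(caps)}")
```

Run it without arguments to classify the four banners from the report; to check a real host, call `probe_listener("localhost", 994, "plaintext-only")` for the proxy port and `probe_listener("localhost", 143, "starttls-required")` for a port where TLS is meant to be mandatory, and alert when the second element of the result is False. Port 993 is not probed this way because it speaks TLS from the first byte (imaplib.IMAP4_SSL would be needed), which is the STARTTLS-versus-SSL distinction the first comment draws.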