[Dovecot] problems with squirrelmail and TLS (debian unstable)

Quentin Garnier cube at NetBSD.org
Sat Apr 24 18:24:50 EEST 2004


On Sat, 24 Apr 2004 10:48:44 -0400
Amelia A Lewis wrote:
> I should follow up, having complained in public ...

My reply didn't make it to the list because I was using the wrong From
address.

> On Sat, 24 Apr 2004 06:56:42 +0200
> Quentin Garnier <cube at cubidou.net> wrote:
> > On Fri, 23 Apr 2004 19:07:13 -0400
> > Amelia A Lewis wrote:
> > [...]
> > > Dovecot cannot, currently, be configured to permit plaintext on
> > > localhost while requiring Something Better from the rest of the
> > > world.
> > > 
> > > This becomes a problem with SquirrelMail, which can't cope with TLS.
> > > 
> > > It just barfs.  Looking at bug reports in Debian, this has already
> > 
> > SquirrelMail works perfectly fine with Dovecot and TLS.  I use it in
> > production for the company I work in.
> > 
> > However, it is true that I had to debug a very big issue with PHP and
> > the way it is compiled.  I'm using NetBSD and pkgsrc, but I guess it
> > might be the same with the Debian packages.
> 
> [snip]
> 
> It's interesting that there are different issues.
> 
> My Debian installation had a bug in functions/imap_general.php that
> discarded the server name if tls was used (the server name became
> "tls://", only, instead of prepending that to the server name).  Once I
> fixed that (now reported to Debian maintainer, so should show fixed soon
> there), I still had problems, because I assumed that SquirrelMail could
> do STARTTLS.  It doesn't, apparently (I could be wrong again, though).

Yes, it doesn't.  SquirrelMail doesn't really care about TLS; it merely
passes a parameter to the PHP socket API telling it that it wants TLS for that
connection.  Turning on TLS in the middle of a TCP connection requires
more integration between the application layer and OpenSSL.

> So, all serene.  *laugh*  On the other hand, I *would* still like to be
> able to run without TLS on localhost (a localhost exception to
> disable_plaintext_auth), because it's fairly pointless to require the
> processor to do all the extra work of encryption and decryption in that
> situation.  Feature request, please, Timo?

Yeah, some generalized ACLs would be good.

-- 
Quentin Garnier - cube at NetBSD.org
The NetBSD Project - http://www.NetBSD.org/
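
Added example, not part of the original message and not SquirrelMail or Dovecot code: a Python sketch of the client-side difference discussed above between implicit TLS (handshake before any IMAP traffic) and STARTTLS (upgrade in mid-connection), with the localhost plaintext exception expressed as a client policy. The function names, the `allow_local_plaintext` parameter and the sample server lines are assumptions constructed for illustration.

```python
import imaplib
import ipaddress
import ssl

# Constructed sample server lines (not captured from a real server).
SAMPLE_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n"
SAMPLE_PLAIN = b"* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"

def parse_capabilities(line):
    """Return the capability atoms from a greeting or untagged CAPABILITY line."""
    text = line.decode("ascii", "replace").strip().upper()
    if "[CAPABILITY " in text:  # greeting form: * OK [CAPABILITY ...] text
        start = text.index("[CAPABILITY ") + len("[CAPABILITY ")
        return set(text[start:text.index("]", start)].split())
    if text.startswith("* CAPABILITY "):
        return set(text[len("* CAPABILITY "):].split())
    return set()

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a non-local hostname, never treated as loopback
        return False

def choose_transport(host, port, caps, allow_local_plaintext=False):
    """Return 'implicit-tls', 'starttls', 'plaintext' or 'refuse'."""
    if port == 993:
        return "implicit-tls"  # TLS handshake happens before any IMAP byte
    if "STARTTLS" in caps:
        return "starttls"  # plaintext greeting, then upgrade in mid-connection
    if allow_local_plaintext and is_loopback(host) and "LOGINDISABLED" not in caps:
        return "plaintext"  # the localhost exception, as a client-side policy
    return "refuse"

def connect(host, port=143, allow_local_plaintext=False):
    """Open an IMAP connection that is safe to send LOGIN on, or raise."""
    ctx = ssl.create_default_context()
    if port == 993:
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    conn = imaplib.IMAP4(host, port)
    caps = {c.upper() for c in conn.capabilities}
    mode = choose_transport(host, port, caps, allow_local_plaintext)
    if mode == "starttls":
        conn.starttls(ssl_context=ctx)
    elif mode == "refuse":
        conn.shutdown()
        raise ConnectionError("no TLS offered and plaintext not permitted")
    return conn
```

A server that advertises `LOGINDISABLED` before TLS is negotiated makes the client refuse plaintext even on loopback, so the exception only takes effect when the server side permits it as well.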


