[Dovecot] problems with squirrelmail and TLS (debian unstable)

Quentin Garnier cube at cubidou.net
Sat Apr 24 07:56:42 EEST 2004


On Fri, 23 Apr 2004 19:07:13 -0400,
Amelia A Lewis wrote:
[...]
> Dovecot cannot, currently, be configured to permit plaintext on
> localhost while requiring Something Better from the rest of the world. 
> This becomes a problem with SquirrelMail, which can't cope with TLS.  It
> just barfs.  Looking at bug reports in Debian, this has already been
> noticed, and the maintainer there (and the maintainers of SquirrelMail)
> considers this a non-problem, 'cause, they say, you shouldn't be using
> TLS with webmail.
> 
> Is there a way to set up, for instance, two instances of dovecot,
> running on different ports, so that one listens to the external
> interface and the other listens to localhost?  I don't much like the
> idea, but how would I go about doing this?  Two copies of dovecot.conf
> and a command-line switch?

SquirrelMail works perfectly fine with Dovecot and TLS.  I use it in
production for the company I work in.

However, it is true that I had to debug a very big issue with PHP and the
way it is compiled.  I'm using NetBSD and pkgsrc, but I guess it might be
the same with the Debian packages.

If PHP does not have OpenSSL compiled in, it will not be able to initiate TLS
connections.  The openssl PHP module only contains crypto functions, and
won't bring in support for TLS.  You have to compile it in the php binary
and/or the Apache PHP module.

Thus I committed (no later than a few days ago) a change to our php
packages to allow support for OpenSSL compiled in, and that works.

What makes the issue really bad is the way PHP handles this:  creating the
socket won't fail.  If OpenSSL support is not compiled in, the TLS option
SquirrelMail passes along while creating the socket is ignored.  Thus
SquirrelMail gets a "normal" socket, and you can see it in Ethereal and
the like:  SquirrelMail sends in clear text 'AUTH ...' while Dovecot of
course expects some TLS data, and then it gets stuck for a while.

Hope that helps.  And you can even use pkgsrc on your Linux distribution
to get the full suite, it's already Dovecot/SquirrelMail/TLS-ready :)
[http://www.pkgsrc.org]

-- 
Quentin Garnier - cube at cubidou.net - cube at NetBSD.org
"Feels like I'm fiddling while Rome is burning down.
Should I lay my fiddle down and take a rifle from the ground ?"
Leigh Nash/Sixpence None The Richer, Paralyzed, Divine Discontents, 2002.
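
Added example, not part of the original message and not Dovecot or SquirrelMail code: a check for the failure described above, where a client that silently lost TLS support sends a cleartext IMAP command to a port that expects a TLS handshake. It classifies the first client bytes of a connection; the sample byte strings, credentials and names are constructed, and the IMAP command set checked (LOGIN, AUTHENTICATE) is an assumption about what the client sends first.

```python
import re

# Cleartext IMAP command line: typical tag, space, command word.
IMAP_CMD = re.compile(rb"^([A-Za-z0-9.\-_]+) ([A-Za-z]+)(?: |\r?\n|$)")
CREDENTIAL_CMDS = {b"LOGIN", b"AUTHENTICATE"}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first client bytes seen on a TLS-wrapped IMAP port."""
    if len(data) < 6:
        return "incomplete"
    # SSLv3/TLS record: type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake message type 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        length = int.from_bytes(data[3:5], "big")
        if 0 < length <= 2**14 and data[5] == 0x01:
            return "tls-client-hello"
        return "malformed-tls"
    # SSLv2-compatible ClientHello: high bit set in the 2-byte length,
    # message type 0x01, then the offered major version (0 or 3).
    if data[0] & 0x80 and data[2] == 0x01 and data[3] in (0x00, 0x03):
        return "sslv2-client-hello"
    match = IMAP_CMD.match(data)
    if match:
        if match.group(2).upper() in CREDENTIAL_CMDS:
            return "cleartext-imap-credentials"
        return "cleartext-imap"
    return "unknown"


# Constructed samples: the first bytes a server-side capture might show.
SAMPLES = {
    "php-with-openssl": bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00]),
    "php-without-openssl": b"A001 LOGIN example-user example-pass\r\n",
    "legacy-sslv2-hello": bytes([0x80, 0x2E, 0x01, 0x03, 0x01, 0x00, 0x15]),
    "capability-probe": b"A002 CAPABILITY\r\n",
}


def alerts(samples):
    """Names of connections that spoke cleartext IMAP where TLS was expected."""
    return sorted(n for n, d in samples.items()
                  if classify_first_bytes(d).startswith("cleartext"))


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify_first_bytes(data)}")
    print("alert on:", alerts(SAMPLES))
```
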