[Dovecot] problems with squirrelmail and TLS (debian unstable)
Heylas,
So, okay, I've had this lovely IMAP server running, and adore the ease of configuration, among other things. Problem, though.
I'm trying to set up SquirrelMail, so that some folks with accounts on my box can use it without having to set up a proper imap client (or can check mail when they're at a cafe, or like that). However, I *won't* turn off the disable_plaintext_auth, 'cause I'm damned if I'll set up a box that asks people to send passwords in the clear, and there *are* people using imap.
Dovecot cannot, currently, be configured to permit plaintext on localhost while requiring Something Better from the rest of the world. This becomes a problem with SquirrelMail, which can't cope with TLS. It just barfs. Looking at bug reports in debian, this has already been noticed, and the maintainer there (and the maintainers of SquirrelMail) considers this a non-problem, 'cause, they say, you shouldn't be using TLS with webmail.
Is there a way to set up, for instance, two instances of dovecot, running on different ports, so that one listens to the external interface and the other listens to localhost? I don't much like the idea, but how would I go about doing this? Two copies of dovecot.conf and a command-line switch?
Amy!
-- 
Amelia A. Lewis                                        amyzing {at} talsever.com
Yankees are compelled by some mysterious force to imitate Southern accents and they're so damn dumb they don't know the difference between a Tennessee drawl and a Charleston clip.
-- Rita Mae Brown, "Rubyfruit Jungle"
On Fri, 23 Apr 2004 19:07:13 -0400, Amelia A Lewis wrote: [...]
> Dovecot cannot, currently, be configured to permit plaintext on localhost while requiring Something Better from the rest of the world. This becomes a problem with SquirrelMail, which can't cope with TLS. It just barfs. Looking at bug reports in debian, this has already been noticed, and the maintainer there (and the maintainers of SquirrelMail) considers this a non-problem, 'cause, they say, you shouldn't be using TLS with webmail.
> Is there a way to set up, for instance, two instances of dovecot, running on different ports, so that one listens to the external interface and the other listens to localhost? I don't much like the idea, but how would I go about doing this? Two copies of dovecot.conf and a command-line switch?
SquirrelMail works perfectly fine with Dovecot and TLS. I use it in production for the company I work in.
However, it is true that I had to debug a very big issue with PHP and the way it is compiled. I'm using NetBSD and pkgsrc, but I guess it might be the same with the Debian packages.
If PHP does not have OpenSSL compiled in, it will not be able to initiate TLS connections. The openssl PHP module only contains crypto functions, and won't bring in support for TLS. You have to compile it into the php binary and/or the Apache PHP module.
Thus I committed (only a few days ago) a change to our php packages to allow support for OpenSSL compiled in, and that works.
What makes the issue really bad is the way PHP handles this: creating the socket won't fail. If OpenSSL support is not compiled in, the TLS option SquirrelMail passes along while creating the socket is ignored. Thus SquirrelMail gets a "normal" socket, and you can see it in Ethereal and the like: SquirrelMail sends 'AUTH ...' in clear text while Dovecot of course expects some TLS data, and then it gets stuck for a while.
Hope that helps. And you can even use pkgsrc on your Linux distribution to get the full suite, it's already Dovecot/SquirrelMail/TLS-ready :) [http://www.pkgsrc.org]
-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"Feels like I'm fiddling while Rome is burning down. Should I lay my fiddle down and take a rifle from the ground ?"
Leigh Nash/Sixpence None The Richer, Paralyzed, Divine Discontents, 2002.
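What Quentin describes seeing in Ethereal, a cleartext 'AUTH ...' arriving on a port where the server is waiting for a TLS handshake, is easy to check for in a capture. The script below is an added example written for this page, not code from SquirrelMail, PHP or Dovecot: it looks at the first client-to-server bytes of each connection, tells a TLS ClientHello apart from cleartext IMAP, and pulls out any LOGIN or AUTHENTICATE PLAIN credentials that went over unencrypted. The sample flows, the username and password in them, the port list and the parsing heuristics are all constructed assumptions.

```python
"""Spot a webmail-to-IMAP hop that speaks cleartext where TLS was expected.

Added example for this thread; not SquirrelMail, PHP or Dovecot code. The sample
flows below are constructed byte strings standing in for the first client-to-server
segment of each TCP connection (what you would extract from an Ethereal/Wireshark
capture); the port list and the parsing heuristics are assumptions.
"""
import base64
import binascii

IMPLICIT_TLS_PORTS = {993}  # imaps: the server expects a TLS ClientHello before any IMAP


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 0x03, handshake type 0x01."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def _unquote(tok: bytes) -> str:
    if len(tok) >= 2 and tok[:1] == b'"' and tok[-1:] == b'"':
        tok = tok[1:-1]
    return tok.decode("utf-8", errors="replace")


def extract_cleartext_credentials(data: bytes):
    """Return (mechanism, username, password) if the client sent them unencrypted, else None.

    Handles 'tag LOGIN user pass' and 'tag AUTHENTICATE PLAIN [base64]' with the
    initial response on the same line or on the following line. IMAP literals ({n})
    and quoted strings containing spaces are not handled: this is a triage check.
    """
    lines = data.split(b"\r\n")
    for i, line in enumerate(lines):
        parts = line.split(b" ", 3)  # tag, command, up to two arguments
        if len(parts) < 3:
            continue
        cmd = parts[1].upper()
        if cmd == b"LOGIN" and len(parts) == 4:
            return ("LOGIN", _unquote(parts[2]), _unquote(parts[3]))
        if cmd == b"AUTHENTICATE" and parts[2].upper() == b"PLAIN":
            blob = parts[3] if len(parts) == 4 else (lines[i + 1] if i + 1 < len(lines) else b"")
            try:
                fields = base64.b64decode(blob, validate=True).split(b"\0")
            except (binascii.Error, ValueError):
                continue
            if len(fields) == 3:  # SASL PLAIN: authzid NUL authcid NUL password
                return ("PLAIN", fields[1].decode("utf-8", "replace"), fields[2].decode("utf-8", "replace"))
    return None


def classify(port: int, first_bytes: bytes) -> dict:
    """Verdict for one connection: transport actually used, credentials exposed, alerts."""
    verdict = {"port": port, "transport": "cleartext", "credentials": None, "alerts": []}
    if is_tls_client_hello(first_bytes):
        verdict["transport"] = "tls"
        return verdict  # encrypted from the first byte; nothing more to read without keys
    if port in IMPLICIT_TLS_PORTS:
        # Quentin's symptom: the server waits for a handshake, the client waits for an
        # IMAP reply, and meanwhile the command sits readable on the wire.
        verdict["alerts"].append("cleartext IMAP on an implicit-TLS port; expect a stall")
    creds = extract_cleartext_credentials(first_bytes)
    if creds:
        verdict["credentials"] = creds
        verdict["alerts"].append(f"{creds[0]} credentials for {creds[1]!r} sent in cleartext")
    return verdict


def audit(flows):
    """Classify a list of (dst_port, first_client_bytes) pairs."""
    return [classify(port, data) for port, data in flows]


# Constructed samples, not captured traffic. Username and password are made up.
SAMPLE_FLOWS = [
    # healthy imaps: TLS record header followed by the start of a ClientHello
    (993, bytes.fromhex("160301002a010000260303") + b"\x00" * 32),
    # tls:// silently ignored by PHP: plaintext SASL PLAIN lands on 993
    (993, b"A001 AUTHENTICATE PLAIN\r\n" + base64.b64encode(b"\0amy\0hunter2") + b"\r\n"),
    # cleartext LOGIN on 143, exactly what disable_plaintext_auth exists to refuse
    (143, b'A001 LOGIN "amy" "hunter2"\r\n'),
    # cleartext but harmless so far: a capability probe before STARTTLS
    (143, b"A001 CAPABILITY\r\n"),
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(v["port"], v["transport"], v["credentials"], v["alerts"])
```

The point of keeping the two alerts separate is that they are two different findings: cleartext on 993 is the misconfiguration Quentin hit (the connection hangs, nobody notices until someone looks at the wire), while cleartext credentials on any port is the exposure Amy's disable_plaintext_auth is there to prevent, whichever side caused it.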
I should follow up, having complained in public ...
On Sat, 24 Apr 2004 06:56:42 +0200 Quentin Garnier <cube@cubidou.net> wrote:
> On Fri, 23 Apr 2004 19:07:13 -0400, Amelia A Lewis wrote: [...]
> > Dovecot cannot, currently, be configured to permit plaintext on localhost while requiring Something Better from the rest of the world.
> > This becomes a problem with SquirrelMail, which can't cope with TLS. It just barfs. Looking at bug reports in debian, this has already
> SquirrelMail works perfectly fine with Dovecot and TLS. I use it in production for the company I work in.
> However, it is true that I had to debug a very big issue with PHP and the way it is compiled. I'm using NetBSD and pkgsrc, but I guess it might be the same with the Debian packages.
[snip]
It's interesting that there are different issues.
My debian installation had a bug in functions/imap_general.php that discarded the server name if tls was used (the server name became "tls://", only, instead of prepending that to the server name). Once I fixed that (now reported to debian maintainer, so should show fixed soon there), I still had problems, because I assumed that squirrelmail could do STARTTLS. It doesn't, apparently (I could be wrong again, though). Switching it to port 993 in config made everything lovely. Debian's php (libapache2-mod-php4, in my case, a recent addition to packages that actually permits php4 with apache2) appears to be compiled with the proper support.
So, all serene. *laugh* On the other hand, I *would* still like to be able to run without TLS on localhost (a localhost exception to disable_plaintext_auth), because it's fairly pointless to require the processor to do all the extra work of encryption and decryption in that situation. Feature request, please, Timo?
Amy!
-- 
Amelia A. Lewis                                        amyzing {at} talsever.com
The flesh is strong. The spirit stronger. So shed your skin, baby. Let it through. Come on over.
-- Amy Ray
On Sat, 24 Apr 2004 10:48:44 -0400, Amelia A Lewis wrote:
> I should follow up, having complained in public ...
My reply didn't make it to the list because I was using the wrong From address.
> On Sat, 24 Apr 2004 06:56:42 +0200 Quentin Garnier <cube@cubidou.net> wrote:
> > On Fri, 23 Apr 2004 19:07:13 -0400, Amelia A Lewis wrote: [...]
> > > Dovecot cannot, currently, be configured to permit plaintext on localhost while requiring Something Better from the rest of the world.
> > > This becomes a problem with SquirrelMail, which can't cope with TLS.
> > > It just barfs. Looking at bug reports in debian, this has already
> > SquirrelMail works perfectly fine with Dovecot and TLS. I use it in production for the company I work in.
> > However, it is true that I had to debug a very big issue with PHP and the way it is compiled. I'm using NetBSD and pkgsrc, but I guess it might be the same with the Debian packages.
> [snip]
> It's interesting that there are different issues.
> My debian installation had a bug in functions/imap_general.php that discarded the server name if tls was used (the server name became "tls://", only, instead of prepending that to the server name). Once I fixed that (now reported to debian maintainer, so should show fixed soon there), I still had problems, because I assumed that squirrelmail could do STARTTLS. It doesn't, apparently (I could be wrong again, though).
Yes, it doesn't. SquirrelMail doesn't really care about TLS; it merely passes a parameter to the PHP socket API telling it that it wants TLS for that connection. Turning on TLS in the middle of a TCP connection requires more integration between the application layer and OpenSSL.
> So, all serene. *laugh* On the other hand, I *would* still like to be able to run without TLS on localhost (a localhost exception to disable_plaintext_auth), because it's fairly pointless to require the processor to do all the extra work of encryption and decryption in that situation. Feature request, please, Timo?
Yeah, some generalized ACLs would be good.
-- 
Quentin Garnier - cube@NetBSD.org
The NetBSD Project - http://www.NetBSD.org/
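Quentin's explanation of why a "tls://" socket option cannot give you STARTTLS (the protocol has to be switched to TLS in the middle of an existing TCP connection, after an IMAP exchange) can be shown in code. The following is an added example for this page, not SquirrelMail, PHP or Dovecot code: it drives the cleartext prelude of IMAP STARTTLS, wraps the same socket in TLS only after the server's OK, and, most relevant to this thread, refuses to send credentials at all if STARTTLS is not offered or is rejected, instead of quietly falling back to cleartext LOGIN. The server transcripts, tag names and greeting text are constructed assumptions.

```python
"""IMAP STARTTLS negotiated fail-closed: no TLS, no credentials.

Added example for this thread; not SquirrelMail, PHP or Dovecot code. The server
transcripts are constructed, not captured from a real server, and the tag names
and greeting text are assumptions.
"""
import io
import socket
import ssl


class StartTlsRefused(Exception):
    """TLS could not be negotiated; the caller must not send credentials."""


def negotiate_starttls(rfile, wfile):
    """Run the cleartext prelude of IMAP STARTTLS (RFC 2595 / RFC 3501).

    rfile/wfile are binary file objects on the raw TCP connection. When this
    returns, the server has answered OK to STARTTLS and the next bytes on the
    same connection must be the TLS handshake, so the caller wraps the socket
    before sending anything else. The returned capability set is unauthenticated
    and is only used to decide whether STARTTLS is offered at all.
    """
    greeting = rfile.readline()
    if not greeting.startswith(b"* OK"):
        raise StartTlsRefused(f"unexpected greeting: {greeting!r}")

    wfile.write(b"A1 CAPABILITY\r\n")
    wfile.flush()
    caps = set()
    while True:
        line = rfile.readline()
        if not line:
            raise StartTlsRefused("connection closed during CAPABILITY")
        if line.upper().startswith(b"* CAPABILITY "):
            caps = set(line.rstrip(b"\r\n").upper().split()[2:])
        elif line.startswith(b"A1 "):
            if not line.startswith(b"A1 OK"):
                raise StartTlsRefused(f"CAPABILITY failed: {line!r}")
            break

    # The decision this thread is about: if TLS is not available, stop here rather
    # than quietly sending LOGIN in the clear.
    if b"STARTTLS" not in caps:
        raise StartTlsRefused("server does not offer STARTTLS; refusing cleartext authentication")

    wfile.write(b"A2 STARTTLS\r\n")
    wfile.flush()
    reply = rfile.readline()
    if not reply.startswith(b"A2 OK"):
        raise StartTlsRefused(f"STARTTLS rejected: {reply!r}")
    return caps


def run_transcript(server_bytes: bytes) -> dict:
    """Drive negotiate_starttls against a canned server transcript (offline harness)."""
    rfile, wfile = io.BytesIO(server_bytes), io.BytesIO()
    try:
        caps = negotiate_starttls(rfile, wfile)
        return {"ok": True, "caps": caps, "sent": wfile.getvalue(), "error": None}
    except StartTlsRefused as exc:
        return {"ok": False, "caps": set(), "sent": wfile.getvalue(), "error": str(exc)}


def _quoted(s: str) -> str:
    """IMAP quoted string: escape backslash and double quote."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def login_over_starttls(host: str, port: int, user: str, password: str, timeout: float = 10.0) -> bytes:
    """Connect on the cleartext IMAP port, upgrade to TLS, then LOGIN. Real network I/O."""
    sock = socket.create_connection((host, port), timeout=timeout)
    # buffering=0 on the reader: never read ahead past the 'A2 OK' line, the bytes after it are TLS.
    negotiate_starttls(sock.makefile("rb", buffering=0), sock.makefile("wb"))
    # TLS is turned on in the middle of the TCP connection: same socket, handshake starts now.
    tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    rfile, wfile = tls.makefile("rb"), tls.makefile("wb")
    wfile.write(f"A3 LOGIN {_quoted(user)} {_quoted(password)}\r\n".encode("utf-8"))
    wfile.flush()
    while True:
        line = rfile.readline()
        if not line or line.startswith(b"A3 "):
            return line  # b'A3 OK ...' on success, b'A3 NO ...' on bad credentials


# Constructed transcripts (server side only; the client side is what we send).
SERVER_OFFERS_STARTTLS = (
    b"* OK IMAP server ready\r\n"
    b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"  # LOGINDISABLED until TLS is up
    b"A1 OK Capability completed\r\n"
    b"A2 OK Begin TLS negotiation now\r\n"
)
SERVER_WITHOUT_STARTTLS = (
    b"* OK IMAP server ready\r\n"
    b"* CAPABILITY IMAP4rev1\r\n"
    b"A1 OK Capability completed\r\n"
)
SERVER_REJECTS_STARTTLS = (
    b"* OK IMAP server ready\r\n"
    b"* CAPABILITY IMAP4rev1 STARTTLS\r\n"
    b"A1 OK Capability completed\r\n"
    b"A2 BAD TLS not available right now\r\n"
)

if __name__ == "__main__":
    for t in (SERVER_OFFERS_STARTTLS, SERVER_WITHOUT_STARTTLS, SERVER_REJECTS_STARTTLS):
        print(run_transcript(t))
```

Only run_transcript runs offline; login_over_starttls does real network I/O and is there to show where the TLS wrap happens relative to the IMAP commands. Contrast this with a plain "tls://" connection on 993, where the handshake is the first thing on the wire and no IMAP exchange precedes it, which is the only mode a socket-level TLS flag can give you.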
On Sat, 2004-04-24 at 17:48, Amelia A Lewis wrote:
> So, all serene. *laugh* On the other hand, I *would* still like to be able to run without TLS on localhost (a localhost exception to disable_plaintext_auth), because it's fairly pointless to require the processor to do all the extra work of encryption and decryption in that situation. Feature request, please, Timo?
It's actually been implemented in CVS for quite some time.. If the IP begins with 127, it's treated as secure.