[Dovecot] Avelsieve 1.9.7 and Dovecot/TLS

Michael Firnau mfi at tf.uni-kiel.de
Wed Apr 30 12:05:47 EEST 2008


Hi,

I'm installing a new mail server for our faculty and want to use
the squirrelmail plugin 'avelsieve' (1.9.7). As documented on the
dovecot wiki there is a problem in the STARTTLS code, and I
found a solution (that works for my installation):

I've traced the server output in 'get_response' and instead of
a script list I saw "IMPLEMENTATION". So I took a look at
the file 'managesieve.lib.php' and the STARTTLS code:

    /* If we allow STARTTLS, use it */
    if($this->capabilities['starttls'] === true && function_exists('stream_socket_enable_crypto') === true) {
        fputs($this->fp,"STARTTLS\r\n");
        $starttls_response = $this->line=fgets($this->fp,1024);
        if(stream_socket_enable_crypto($this->fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) == false) {
            $this->error=EC_UNKNOWN;
            $this->error_raw = "Failed to establish TLS connection.";
            return false;
        } else {
            $this->loggedin = true;
            
            // RFC says that we need to ask for the capabilities again
            $this->sieve_get_capability();
            $this->loggedin = false;
        }   
    }
     
With my limited time and debugging possibilities I've found that the
dovecot managesieve server seems to send capability lines 'automagically'.
I've added a few "debugging" lines:

    /* If we allow STARTTLS, use it */
    if($this->capabilities['starttls'] === true && function_exists('stream_socket_enable_crypto') === true) {
        fputs($this->fp,"STARTTLS\r\n");
        $starttls_response = $this->line=fgets($this->fp,1024);
        if(stream_socket_enable_crypto($this->fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) == false) {
            $this->error=EC_UNKNOWN;
            $this->error_raw = "Failed to establish TLS connection.";
            return false;
        } else {
            $this->loggedin = true;

            // debugging: read one more line and show what the server sent
            $starttls_response = $this->line=fgets($this->fp,1024);
            $errormsg .= _("MFI fgets ") . $starttls_response . '<br>';
            print_errormsg($errormsg);

            // RFC says that we need to ask for the capabilities again
            $this->sieve_get_capability();
            $this->loggedin = false;
        }   
    }

and could read

        MFI fgets "IMPLEMENTATION" "dovecot"

which throws the following 'sieve_get_capability' out of sync.
Then I added a second 'fgets' and received:

        MFI fgets "SASL" "PLAIN"

Then I added a third 'fgets' and received:

        MFI fgets "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"

Then I added a fourth 'fgets' and received:

        MFI fgets OK "TLS negotiation successful."

Now the protocol should be in sync again and after removing the lines

        $errormsg .= _("MFI 1 fgets ") . $starttls_response . '<br>';
        print_errormsg($errormsg);

I could load my scripts again. So, adding four lines reading

        $starttls_response = $this->line=fgets($this->fp,1024);
        $starttls_response = $this->line=fgets($this->fp,1024);
        $starttls_response = $this->line=fgets($this->fp,1024);
        $starttls_response = $this->line=fgets($this->fp,1024);

solved the problem. I know this is not a sound "fix", but I hope to
help you with this.

One addendum: debugging with my errormsg printout of the output from

    /* If we allow STARTTLS, use it */
    if($this->capabilities['starttls'] === true && function_exists('stream_socket_enable_crypto') === true) {
        fputs($this->fp,"STARTTLS\r\n");
        $starttls_response = $this->line=fgets($this->fp,1024);
        
resulted in the response:

        MFI fgets OK "Begin TLS negotiation now."

which looks proper to me, but the negotiation makes the server send the four lines mentioned above.


Cheers
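The exchange described in this post, as an added example that is not part of the original message or of avelsieve (and in Python rather than PHP, so the protocol logic can be run and checked on its own). Instead of reading a fixed number of lines after the TLS handshake, the client reads one complete ManageSieve response at a time: zero or more data lines followed by a line starting with OK, NO or BYE. That is the rule RFC 5804 specifies, and it is also what the four observed lines ("IMPLEMENTATION", "SASL", "SIEVE", then OK "TLS negotiation successful.") show: the server re-sends its capabilities after the handshake and terminates them with OK. The ScriptedConnection class, the `upgrade` callback and the server bytes are constructed for the example; a real client would pass a socket and a function that wraps it in TLS.

```python
import io
import re

# A ManageSieve capability line consists of quoted strings; this regex splits
# a line into its quoted tokens (bare words are kept too, for robustness).
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Constructed server transcript, matching the lines reported in the post:
# the reply to STARTTLS, then the unsolicited capability block after the handshake.
SERVER_SCRIPT = (
    b'OK "Begin TLS negotiation now."\r\n'
    b'"IMPLEMENTATION" "dovecot"\r\n'
    b'"SASL" "PLAIN"\r\n'
    b'"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress '
    b'relational comparator-i;ascii-numeric regex"\r\n'
    b'OK "TLS negotiation successful."\r\n'
)


class ScriptedConnection:
    """Constructed stand-in for the socket: server bytes are pre-scripted and
    everything the client writes is recorded so it can be inspected."""

    def __init__(self, server_bytes):
        self._inbound = io.BytesIO(server_bytes)
        self.sent = []

    def readline(self):
        return self._inbound.readline()

    def write(self, data):
        self.sent.append(data)


def _tokens(line):
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(line)]


def read_response(stream):
    """Read one complete ManageSieve response.

    Returns (status, data_lines, terminal_line), where status is "OK", "NO"
    or "BYE". Data lines are collected until that terminal line arrives, so
    the caller never has to guess how many lines the server will send.
    """
    data = []
    while True:
        raw = stream.readline()
        if not raw:
            raise EOFError("connection closed before an OK/NO/BYE line")
        line = raw.rstrip(b"\r\n").decode("utf-8", errors="replace")
        # The status word may be followed by a space or a response code "(...)".
        first = line.split(" ", 1)[0].split("(", 1)[0].upper()
        if first in ("OK", "NO", "BYE"):
            return first, data, line
        data.append(line)


def parse_capabilities(lines):
    """Turn lines like '"SIEVE" "fileinto reject"' into {"SIEVE": "fileinto reject"}."""
    caps = {}
    for line in lines:
        toks = _tokens(line)
        if toks:
            caps[toks[0].upper()] = toks[1] if len(toks) > 1 else ""
    return caps


def starttls_and_resync(conn, upgrade):
    """Client side of STARTTLS: issue the command, wait for OK, hand the
    connection to `upgrade` (hypothetical callback that wraps it in TLS),
    then consume the capability block the server sends automatically."""
    conn.write(b"STARTTLS\r\n")
    status, _, line = read_response(conn)
    if status != "OK":
        raise RuntimeError("server refused STARTTLS: " + line)
    tls = upgrade(conn)
    # After the handshake the server re-announces its capabilities, ending
    # with OK. Reading until that OK keeps the protocol in sync for the
    # CAPABILITY or AUTHENTICATE command that follows.
    status, lines, line = read_response(tls)
    if status != "OK":
        raise RuntimeError("capability announcement failed: " + line)
    return tls, parse_capabilities(lines)


def demo():
    """Run the exchange against the scripted transcript (no real TLS)."""
    conn = ScriptedConnection(SERVER_SCRIPT)
    _, caps = starttls_and_resync(conn, upgrade=lambda c: c)
    return caps


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

With a real socket, `upgrade` would be the place to call `ssl.SSLContext.wrap_socket` and return a file-like object over the wrapped socket; the reading logic does not change, because the resynchronisation depends only on the OK/NO/BYE terminator, not on how many capability lines a particular server version chooses to send.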


