[Dovecot] Problems with AUTH=PLAIN in pop3

Maykel Moya moya at infomed.sld.cu
Sat Jan 5 08:39:21 EET 2008


I'm using Dovecot (1.0.10) locally to test SugarCRM. When I tried to set
up a mail account in Sugar, it complains with 

--
SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
Please check your settings and try again.
--

I don't know if that behaviour is a bug or a feature of php-imap. The case
is that I'm unable to set up the mail account in Sugar.

Timo answered me on IRC about Dovecot assuming that a connection from
the same IP is considered secured.

I'd rebuild Dovecot with the following patch:

--- dovecot-1.0.10/src/pop3-login/client.c.orig	2008-01-05
00:44:14.000000000 -0500
+++ dovecot-1.0.10/src/pop3-login/client.c	2008-01-05 00:44:30.000000000
-0500
@@ -331,7 +331,7 @@
 	client->created = ioloop_time;
 	client->refcount = 1;
 	client->common.tls = ssl;
-	client->common.secured = ssl || net_ip_compare(ip, local_ip);
+	client->common.secured = ssl;
 
 	client->common.local_ip = *local_ip;
 	client->common.ip = *ip;
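
Review bot: On the changed `client->common.secured` assignment, dropping `net_ip_compare(ip, local_ip)` unconditionally makes every non-TLS client, including one connecting from the server's own IP, count as unsecured, with no setting to restore the old behaviour and no comment saying that `secured` now means TLS only. Consider gating this on a configuration option rather than hard-coding it, and document the new meaning next to the assignment. The hunk also does not show where `secured` is read when the mechanism list is advertised, so it is worth confirming that this assignment is what controls it. Separately, the `---` and `+++` header lines are each wrapped onto two lines, so the patch will not apply as posted.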
---

but I'm still not able to make it not accept AUTH PLAIN authentication from
the same IP. Am I missing something?

On the other hand, if I set disable_plaintext_auth to yes I cannot use
the classic USER/PASS pop3 verbs. I'm not sure what the POP3 related
RFCs mandate with respect to this.

Regards,
maykel



