Bug 20931

Summary: imap-2000 ssl does not log failure to find certificate
Product: [Retired] Red Hat Linux
Reporter: j. alan eldridge <alane>
Component: imap
Assignee: Mike A. Harris <mharris>
Status: CLOSED WONTFIX
QA Contact: Dale Lovelace <dale>
Severity: medium
Priority: medium
Version: 7.0
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-03-19 21:38:56 UTC

Description j. alan eldridge 2000-11-15 22:42:34 UTC
if a server was running imap-4.x for imaps, then the certificate file it 
used was $path_to_certificates/stunnel.pem, since stunnel handled ssl.
in imap-2000, imapd handles ssl, and the certificate name has changed to 
$path_to_certificates/imapd.pem. however, imapd-2000 does not log an error 
condition when this file does not exist.

net effect: upgrade to imap-2000 silently breaks imaps service, and there 
are no clues in the /var/log/* to indicate what happened.

i did 'strace -f -p pid-of-xinetd' and watched the imapd process come up 
and fail; i believe this to be the only way to diagnose the failure.

for added annoyance points: the certificate path/name looked for by imapd 
is not documented.

Comment 1 Nalin Dahyabhai 2000-11-20 21:59:03 UTC
The breakage happens because the SSL functionality in the web server allows it
to serve IMAP-over-SSL without use of stunnel.  The certificate needed is
/usr/share/ssl/certs/imapd.pem.  

I'll add a note to the package to that effect, though I'm puzzled that the
configuration file for the older imaps setup (which used stunnel) would have
been replaced if it was ever modified with chkconfig or ntsysv.

Comment 2 Arenas Belon, Carlo Marcelo 2000-12-19 17:17:49 UTC
this wouldn't make it easier for anyone to fix the problem as the RPM is still
broken.

adding (on %files):

%ghost %config(noreplace,missingok) %{_datadir}/ssl/certs/imapd.pem
%ghost %config(noreplace,missingok) %{_datadir}/ssl/certs/ipop3d.pem

would make it easier for anyone to know which is the correct name for the
certificate that would be needed for each service.

a %post script *could* be designed to run on updates and link the current
stunnel.pem if there is any and if /etc/xinetd.d/{imaps,pop3s} is using stunnel,
but given that stunnel.pem is not automatically installed and trustable by
default, i think it should be better left in the admin's hands.
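
An admin-side check for the condition discussed in this report, as an added example that is not part of the bug thread or the imap package: it reports a missing imapd.pem or ipop3d.pem before the daemon fails silently, and distinguishes the upgrade case where only stunnel.pem exists. The function names, status words, the USE_SYSLOG switch and the certcheck tag are hypothetical; the imaps/pop3s to imapd.pem/ipop3d.pem pairing is assumed from the file names in Comment 2, and matching the word stunnel in the xinetd entry is a heuristic.

```sh
#!/bin/sh
# Added example, not from the imap package. Paths default to the ones named
# in this report; function names and status words are hypothetical.
CERT_DIR=${CERT_DIR:-/usr/share/ssl/certs}
XINETD_DIR=${XINETD_DIR:-/etc/xinetd.d}

# cert_status SERVICE PEMFILE: print one status word for a service/cert pair
cert_status() {
    svc=$1
    pem=$CERT_DIR/$2
    if [ -s "$pem" ] && [ -r "$pem" ]; then
        echo ok
    elif [ -f "$XINETD_DIR/$svc" ] && grep -q stunnel "$XINETD_DIR/$svc"; then
        # xinetd entry still mentions stunnel: the pre-upgrade setup is in use
        echo stunnel-config
    elif [ -s "$CERT_DIR/stunnel.pem" ]; then
        # old certificate present, new name absent: the silent-failure case
        echo missing-stunnel-present
    else
        echo missing
    fi
}

# audit_mail_certs: report each unusable cert; exit status = number of problems
audit_mail_certs() {
    problems=0
    # service:certificate pairing assumed from the file names in Comment 2
    for pair in imaps:imapd.pem pop3s:ipop3d.pem; do
        svc=${pair%%:*}
        pem=${pair#*:}
        st=$(cert_status "$svc" "$pem")
        case $st in
            ok|stunnel-config) ;;
            *)
                problems=$((problems + 1))
                msg="$svc: $CERT_DIR/$pem not usable ($st)"
                echo "$msg" >&2
                # optional: leave the syslog trace the daemon does not write
                if [ "${USE_SYSLOG:-0}" = 1 ]; then
                    logger -p mail.err -t certcheck "$msg" || true
                fi
                ;;
        esac
    done
    return "$problems"
}
```

Calling audit_mail_certs after a package upgrade, with USE_SYSLOG=1 set, puts the missing-certificate message in the mail log instead of requiring strace to find it.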

Comment 3 Mike A. Harris 2001-06-20 12:47:04 UTC
A great number of imap issues are fixed in the pending errata release
of 2000c, including upgrades.  Please upgrade to it when it is released.

Realistically, imapd logging changes will have to be done upstream, so I
ask that you request this feature from the developers of UW imap at:
pine.edu.