Bug 250189

Summary: [patch] Broken LMTP encryption and certificate auth/pre-auth
Product: Red Hat Enterprise Linux 5
Component: cyrus-imapd
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED INSUFFICIENT_DATA
Severity: medium
Priority: low
Reporter: Nathaniel McCallum <nathaniel>
Assignee: Michal Hlavinka <mhlavink>
QA Contact: Brian Brock <bbrock>
CC: dkovalsk, rvokal, syeghiay
Doc Type: Bug Fix
Last Closed: 2009-09-22 11:13:19 UTC
Attachments: Patch to fix TLS and Authentication for LMTP (flags: none)

Description Nathaniel McCallum 2007-07-30 22:25:37 UTC
Description of problem:
If one does not use the password-based authentication for LMTP (either cert or
pre-auth), TLS is forcibly disabled.  Additionally, there is also a bug where
certificate authentication doesn't actually work (fails even with correct certs).


Version-Release number of selected component (if applicable):
all


Steps to Reproduce:
1. edit /etc/cyrus.conf and launch lmtpd with the '-a' option
2. try to connect to lmtp with TLS enabled

... or ...

1. edit /etc/imapd.conf and enable tls_lmtp_require_cert.
2. try to connect to lmtp using certificate auth
  
Actual results:
Either encryption, authentication or both don't work.

Expected results:
Authentication and encryption should work.

Additional info:
Patch fixing the problem is attached.  It has been tested and is deployed on a
large mail server here.

Comment 1 Nathaniel McCallum 2007-07-30 22:25:37 UTC
Created attachment 160279
Patch to fix TLS and Authentication for LMTP

Comment 2 RHEL Program Management 2007-12-03 20:44:58 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.

Comment 3 Nathaniel McCallum 2007-12-06 16:01:13 UTC
BTW, as far as I know, this bug exists in all Red Hat and Fedora packages (all
versions).

Comment 4 Nathaniel McCallum 2007-12-08 20:05:39 UTC
FYI, a slightly modified version of the patch was committed upstream:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2980

Comment 5 RHEL Program Management 2008-07-21 23:10:14 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 12 Michal Hlavinka 2009-04-24 10:21:57 UTC
Could you please provide more details on how to reproduce this?
We are getting
> failure: STARTTLS not supported by the server!
for the old version, but:
> ...
> C: STARTTLS
> S: 500 5.5.2 Syntax error
for the new one.

Thanks

Comment 13 Nathaniel McCallum 2009-04-24 16:13:41 UTC
It probably makes the most sense at this point to upgrade to the latest release (2.3.14) which should not have any regressions and which already contains this patch.

Comment 14 Michal Hlavinka 2009-04-27 07:50:55 UTC
(In reply to comment #13)
> It probably makes the most sense at this point to upgrade to the latest release
> (2.3.14) which should not have any regressions and which already contains this
> patch.  

Unfortunately, the update policy for RHEL is not that simple, and even for updates we need to test that every bug exists in the old version (test if we can reproduce it) and doesn't exist in the new (or patched) version.

Also, I've tested this with 2.3.13 and got the same result as in comment #12, so info about how to test this would still be appreciated.

Comment 15 Michal Hlavinka 2009-06-01 14:05:00 UTC
Bug removed from errata because we are missing a usable reproducer.

Comment 16 Michal Hlavinka 2009-07-17 06:07:31 UTC
Because there is no reproducer, it seems this bug is not as severe as it was originally set.

Comment 17 Michal Hlavinka 2009-08-04 08:48:57 UTC
needinfo for over three months, without requested information, this bug will be CLOSED:INSUFFICIENT_DATA after two weeks

Comment 18 Radek Vokál 2009-09-22 11:13:19 UTC
Closing based on comment #17
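
The "Steps to Reproduce" in the description and the STARTTLS exchange quoted in comment 12 both depend on what the server advertises in its LHLO reply. The following Python check is an added example, not part of the bug report or the attached patch: it parses an LHLO reply, flags a missing STARTTLS keyword, and includes a live probe built on `smtplib.LMTP`. The sample replies, the host name `mail.example.test` and the function names are constructed for illustration.

```python
import smtplib
import ssl

# Constructed LHLO replies for illustration (not captured from a real server).
SAMPLE_WITH_TLS = ("250-mail.example.test\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
                   "250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
SAMPLE_NO_TLS = ("250-mail.example.test\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
                 "250 AUTH PLAIN LOGIN\r\n")

def parse_lhlo(reply):
    """Turn a raw multi-line LHLO reply into {KEYWORD: [params]}."""
    caps = {}
    lines = [ln.rstrip("\r") for ln in reply.split("\n") if ln.strip()]
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        last = i == len(lines) - 1
        # Continuation lines use "250-", the final line uses "250 ".
        if code != "250" or sep != (" " if last else "-"):
            raise ValueError(f"not a well-formed 250 reply: {line!r}")
        if i == 0:
            continue  # first line is the server greeting, not a keyword
        words = text.split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps

def assess(caps):
    """Return findings about transport protection for a parsed LHLO reply."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised: LMTP session stays in cleartext")
        if {"PLAIN", "LOGIN"} & {m.upper() for m in caps.get("AUTH", [])}:
            findings.append("password mechanisms offered without TLS")
    return findings

def probe(host, port=smtplib.LMTP_PORT, context=None):
    """Live check against a server you operate; host may be a unix socket path."""
    with smtplib.LMTP(host, port, timeout=10) as conn:
        conn.ehlo()  # smtplib.LMTP sends LHLO for this call
        offered = conn.has_extn("starttls")
        if offered:
            conn.starttls(context=context or ssl.create_default_context())
            conn.ehlo()  # capabilities must be re-read after the TLS handshake
        return {"starttls_offered": offered, "features": dict(conn.esmtp_features)}

if __name__ == "__main__":
    for name, sample in (("with TLS", SAMPLE_WITH_TLS), ("no TLS", SAMPLE_NO_TLS)):
        print(name, assess(parse_lhlo(sample)) or "ok")
```

Running `probe()` before and after applying a fix, with lmtpd started both with and without `-a`, gives a before/after record of whether STARTTLS is offered.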