Bug 250189 - [patch] Broken LMTP encryption and certificate auth/pre-auth
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-imapd
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Michal Hlavinka
QA Contact: Brian Brock

Reported: 2007-07-30 18:25 EDT by Nathaniel McCallum
Modified: 2009-09-22 07:13 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-22 07:13:19 EDT

Attachments
Patch to fix TLS and Authentication for LMTP (1.02 KB, patch)
2007-07-30 18:25 EDT, Nathaniel McCallum
Description Nathaniel McCallum 2007-07-30 18:25:37 EDT
Description of problem:
If one does not use the password-based authentication for LMTP (either cert or
pre-auth), TLS is forcibly disabled.  Additionally, there is also a bug where
certificate authentication doesn't actually work (fails even with correct certs).


Version-Release number of selected component (if applicable):
all


Steps to Reproduce:
1. edit /etc/cyrus.conf and launch lmtpd with the '-a' option
2. try to connect to lmtp with TLS enabled

... or ...

1. edit /etc/imapd.conf and enable tls_lmtp_require_cert.
2. try to connect to lmtp using certificate auth
  
Actual results:
Either encryption, authentication or both don't work.

Expected results:
Authentication and encryption should work.

Additional info:
Patch fixing the problem is attached.  It has been tested and is deployed on a
large mail server here.
Comment 1 Nathaniel McCallum 2007-07-30 18:25:37 EDT
Created attachment 160279 [details]
Patch to fix TLS and Authentication for LMTP
Comment 2 RHEL Product and Program Management 2007-12-03 15:44:58 EST
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.
Comment 3 Nathaniel McCallum 2007-12-06 11:01:13 EST
BTW, as far as I know, this bug exists in all Red Hat and Fedora packages (all
versions).
Comment 4 Nathaniel McCallum 2007-12-08 15:05:39 EST
FYI, a slightly modified version of the patch was committed upstream:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2980
Comment 5 RHEL Product and Program Management 2008-07-21 19:10:14 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 12 Michal Hlavinka 2009-04-24 06:21:57 EDT
Could you please provide more details on how to reproduce this?
We are getting
> failure: STARTTLS not supported by the server!
for the old version, but:
> ...
> C: STARTTLS
> S: 500 5.5.2 Syntax error
for the new one.

Thanks
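
For triaging captured LMTP sessions like the one quoted in comment 12, the following is an added example (not part of this bug report or of cyrus-imapd) that parses a `C: ` / `S: ` transcript, collects the extensions offered in the LHLO reply, and reports how STARTTLS was handled. The function names, result labels and the sample session are assumptions made for illustration; only the final two transcript lines come from the comment.

```python
import re

# One reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_transcript(text):
    """Return (command, code, reply_lines) per exchange; the greeting has command None."""
    exchanges, command, lines = [], None, []
    for raw in text.strip().splitlines():
        side, _, body = raw.strip().partition(": ")
        if side == "C":
            command, lines = body.strip(), []
        elif side == "S" and (m := REPLY.match(body)):
            lines.append(m.group(3).strip())
            if m.group(2) == " ":          # final line of a multi-line reply
                exchanges.append((command, int(m.group(1)), lines))
                lines = []
    return exchanges

def starttls_status(text):
    """Classify what a captured session shows about STARTTLS."""
    advertised, result = False, None
    for command, code, lines in parse_transcript(text):
        verb = (command or "").split(" ")[0].upper()
        if verb == "LHLO" and code == 250:
            # First reply line names the server; the rest are extension keywords.
            advertised = any(l.split()[0].upper() == "STARTTLS" for l in lines[1:] if l)
        elif verb == "STARTTLS":
            result = code
    if result == 220:
        return "tls-negotiation-started"
    if result is not None:
        return "starttls-rejected-%d%s" % (result, "" if advertised else "-not-advertised")
    return "starttls-advertised" if advertised else "starttls-not-advertised"

# Constructed sample session; only the last two lines are taken from comment 12.
SAMPLE = """
S: 220 mail.example.test LMTP ready
C: LHLO client.example.test
S: 250-mail.example.test
S: 250-8BITMIME
S: 250 PIPELINING
C: STARTTLS
S: 500 5.5.2 Syntax error
"""

if __name__ == "__main__":
    print(starttls_status(SAMPLE))
```

A result ending in `-not-advertised` means the listener never offered STARTTLS in its LHLO reply, so the rejection says nothing yet about certificate handling.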
Comment 13 Nathaniel McCallum 2009-04-24 12:13:41 EDT
It probably makes the most sense at this point to upgrade to the latest release (2.3.14) which should not have any regressions and which already contains this patch.
Comment 14 Michal Hlavinka 2009-04-27 03:50:55 EDT
(In reply to comment #13)
> It probably makes the most sense at this point to upgrade to the latest release
> (2.3.14) which should not have any regressions and which already contains this
> patch.  

Unfortunately, the update policy for RHEL is not that simple, and even for updates we need to test that every bug exists in the old version (test if we can reproduce it) and doesn't exist in the new (or patched) version.

Also, I've tested this with 2.3.13 and got the same result as in comment #12, so info about how to test this will still be appreciated.
Comment 15 Michal Hlavinka 2009-06-01 10:05:00 EDT
Bug removed from errata because we are missing a usable reproducer.
Comment 16 Michal Hlavinka 2009-07-17 02:07:31 EDT
Because there is no reproducer, it seems this bug is not as severe as it was originally set.
Comment 17 Michal Hlavinka 2009-08-04 04:48:57 EDT
Needinfo for over three months; without the requested information, this bug will be CLOSED:INSUFFICIENT_DATA after two weeks.
Comment 18 Radek Vokal 2009-09-22 07:13:19 EDT
Closing based on comment #17
