Bug 87460 - Squirrelmail (or other non-tls compliant clients) cannot login to uw-imap-2002b-5 by default
Status: CLOSED CANTFIX
Product: Red Hat Raw Hide
Classification: Retired
Component: imap
Version: 1.0
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: John Dennis
QA Contact: David Lawrence
Reported: 2003-03-26 22:07 EST by Rick Johnson
Modified: 2007-04-18 12:52 EDT
Last Closed: 2006-10-18 15:28:13 EDT
Description Rick Johnson 2003-03-26 22:07:29 EST
Description of problem:
Latest RawHide imap-2002b-5 doesn't allow "LOGIN" authentication method by 
default. This breaks SquirrelMail (and other clients which rely on the
plaintext LOGIN method) since it relies on plaintext LOGIN method. SquirrelMail 
at present only supports using stunnel for IMAPS implementation.

Version-Release number of selected component (if applicable):
2002b-5

How reproducible:
Always

Steps to Reproduce:
1. Install SquirrelMail 1.2.10-4
2. Install imap-2002b-5
3. Login to imap server via SquirrelMail.
    

Actual Results:  Login rejected - SquirrelMail doesn't support STARTTLS or
alternate Plaintext Login methods

Expected Results:  Successful login.

Additional info:

Changing IMAP to use SSLTYPE=unix instead of SSLTYPE=unix.nopwd via spec fixes 
the issue (but breaks IESG security requirement of disabling plaintext w/o 
STARTTLS)

Either making this change permanent or modifying the SquirrelMail (and other IMAP)
packages to support an alternate plaintext Login method would be in order.
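
The behaviour in this report can be checked from the server's capability list before any password is sent. The following is an added example, not part of the original bug report or of uw-imap or SquirrelMail: it assumes the LOGINDISABLED and STARTTLS capability names defined in RFC 3501, and the two server lines are constructed samples, not captures from a real server.

```python
import re

# Constructed sample server lines (not captured from a real uw-imap server).
NOPWD_GREETING = "* OK [CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED] example.test ready"
PLAIN_CAPABILITY = "* CAPABILITY IMAP4rev1 AUTH=LOGIN AUTH=PLAIN"


def parse_capabilities(line):
    """Return the upper-cased capability atoms from an untagged CAPABILITY
    response or from a [CAPABILITY ...] response code in a greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
    if not m:
        m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I)
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def assess(line, client_supports_starttls):
    """Classify what happens to a client that only knows the LOGIN command
    (hypothetical helper; the verdict strings are this example's own)."""
    caps = parse_capabilities(line)
    login_disabled = "LOGINDISABLED" in caps
    starttls = "STARTTLS" in caps
    sasl = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    if not login_disabled:
        # Server accepts LOGIN on the unencrypted connection.
        verdict = "cleartext-login-accepted"
    elif starttls and client_supports_starttls:
        # Client must issue STARTTLS, re-read capabilities, then LOGIN.
        verdict = "starttls-then-login"
    else:
        # The situation reported here: LOGIN refused, no way to upgrade.
        verdict = "login-refused"
    return {"verdict": verdict, "starttls": starttls, "sasl": sasl}


if __name__ == "__main__":
    for line in (NOPWD_GREETING, PLAIN_CAPABILITY):
        for tls in (False, True):
            print(tls, assess(line, tls))
```
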
Comment 1 John Dennis 2003-03-27 09:45:53 EST
I'm looking for a clarification of what you would like. The no plain text
authentication behavior as you point out is required to meet security
requirements, it can also be easily changed via local configuration. Given this,
shouldn't the package ship with proper security behavior? If this conflicts with
local needs it can be easily overridden. Are you in disagreement? Are you in
favor of shipping a security compromised package that has to be locally
overridden to provide security? I'm pretty sure this would violate Red Hat's
security guidelines.

I think, but I'm open to hearing other opinions, that the right solution is to
either fix SquirrelMail or for local installations to override the secure
authentication after installing imap. Comments?
Comment 2 Rick Johnson 2003-03-27 11:13:02 EST
While I'm not too familiar with IMAP local configs, that seems like it would be
the better answer. 

Perhaps by default, the squirrelmail package could require users to add a
configuration to uw-imap which might allow plaintext LOGIN from localhost or
specific IPs only? I didn't see that as a current possibility within the
config, however.

I fully agree that the security model shouldn't be broken, as long as a viable
solution is provided for other packages that intend to be shipped with Red Hat. 
Comment 3 Rick Johnson 2003-04-03 17:46:14 EST
Looks like Squirrelmail 1.4.0, released today, along with PHP 4.3.0 will support
TLS authentication. Looks like this will be a new prerequisite to work with IMAP
2002b.
Comment 4 John Dennis 2003-04-03 17:54:42 EST
Yes, thank you. The new release does impinge upon this issue. FWIW, I'm still
considering the issues raised and contemplating if there is a workable solution
to make everyone happy.
Comment 5 Bill Nottingham 2006-08-07 21:38:36 EDT
'Red Hat Raw Hide' refers to the development tree for Red Hat Linux.
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues were not resolved in a more
timely manner. However, we do want to make sure that important 
don't slip through the cracks. If these issues are still present
in a current release, such as Fedora Core 5, please move these
bugs to that product and version. Note that any remaining Red Hat
Raw Hide bugs will be closed as 'CANTFIX' on September 30, 2006.
Thanks again for your help.
Comment 6 Bill Nottingham 2006-10-18 15:28:13 EDT
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Closing as CANTFIX.
