Red Hat Bugzilla – Bug 87460
Squirrelmail (or other non-tls compliant clients) cannot login to uw-imap-2002b-5 by default
Last modified: 2007-04-18 12:52:29 EDT
Description of problem: Latest RawHide imap-2002b-5 doesn't allow "LOGIN" authentication method by default. This breaks SquirrleMail (and other clients which rely on the plaintext LOGIN method) since it relies on plaintext LOGIN method. SquirrelMail at present only supports using stunnel for IMAPS implementation. Version-Release number of selected component (if applicable): 2002b-5 How reproducible: Always Steps to Reproduce: 1. Install Squirrlemail 1.2.10-4 2. Install imap-2002b-5 3. Login to imap server via Squirrlemail. Actual Results: Login rejected - Squirrlemail doesn't support STARTTLS or alternate Plaintext Login methods Expected Results: Successful login. Additional info: Changing IMAP to use SSLTYPE=unix instead of SSLTYPE=unix.nopwd via spec fixes the issue (but breaks IESG security requirement of disabling plaintext w/o STARTTLS) Either making this change permenant or modify the Squirrlemail (and other IMAP) packages to support an alternate plaintext Login method would be in order.
I'm looking for a clarification of what you would like. The no plain text authentication behavior as you point out is required to meet security requirements, it can also be easily changed via local configuration. Given this, shouldn't the package ship with proper security behavior? If this conflicts with local needs it can be easily overriden. Are you in disagreement? Are you in favor of shipping a security compromised package that has to be locally overriden to provide security? I'm pretty sure this would violate Red Hat's security guidelines. I think, but I'm open to hearing other opinions, that the right solution is to either fix squirrlemail or for local installations to override the secure authenication after installing imap. Comments?
While I'm not too framiliar with IMAP local configs, that seems like it would be the better answer. Perhaps by default, the squirrelmail package could require users to add a configuration to uw-imap which might allow plaintest LOGIN from localhost or specific IP's only? I didn't see that as a current possibility within the config, however. I fully agree that the security model shouldn't be broken, as long as a viable solution is provided for other packages that intend to be shipped with Red Hat.
Looks like Squirrelmail 1.4.0, released today, along with PHP 4.3.0 will support TLS authentication. Looks like this will be a new prerequisite to work with IMAP 2002b.
Yes, thank you. The new release does impinge upon this issue. FWIW, I'm still considering the issues raised and contemplating if there is a workable solution to make everyone happy.
'Red Hat Raw Hide' refers to the development tree for Red Hat Linux. Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Red Hat apologizes that these issues were not resolved in a more timely manner. However, we do want to make sure that important don't slip through the cracks. If these issues are still present in a current release, such as Fedora Core 5, please move these bugs to that product and version. Note that any remaining Red Hat Raw Hide bugs will be closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Closing as CANTFIX.