
Re: [suse-security] Re: IMAP and 8.2



Peter,

There are a number of solutions to the problem, but my point is that a
radical change was made to the IMAP package and it was inadequately
flagged in the documentation. I don't want to labour the point; I suspect
SuSE were simply caught out because the authors of the package made this
change without them realising it. This kind of thing happens with all
distributions and I think SuSE have a better record than most.

Incidentally your solution is specifically discouraged by the
package documentation which states:

**********************************************************************
*                    DANGER!  BEWARE!  TAKE CARE!                    *
**********************************************************************
*                                                                    *
*  These files, and this documentation, are for internal UW usage    *
* only.  This capability is for UW experimental tinkering, and most  *
* emphatically *not* for sorcerer's apprentices at other sites who   *
* feel that if a config file capability exists, they must write a    *
* config file whether or not there is any need for one.              *



Bob

 On Tue, 20 May 2003, Peter Hinterseer wrote:

> > David,
> >
> > stunnel does not work with the imap-2000 package supplied by SuSE 8.2.
> > You have to find an imapd implementation that supports plain text logins.
> >
> > The point of stunnel is to convert an insecure imap server into a secure
> > one. SuSE blew this apart by building imapd in such a way that it would
> > not support this.
> >
> > Bob
>
> Hi!
>
> This is not entirely true. SuSE's imap-2002 package released with 8.2 has to
> be enabled to accept plaintext passwords. This is easily done by creating a
> file '/etc/c-client.cf' with the following content:
>
> --
> I accept the risk
>
> set disable-plaintext 0
> --
>
> Without the '--' of course... ;-)
>
> Have fun,
>
> Peter
>
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>

==============================================================
Bob Vickers                     R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv
Phone:  +44 1784 443691

