[suse-security] Plaintext passwords IMAP please!

I've been struggling with this for hours on end!

All I want to do is run an IMAP server to allow my Windows clients to access
their unix email with Outlook Express.  I tried the imap package but that
has been modified now so that no POP3 or IMAP login is allowed with a
plaintext password unless using SSL encrypted sessions.

I do not want to get into the complexity of installing SSL, all boxes are
behind a completely secure firewall and use CVS pserver, etc. anyway so the
"security" gained by encrypting either session or passwords is completely

The imapd daemon wouldn't accept encrypted passwords even when I switched
the option on in my test Outlook Express mail client so I can't win either

I tried to recompile imapd from source since the change to not allow
plaintext passwords except in a TLS session is actually compiled into the
server (very bad form, should be a config file option, probably with this
setting as default).  The source package is broken and won't compile.

I tried installing the fiendishly complex cyrus-imapd but that doesn't work
either, complaining about a "cannot connect to saslauthd server".  Tried
changing the sasl_pwcheck_method to "pwcheck" to see if that helped.  Daemon
won't start now, complaining of db errors.

I've set up qpopper to act as a POP3 client so I can now at least pick up my
mail inbox from /var/spool/mail/<username> but that means I can't access
other folders so (i) if users read mail on UNIX clients the mail goes into
mbox and is inaccessible from Windows henceforth and more importantly (ii)
users cannot use .procmailrc to sort mail into files like "spam",
"suse-security-mailing-list", "cvs-logs" as these are now only accessible
via unix and not Windows where people do most of their daily work.

Really it's such a simple thing I want to do!

Can anyone help?
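
An added example (not part of the original post, and not code from the imap package): a small Python check that reads an IMAP greeting or CAPABILITY response and reports whether the server accepts a plaintext LOGIN before TLS, the behaviour described in the post. The sample responses and host name are constructed, and it assumes the server signals the restriction with the standard LOGINDISABLED capability (RFC 2595).

```python
import re

# Constructed sample server lines (not captured from the poster's machine).
GREETING = ("* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS "
            "STARTTLS LOGINDISABLED] mail.example.test IMAP4rev1 ready")
AFTER_STARTTLS = ("* CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                  "AUTH=PLAIN AUTH=LOGIN")

# Capabilities appear either inside the greeting's response code or in an
# untagged CAPABILITY response.
_CAP_RE = re.compile(r"^\* (?:OK \[CAPABILITY ([^\]]*)\]|CAPABILITY (.*))", re.I)


def parse_capabilities(line):
    """Return the set of upper-cased capability atoms found in one server line."""
    m = _CAP_RE.match(line.strip())
    if not m:
        return set()
    return {atom.upper() for atom in (m.group(1) or m.group(2) or "").split()}


def login_policy(caps, tls_active):
    """Summarise which password-bearing logins the server accepts right now."""
    sasl = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    plaintext_ok = "LOGINDISABLED" not in caps
    return {
        "plaintext_login_allowed": plaintext_ok,
        "starttls_offered": "STARTTLS" in caps,
        "sasl_mechanisms": sasl,
        # True only when LOGIN would send the password over a clear channel.
        "password_exposed_on_wire": plaintext_ok and not tls_active,
        # Mechanisms that prove knowledge of the password without sending it.
        "challenge_response": [m for m in sasl
                               if m in ("CRAM-MD5", "DIGEST-MD5")
                               or m.startswith("SCRAM-")],
    }


if __name__ == "__main__":
    for label, line, tls in (("before STARTTLS", GREETING, False),
                             ("after STARTTLS", AFTER_STARTTLS, True)):
        print(label, login_policy(parse_capabilities(line), tls))
```

A client option for encrypted passwords can only succeed if the mechanism it uses appears in `sasl_mechanisms`; an empty list before STARTTLS means the server offers no password login at all on the clear channel.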

