[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Plaintext passwords IMAP please!

On Wednesday 14 January 2004 16:15, Carl Peto wrote:
> I've been struggling with this for hours on end!
> All I want to do is run an IMAP server to allow my Windows clients to
> access their unix email with Outlook Express.  I tried the imap package but
> that has been modified now so that no POP3 or IMAP login is allowed with a
> plaintext password unless using SSL encrypted sessions.

I have had the exact same problem.  I DO use SSL, but the change in the imap 
server package breaks squirrelmail.  I also am not amused by SuSE's decision 
to change the behaviour and by not having a way to turn this off again.
However, I made a workaround by force-installing the imap version of SuSE 8.1 
over the changed one which is running on SuSE 8.2.  So now everytime I forget 
to UNselect imapd in online update my system breaks again. Very nice.

I too would want a better solution. And I fully concur with you on the subject 
of Cyrus-imapd. Cyrus seemingly serves one single purpose, to drive sysadmins 
utterly crazy. ;-|    I gave up early when I saw the list of prerequisites... 

> I do not want to get into the complexity of installing SSL, all boxes are
> behind a completely secure firewall and use CVS pserver, etc. anyway so the
> "security" gained by encrypting either session or passwords is completely
> illusory.
> The imapd daemon wouldn't accept encrypted passwords even when I switched
> the option on in my test Outlook Express mail client so I can't win either
> way.

Installing an SSL certificate so that imapd speaks SSL too is quite simple, if 
you need help I can look it up for you... it is not more than 5 minutes work, 
however teaching all the clients that they should trust a self-signed cert 
sure isn't, so this may not be a viable option for you anyway.

> I tried to recompile imapd from source since the change to not allow
> plaintext passwords except in a TLS session is actually compiled into the
> server (very bad form, should be a config file option, probably with this
> setting as default).  The source package is broken and won't compile.
> I tried installing the fiendishly complex cyrus-imapd but that doesn't work
> either, complaining about a "cannot connect to saslauthd server".  Tried
> changing the sasl_pwcheck_method to "pwcheck" to see if that helped. 
> Daemon won't start now complaining of db errors.
> I've set up qpopper to act as a pop3 client so I can now at least pick up
> my mail inbox from /var/spool/mail/<username> but that means I can't access
> other folders so (i) if users read mail on UNIX clients the mail goes into
> mbox and is inaccessible from Windows henceforth and more importantly (ii)
> users cannot use .procmailrc to sort mail into files like "spam",
> "suse-security-mailing-list", "cvs-logs" as these are now only accessible
> via unix and not Windows where people do most of their daily work.
> Really it's such a simple thing I want to do!
> Can anyone help?

I am certainly willing to contribute but for now I'm stuck with the same 
problem as you are...


> Thanks,
> Carl

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here