Tobias
2016-Apr-03 10:13 UTC
Found 4 bugs in latest SquirrelMail related to IMAP and SMTP STARTTLS, Dovecot capabilities
This is a cross-post from the squirrelmail-devel list. It may be of interest if you want to run SquirrelMail and connect to Dovecot (and Postfix, possibly other servers) on a remote host using STARTTLS.

BR
Tobias

-------- Forwarded Message --------
Subject: [SM-DEVEL] 4 bugs, IMAP and SMTP STARTTLS, Dovecot capabilities
Date: Sun, 3 Apr 2016 04:27:56 +0200
From: Tobias <lists.zxinn at otaking.se>
Reply-To: Squirrelmail Developers Mailing List <squirrelmail-devel at lists.sourceforge.net>
To: squirrelmail-devel at lists.sourceforge.net

Hello!

I've looked for and have not seen any similar issues reported related to STARTTLS. Sourceforge wouldn't let me create an account, or else I could have submitted bug reports directly.

I'm using SquirrelMail 1.4.23 installed from latest FreeBSD Ports, together with PHP 5.6. I'm attempting to connect using STARTTLS to Dovecot 2.2.22 and Postfix 3.1.0. I've verified the code is not fixed for any of these four issues in the latest 1.5.2 SVN. Issue 2 is not as much of a problem in 1.5.2 as it is in 1.4.23 when using 'login' authentication.

I connect to the IMAP and SMTP servers using their IP, but need to override the 'peer_name' to validate the certificate properly. New in PHP 5.6 is also that verify_peer defaults to TRUE, which means I need to either be able to set the peer_name, or disable verify_peer.

I've found three issues in functions/imap_general.php, related to STARTTLS and the Dovecot IMAP server, as well as one STARTTLS issue in class/deliver/Deliver_SMTP.class.php, class Deliver_SMTP, function initStream.

Issue 1: Stream options ($imap_stream_options) are not used with STARTTLS ($use_imap_tls = 2) in function sqimap_create_stream. The stream options are only used for $use_imap_tls = 1.

How to fix: Add something like this:

    // set context options to allow for SSL option overrides
    @stream_context_set_option($imap_stream,$stream_options);

before trying to initiate the TLS session here:

    functions/imap_general.php :: function sqimap_create_stream
    826: // start crypto on connection. suppress function errors.
    827: if (@stream_socket_enable_crypto($imap_stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {

Issue 2: IMAP capabilities are only read once in function sqimap_create_stream (and subsequently used in sqimap_login to determine certain login options); however, the capability list for Dovecot is not the same before and after STARTTLS.

From Dovecot, before STARTTLS (telnet <local-ip> 143):

    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.

From Dovecot, after successful STARTTLS (openssl s_client -starttls imap -connect <local-ip>:143):

    <SSL session info>
    ---
    . OK Pre-login capabilities listed, post-login capabilities have more.
    a capability
    * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
    a OK Pre-login capabilities listed, post-login capabilities have more.

How to fix: Issue a "capability" command after successful STARTTLS to re-read the capabilities. Either as part of function sqimap_create_stream, or after the call to sqimap_create_stream and before login options are checked in function sqimap_login. SquirrelMail 1.4.23 uses the return value with capabilities from function sqimap_create_stream to determine if 'login' is a viable option. Dovecot reports LOGINDISABLED prior to STARTTLS. (1.5.2 does not have this check for 'login'.)

Issue 3: Multi-line responses from the server to AUTHENTICATE PLAIN (and likely cram/digest md5, possibly even login) are not accepted. The IMAP protocol allows the server to prefix responses which are incomplete with "*", and Dovecot uses this to report capabilities after successful login, but this is not handled by SquirrelMail's sqimap_login function.

SquirrelMail reports:

    Unknown error: IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SEARCH=FUZZY SPECIAL-USE QUOTA

The full output from Dovecot is:

    * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SEARCH=FUZZY SPECIAL-USE QUOTA
    A003 OK Logged in

How to fix: Check if '*' is the first token in a response, and read another line from the stream. Possibly something similar to this:

    while (substr($read,0,1) == '*') {
        // OK so far..
        $read = sqimap_fgets($imap_stream);
    }

Issue 4: Identical to issue 1 but for SMTP. $use_smtp_tls = 2 and STARTTLS in class/deliver/Deliver_SMTP.class.php, class Deliver_SMTP, function initStream, does not honor stream options.

BR
Tobias

-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel at lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
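The following is an added example, not SquirrelMail's code and not part of the post above: a minimal stand-alone IMAP STARTTLS client in plain PHP that applies the three IMAP fixes the post describes in one place. It attaches the SSL context options (peer_name, verify_peer) to the socket before the handshake so that a connection made by IP still validates the certificate against the intended name instead of disabling verification (issue 1), re-reads CAPABILITY after STARTTLS before choosing a login method (issue 2), and consumes untagged "*" lines while waiting for the tagged reply so Dovecot's post-login CAPABILITY line is not reported as an error (issue 3). The host IP, peer name, CA bundle path and credentials are placeholders; the stream functions used (stream_socket_client, stream_context_set_option, stream_socket_enable_crypto) are the PHP 5.6 stream API the post refers to.

```php
<?php
// Added example (not SquirrelMail code): minimal IMAP STARTTLS client applying
// the fixes for issues 1-3. Host, peer_name, CA path and credentials are placeholders.

$imapHost = '192.0.2.10';            // placeholder: the IP the socket connects to
$imapPort = 143;
$peerName = 'imap.example.test';     // placeholder: name the certificate is issued for
$user     = 'user@example.test';     // placeholder credentials
$pass     = 'secret';

// Issue 1: SSL context options must be attached to the socket before
// stream_socket_enable_crypto(). With PHP 5.6 verify_peer is on by default, so
// without peer_name the IP is checked against the certificate and the handshake fails.
$streamOptions = array('ssl' => array(
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'peer_name'        => $peerName,
    'cafile'           => '/usr/local/share/certs/ca-root-nss.crt', // placeholder CA bundle
));

// Reads one line without the trailing CRLF; false on EOF.
function imap_readline($stream) {
    $line = fgets($stream);
    return ($line === false) ? false : rtrim($line, "\r\n");
}

// Issue 3: send a tagged command and read until the tagged reply arrives.
// Untagged "*" lines (e.g. Dovecot's post-login CAPABILITY) are collected in
// $untagged instead of being mistaken for the server's verdict.
function imap_command($stream, $tag, $command, &$untagged) {
    $untagged = array();
    fwrite($stream, "$tag $command\r\n");
    while (($line = imap_readline($stream)) !== false) {
        if (substr($line, 0, 1) === '*') {
            $untagged[] = $line;          // OK so far, keep reading
            continue;
        }
        if (strpos($line, "$tag ") === 0) {
            return $line;                 // "tag OK/NO/BAD ..."
        }
        return false;                     // continuation request or unexpected line
    }
    return false;
}

// Capability tokens from "* CAPABILITY ..." or a greeting "* OK [CAPABILITY ...]".
function imap_capabilities(array $lines) {
    foreach ($lines as $line) {
        if (preg_match('/^\* CAPABILITY (.+)$/', $line, $m)
            || preg_match('/^\* OK \[CAPABILITY ([^\]]+)\]/', $line, $m)) {
            return explode(' ', $m[1]);
        }
    }
    return array();
}

$errno = 0; $errstr = '';
$stream = stream_socket_client("tcp://$imapHost:$imapPort", $errno, $errstr, 15);
if ($stream === false) {
    die("connect failed: $errstr ($errno)\n");
}

// The greeting carries the pre-STARTTLS list (STARTTLS, LOGINDISABLED, no AUTH=
// mechanisms). Choosing the login method from this list is exactly issue 2.
$preTls = imap_capabilities(array(imap_readline($stream)));
if (!in_array('STARTTLS', $preTls)) {
    die("server does not advertise STARTTLS\n");
}
$status = imap_command($stream, 'a001', 'STARTTLS', $ignored);
if ($status === false || strpos($status, 'a001 OK') !== 0) {
    die("STARTTLS refused: $status\n");
}

// Fix for issue 1: options go on the stream before crypto is started.
stream_context_set_option($stream, $streamOptions);
if (!stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
    die("TLS handshake failed (certificate or peer_name mismatch?)\n");
}

// Fix for issue 2: re-read CAPABILITY now that the session is encrypted.
imap_command($stream, 'a002', 'CAPABILITY', $capLines);
$postTls = imap_capabilities($capLines);

if (in_array('AUTH=PLAIN', $postTls) && in_array('SASL-IR', $postTls)) {
    // SASL-IR lets the initial response ride on the AUTHENTICATE line itself.
    $ir = base64_encode("\0$user\0$pass");
    $status = imap_command($stream, 'a003', "AUTHENTICATE PLAIN $ir", $postLogin);
} elseif (!in_array('LOGINDISABLED', $postTls)) {
    // Plain LOGIN is acceptable only inside the TLS session (no quoting of special chars here).
    $status = imap_command($stream, 'a003', 'LOGIN "' . $user . '" "' . $pass . '"', $postLogin);
} else {
    die("no usable authentication mechanism after STARTTLS\n");
}

// Issue 3 in action: $postLogin holds the untagged "* CAPABILITY ..." line Dovecot
// sends before "a003 OK Logged in", so $status is the real verdict.
if ($status === false || strpos($status, 'a003 OK') !== 0) {
    die("login failed: $status\n");
}
echo "logged in; post-login capabilities: " . implode(' ', imap_capabilities($postLogin)) . "\n";
imap_command($stream, 'a004', 'LOGOUT', $ignored);
fclose($stream);
```

The same ordering (set options, enable crypto, then re-read the server's capabilities) applies to the SMTP side from issue 4, where the post-STARTTLS EHLO response takes the place of the IMAP CAPABILITY re-read.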