dovecot - Apr 2004 - problems with squirrelmail and TLS (debian unstable)

Heylas,

So, okay, I've had this lovely IMAP server running, and adore the ease
of configuration, among other things.  Problem, though.

I'm trying to set up SquirrelMail, so that some folks with accounts on
my box can use it without having to set up a proper imap client (or can
check mail when they're at a cafe, or like that).  However, I *won't*
turn off the disable_plaintext_auth, 'cause I'm damned if I'll set
up a
box that asks people to send passwords in the clear, and there *are*
people using imap.

Dovecot cannot, currently, be configured to permit plaintext on
localhost while requiring Something Better from the rest of the world. 
This becomes a problem with SquirrelMail, which can't cope with TLS.  It
just barfs.  Looking at bug reports in debian, this has already been
noticed, and the maintainer there (and the maintainers of SquirrelMail)
considers this a non-problem, 'cause, they say, you shouldn't be using
TLS with webmail.

Is there a way to set up, for instance, two instances of dovecot,
running on different ports, so that one listens to the external
interface and the other listens to localhost?  I don't much like the
idea, but how would I go about doing this?  Two copies of dovecot.conf
and a command-line switch?

Amy!
-- 
Amelia A. Lewis                    amyzing {at} talsever.com
Yankees are compelled by some mysterious force to imitate Southern 
accents and they're so damn dumb they don't know the difference beween
a Tennessee drawl and a Charleston clip.
                -- Rita Mae Brown, "Rubyfruit Jungle"

Le Fri, 23 Apr 2004 19:07:13 -0400
Amelia A Lewis a ecrit :
[...]
> Dovecot cannot, currently, be configured to permit plaintext on
> localhost while requiring Something Better from the rest of the world. 
> This becomes a problem with SquirrelMail, which can't cope with TLS. 
It
> just barfs.  Looking at bug reports in debian, this has already been
> noticed, and the maintainer there (and the maintainers of SquirrelMail)
> considers this a non-problem, 'cause, they say, you shouldn't be
using
> TLS with webmail.
> 
> Is there a way to set up, for instance, two instances of dovecot,
> running on different ports, so that one listens to the external
> interface and the other listens to localhost?  I don't much like the
> idea, but how would I go about doing this?  Two copies of dovecot.conf
> and a command-line switch?
SquirrelMail works perfectly fine with Dovecot and TLS.  I use it in
production for the company I work in.

However, it is true that I had to debug a very big issue with PHP and the
way it is compiled.  I'm using NetBSD and pkgsrc, but I guess it might be
the same with the Debian packages.

If PHP has not OpenSSL compiled in, it will not be able to initiate TLS
connections.  The openssl PHP module only contains crypto functions, and
won't bring in support for TLS.  You have to compile it in the php binary
and/or the Apache PHP module.

Thus I committed (no later than a few days ago) a change to our php
packages to allow support for OpenSSL compiled in, and that works.

What make the issue really bad is the way PHP handles this:  creating the
socket won't fail.  If OpenSSL support is not compiled in, the TLS option
SquirrelMail passes along while creating the socket is ignored.  Thus
SquirrelMail gets a "normal" socket, and you can see it in Ethereal
and
the like:  SquirrelMail send in clear text 'AUTH ...' while Dovecot of
course expects some TLS data, and then it gets stuck for a while.

Hope that helps.  And you can even use pkgsrc on your Linux distribution
to get the full suite, it's already Dovecot/SquirrelMail/TLS-ready :)
[http://www.pkgsrc.org]

-- 
Quentin Garnier - cube at cubidou.net - cube at NetBSD.org
"Feels like I'm fiddling while Rome is burning down.
Should I lay my fiddle down and take a rifle from the ground ?"
Leigh Nash/Sixpence None The Richer, Paralyzed, Divine Discontents, 2002.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 478 bytes
Desc: not available
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20040424/725b8348/attachment-0001.bin>

I should follow up, having complained in public ...

On Sat, 24 Apr 2004 06:56:42 +0200
Quentin Garnier <cube at cubidou.net> wrote:
> Le Fri, 23 Apr 2004 19:07:13 -0400
> Amelia A Lewis a ecrit :
> [...]
> > Dovecot cannot, currently, be configured to permit plaintext on
> > localhost while requiring Something Better from the rest of the world.
> > 
> > This becomes a problem with SquirrelMail, which can't cope with
TLS.
> > It just barfs.  Looking at bug reports in debian, this has already
> 
> SquirrelMail works perfectly fine with Dovecot and TLS.  I use it in
> production for the company I work in.
> 
> However, it is true that I had to debug a very big issue with PHP and
> the way it is compiled.  I'm using NetBSD and pkgsrc, but I guess it
> might be the same with the Debian packages.
[snip]

It's interesting that there are different issues.

My debian installation had a bug in functions/imap_general.php that
discarded the server name if tls was used (the server name became
"tls://", only, instead of prepending that to the server name).  Once
I
fixed that (now reported to debian maintainer, so should show fixed soon
there), I still had problems, because I assumed that squirrelmail could do
STARTTLS.  It doesn't, apparently (I could be wrong again, though). 
Switching it to port 993 in config made everything lovely.  Debian's php
(libapache2-mod-php4, in my case, a recent addition to packages that
actually permits php4 with apache2) appears to be compiled with the proper
support.

So, all serene.  *laugh*  On the other hand, I *would* still like to be
able to run without TLS on localhost (a localhost exception to
disable_plaintext_auth), because it's fairly pointless to require the
processor to do all the extra work of encryption and decryption in that
situation.  Feature request, please, Timo?

Amy!
-- 
Amelia A. Lewis                    amyzing {at} talsever.com
The flesh is strong.  The spirit stronger.  So shed your skin, baby.
Let it through.  Come on over.
                -- Amy Ray