Last night I reinstalled SuSE 8.2. I didn't add anything as far as security / authentication, in that I just picked what was there and did a minimal graphic installation. Then I installed pure-ftp and imap as xinetd run processes. I created a cram-md5.pwd file and set its access to 0400. This is the same as an existing imap server set-up I'm trying to replace.

When I attempt to make an imap connection I get refused. xinet does respond to the request and starts imapd. But imap responds in the logs with:

imapd: Login disabled user=tallison auth=tallison host=[192.168.1.103]

But I can login/authentication under pure-ftpd (in xinet) and sshd (daemon) without any problems. There really aren't that many options for configuring imap. Any suggestions on what to do at this point? I'm really at a loss.

No matter what I do, I always get stuck on getting something or other to authenticate under SuSE, even after repeated rebuilds. I'm being very careful to try not to affect any of the pam/authentication set up, but this one has me completely stumped. I'm really stuck....

On 11/02/2003 09:44 PM, Tom Allison wrote:
> When I attempt to make an imap connection I get refused.
> xinet does respond to the request and starts imapd. But imap responds in the logs with:
> imapd: Login disabled user=tallison auth=tallison host=[192.168.1.103]
> But I can login/authentication under pure-ftpd (in xinet) and sshd (daemon) without any problems.

Tom, the imap package was compiled for secure connections. Check the sdb, there is an article how to create a ssl certificate to be able to use a secure connection. Your other option is to rebuild the package to accept plaintext passwords, but I would recommend building the certificate and using an ssl connection. There will be some changing of xinetd as well, as it will be imaps, and your clients will connect at a different port (9xx instead of 143, can't remember the exact port right now).

HTH

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871
God said, I AM that I AM. I say, by the grace of God, I am what I am.

Joe Morris (NTM) wrote:
> On 11/02/2003 09:44 PM, Tom Allison wrote:
>> When I attempt to make an imap connection I get refused.
>> xinet does respond to the request and starts imapd. But imap responds in the logs with:
>> imapd: Login disabled user=tallison auth=tallison host=[192.168.1.103]
>> But I can login/authentication under pure-ftpd (in xinet) and sshd (daemon) without any problems.
>
> Tom, the imap package was compiled for secure connections. Check the sdb, there is an article how to create a ssl certificate to be able to use a secure connection. Your other option is to rebuild the package to accept plaintext passwords, but I would recommend building the certificate and using an ssl connection. There will be some changing of xinetd as well, as it will be imaps, and your clients will connect at a different port (9xx instead of 143, can't remember the exact port right now).
>
> HTH

Ok, thanks for the info.

I'm rather disgusted that SuSE doesn't include anything like this in their README.SuSE on this product. It seems somewhat important that they have used some very specific (and non-standard) build options for this software package.

I could use the standard (insecure) options as I'm using either a LAN only connection or a https squirrelmail connection. Between these two, I don't really have as much of an issue with security as one would normally expect. As for the security of my LAN, it consists of my notebook and my workstation, both of which are hardened linux installations in the first place.

Thanks again.

On 11/03/2003 01:18 AM, Tom Allison wrote:
> I'm rather disgusted that SuSE doesn't include anything like this in their README.SuSE on this product. It seems somewhat important that they have used some very specific (and non-standard) build options for this software package.

Actually, you will find when you change it to be able to use plaintext password that YOU are building the non standard version, not SuSE (you will have to explicitly answer this type of question in the build process). It may be fewer problems overall to make the ssl cert, but if you choose to rebuild the package be advised there was a patch for it after it was released, so get the src.rpm from the update directory and rebuild it.

> I could use the standard (insecure) options as I'm using either a LAN only connection or a https squirrelmail connection. Between these two, I don't really have as much of an issue with security as one would normally expect. As for the security of my LAN, it consists of my notebook and my workstation, both of which are hardened linux installations in the first place.

I understand, but this is not the standard anymore. It defaults to secure passwords or plaintext passwords only under ssl. Check the uw-imap site.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871
God said, I AM that I AM. I say, by the grace of God, I am what I am.

The Sunday 2003-11-02 at 12:18 -0500, Tom Allison wrote:
> When I attempt to make an imap connection I get refused.

> I'm rather disgusted that SuSE doesn't include anything like this in their README.SuSE on this product.

I have read about this somewhere, can't remember now; maybe just in this list.

> It seems somewhat important that they have used some very specific (and non-standard) build options for this software package.

> I could use the standard (insecure) options as I'm using either a LAN only connection or a https squirrelmail connection. Between these two,

Just a guess: it might be that you don't require a secure connection, or not always. I think that it requires a user/password challenge _not_ in clear text, and if that is not the case, then the connection has to be encrypted. This has been commented on the list previously, if I remember correctly.

Reading the imap-2002 FAQ, I see this:

  3.18 How do I disable plaintext passwords on unencrypted sessions, but allow them in SSL or TLS sessions?

  Do not set PASSWDTYPE=nul or SSLTYPE=unix. Set SSLTYPE=nopwd instead, e.g.

      make lnx SSLTYPE=nopwd

  When plaintext passwords are disabled, the IMAP server will advertise the LOGINDISABLED capability and the POP3 server will not advertise the USER capability.

Isn't that the message you get, "imapd: Login disabled"?

I understand this is a compile time choice; if that is so, then you are correct, they should have commented it on the readme.suse.

--
Cheers,
Carlos Robinson

participants (3)
- Carlos E. R.
- Joe Morris (NTM)
- Tom Allison