Mailinglist Archive: opensuse-security (320 mails)

< Previous Next >
Re: [suse-security] Re: IMAP and 8.2
  • From: Bob Vickers <bobv@xxxxxxxxxxxxx>
  • Date: Wed, 21 May 2003 10:57:59 +0100 (BST)
  • Message-id: <Pine.OSF.4.44.0305211047350.12223-100000@xxxxxxxxxxxxxxxxxxxxx>
Peter,

There are a number of solutions to the problem, but my point is that a
radical change was made to the IMAP package and it was inadequately
flagged in the documentation. I don't want to labour the point; I suspect
SuSE were simply caught out because the authors of the package made this
change without them realising it. This kind of thing happens with all
distributions and I think SuSE have a better record than most.

Incidentally your solution is specifically discouraged by the
package documentation which states:

**********************************************************************
* DANGER! BEWARE! TAKE CARE! *
**********************************************************************
* *
* These files, and this documentation, are for internal UW usage *
* only. This capability is for UW experimental tinkering, and most *
* emphatically *not* for sorcerer's apprentices at other sites who *
* feel that if a config file capability exists, they must write a *
* config file whether or not there is any need for one. *



Bob

On Tue, 20 May 2003, Peter Hinterseer wrote:

> > David,
> >
> > stunnel does not work with the imap-2000 package supplied by SuSE 8.2.
> > You have to find an imapd implentation that supports plain text logins.
> >
> > The point of stunnel is to convert an insecure imap server into a secure
> > one. SuSE blew this apart by building imapd in such a way that it would
> > not support this.
> >
> > Bob
>
> Hi!
>
> This is not entirely true. SuSE's imap-2002 package released with 8.2 has to
> be enabled to accept plaintext passwords. This is easily done by creating a
> file '/etc/c-client.cf' with the following content:
>
> --
> I accept the risk
>
> set disable-plaintext 0
> --
>
> WIthout the '--' of course... ;-)
>
> Have fun,
>
> Peter
>
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>

==============================================================
Bob Vickers R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691


< Previous Next >
References