4 bugs, IMAP and SMTP STARTTLS, Dovecot capabilities

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

4 bugs, IMAP and SMTP STARTTLS, Dovecot capabilities

Tobias
Hello!

I've looked for and have not seen any similar issues reported related to
STARTTLS. Sourceforge wouldn't let me create an account or else I could
have submitted bug reports directly.

I'm using SquirrelMail 1.4.23 installed from latest FreeBSD Ports,
together with PHP 5.6. I'm attempting to connect using STARTTLS to
Dovecot 2.2.22 and Postfix 3.1.0.

I've verified the code is not fixed for any of these four issues in the
latest 1.5.2 SVN. Issue 2 is not as much of a problem in 1.5.2 as it is
in 1.4.23 when using 'login' authentication.

I connect to the IMAP and SMTP servers using their IP, but need to
override the 'peer_name' to validate the certificate properly. New in
PHP 5.6 is also that verify_peer defaults to TRUE, which means I need to
either be able to set the peer_name, or disable verify_peer.

I've found three issues in functions/imap_general.php, related to
STARTTLS and Dovecot IMAP server, as well as one STARTTLS issue in
class/deliver/Deliver_SMTP.class.php, class class Deliver_SMTP, function
initStream.



Issue 1:
Stream options ($imap_stream_options) are not used with STARTTLS
($use_imap_tls = 2) in function sqimap_create_stream. The stream options
are only used for $use_imap_tls = 1.

How to fix:
Add something like this:
             // set context options to allow for SSL option overrides
@stream_context_set_option($imap_stream,$stream_options);

Before trying to initiate the TLS session here:
functions/imap_general.php :: function sqimap_create_stream
826:            // start crypto on connection. suppress function errors.
827:            if
(@stream_socket_enable_crypto($imap_stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT))
{



Issue 2:
IMAP capabilities are only read once in function sqimap_create_stream
(and subsequently used in sqimap_login to determine certain login
options), however the capability list for Dovecot is not the same before
and after STARTTLS.

 From Dovecot, before STARTTLS (telnet <local-ip> 143):
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS LOGINDISABLED] Dovecot ready.

 From Dovecot, after successful STARTTLS (openssl s_client -starttls
imap -connect <local-ip>:143):
<SSL session info>
---
. OK Pre-login capabilities listed, post-login capabilities have more.
a capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN
a OK Pre-login capabilities listed, post-login capabilities have more.

How to fix:
Issue "capability" command after successful STARTTLS to re-read the
capabilities. Either as part of function sqimap_create_stream, or after
call to sqimap_create_stream and before login options are checked in
function sqimap_login.

SquirrelMail 1.4.23 uses the return value with capabilities from
function sqimap_create_stream to determine if 'login' is a viable
option. Dovecot reports LOGINDISABLED prior to STARTTLS. (1.5.2 does not
have this check for 'login'.)



Issue 3:
Multi-line response from the server to the AUTHENTICATE PLAIN (and
likely cram/digest md5, possibly even login) are not accepted.

The IMAP protocol allows the server to prefix responses which are
incomplete with "*", and Dovecot uses this to report capabilities after
successful login, but this is not handled by SquirrelMail's sqimap_login
function.

SquirrelMail reports:
Unknown error: IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SEARCH=FUZZY SPECIAL-USE QUOTA

The full output from Dovecot is:
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SEARCH=FUZZY SPECIAL-USE
QUOTA
A003 OK Logged in

How to fix:
Check if '*' is the first token in a response, and read another line
from the stream.

Possibly something similar to this:
         while (substr($read,0,1) == '*') { // OK so far..
             $read = sqimap_fgets($imap_stream);
         }



Issue 4:
Identical to issue 1 but for SMTP. $use_smtp_tls = 2 and STARTTLS in
class/deliver/Deliver_SMTP.class.php, class class Deliver_SMTP, function
initStream, does not honor stream options.


BR
Tobias

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
Loading...