4 bugs, IMAP and SMTP STARTTLS, Dovecot capabilities
I've looked for and have not seen any similar issues reported related to
STARTTLS. Sourceforge wouldn't let me create an account or else I could
have submitted bug reports directly.
I'm using SquirrelMail 1.4.23 installed from latest FreeBSD Ports,
together with PHP 5.6. I'm attempting to connect using STARTTLS to
Dovecot 2.2.22 and Postfix 3.1.0.
I've verified the code is not fixed for any of these four issues in the
latest 1.5.2 SVN. Issue 2 is not as much of a problem in 1.5.2 as it is
in 1.4.23 when using 'login' authentication.
I connect to the IMAP and SMTP servers using their IP, but need to
override the 'peer_name' to validate the certificate properly. New in
PHP 5.6 is also that verify_peer defaults to TRUE, which means I need to
either be able to set the peer_name, or disable verify_peer.
I've found three issues in functions/imap_general.php, related to
STARTTLS and Dovecot IMAP server, as well as one STARTTLS issue in
class/deliver/Deliver_SMTP.class.php, class Deliver_SMTP, function
Stream options ($imap_stream_options) are not used with STARTTLS
($use_imap_tls = 2) in function sqimap_create_stream. The stream options
are only used for $use_imap_tls = 1.
How to fix:
Add something like this:
// set context options to allow for SSL option overrides
Before trying to initiate the TLS session here:
functions/imap_general.php :: function sqimap_create_stream
826: // start crypto on connection. suppress function errors.
IMAP capabilities are only read once in function sqimap_create_stream
(and subsequently used in sqimap_login to determine certain login
options), however the capability list for Dovecot is not the same before
and after STARTTLS.
From Dovecot, before STARTTLS (telnet <local-ip> 143):
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS LOGINDISABLED] Dovecot ready.
From Dovecot, after successful STARTTLS (openssl s_client -starttls
imap -connect <local-ip>:143):
<SSL session info>
. OK Pre-login capabilities listed, post-login capabilities have more.
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
a OK Pre-login capabilities listed, post-login capabilities have more.
How to fix:
Issue "capability" command after successful STARTTLS to re-read the
capabilities. Either as part of function sqimap_create_stream, or after
call to sqimap_create_stream and before login options are checked in
SquirrelMail 1.4.23 uses the return value with capabilities from
function sqimap_create_stream to determine if 'login' is a viable
option. Dovecot reports LOGINDISABLED prior to STARTTLS. (1.5.2 does not
have this check for 'login'.)
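An added example, in Python rather than SquirrelMail's PHP and not code from the project or this report, showing the two client-side points made above: verify the certificate against a hostname supplied separately from the IP used to connect (the peer_name override), and re-read CAPABILITY after STARTTLS instead of trusting the pre-TLS greeting, collecting untagged "*" lines ahead of the tagged status. The function names and the a1/a2 tags are mine; the capability lines are the Dovecot output quoted above.

```python
import re
import ssl

def read_tagged_response(readline, tag):
    """Read IMAP lines until the one tagged `tag`; return (untagged, status).
    Untagged '*' lines (e.g. CAPABILITY sent after login) are kept, not rejected."""
    untagged = []
    while True:
        line = readline().rstrip("\r\n")
        if line.startswith(tag + " "):
            return untagged, line[len(tag) + 1:]
        untagged.append(line)

def parse_capabilities(lines):
    """Capability set from '* CAPABILITY ...' or a '* OK [CAPABILITY ...]' greeting."""
    caps = set()
    for line in lines:
        m = re.search(r"CAPABILITY ([^\]]+)", line)
        if m:
            caps.update(m.group(1).split())
    return caps

def login_allowed(caps):
    return "LOGINDISABLED" not in caps

def starttls_and_refresh(sock, server_hostname):
    """Upgrade a plaintext IMAP socket with STARTTLS, verify the certificate
    against server_hostname (the peer_name override needed when connecting by
    IP), then re-read CAPABILITY. Needs a live server; not run by the test."""
    rd = sock.makefile("rb")   # safe: server sends nothing after OK until handshake
    rd.readline()              # greeting, which may advertise LOGINDISABLED
    sock.sendall(b"a1 STARTTLS\r\n")
    _, status = read_tagged_response(lambda: rd.readline().decode(), "a1")
    if not status.startswith("OK"):
        raise RuntimeError("STARTTLS refused: " + status)
    ctx = ssl.create_default_context()   # verification on, like verify_peer=TRUE
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
    tls.sendall(b"a2 CAPABILITY\r\n")
    trd = tls.makefile("rb")
    untagged, _ = read_tagged_response(lambda: trd.readline().decode(), "a2")
    return tls, parse_capabilities(untagged)

# Dovecot output quoted in the report: greeting before STARTTLS, CAPABILITY after.
GREETING = ["* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready."]
AFTER_TLS = ["* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE",
             "a OK Pre-login capabilities listed, post-login capabilities have more."]

def demo():
    # Returns (login allowed per greeting, login allowed after STARTTLS).
    before = parse_capabilities(GREETING)
    untagged, _ = read_tagged_response(iter(AFTER_TLS).__next__, "a")
    return login_allowed(before), login_allowed(parse_capabilities(untagged))
```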
Multi-line responses from the server to AUTHENTICATE PLAIN (and likely
CRAM-MD5/DIGEST-MD5, possibly even LOGIN) are not accepted.
The IMAP protocol allows the server to send untagged lines prefixed with
"*" before the tagged completion of a command, and Dovecot uses this to
report capabilities after successful login, but this is not handled by
SquirrelMail's sqimap_login