Bug 37187 - imapd allows cleartext password without encryption
imapd allows cleartext password without encryption
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Mail
Version: UCS 4.0
Hardware/OS: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3
Assigned To: Sönke Schwardt-Krummrich
Daniel Tröder
: interim-3
Depends on:
Blocks:
Reported: 2014-12-04 21:32 CET by Sönke Schwardt-Krummrich
Modified: 2018-03-14 14:37 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2014-12-04 21:32:29 CET
Currently the imapd allows authentication via cleartext passwords without encryption on the wire. This should be configurable and turned off by default.

root@master:~# grep allowplaintext /etc/imapd/imapd.conf 
allowplaintext: yes
root@master:~# 

---[man imapd.conf]---
allowplaintext: 0
    Allow the use of cleartext passwords on the wire.
----------------------
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2014-12-04 21:40:39 CET
From the man page:
If you only list plaintext authentication mechanisms in ``sasl_mech_list'' and set ``allowplaintext: no'', only users on encrypted sessions (TLS or SSL) will be able to authenticate.

sasl_mech_list is hardcoded to "PLAIN" via UCR template. It would be helpful if allowplaintext is configurable via UCR.
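Added example (not Univention's or Cyrus's code): a small audit of an imapd.conf applying the rule from the description and from the man page quote above, namely that a plaintext SASL mechanism is only acceptable when allowplaintext is off, which confines it to TLS/SSL sessions. Assumptions: the default for allowplaintext is off (the man page shows 0), sasl_mech_list is whitespace separated, Cyrus boolean spellings are yes/no, on/off, true/false, 1/0, and LOGIN is treated as a plaintext mechanism alongside PLAIN; the sample configurations are constructed.

```python
"""Audit a Cyrus imapd.conf for cleartext authentication on unencrypted sessions."""

# SASL mechanisms that transmit the password itself (assumption: PLAIN and LOGIN)
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_imapd_conf(text):
    """Parse imapd.conf lines of the form ``key: value``; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def is_on(value):
    """Boolean spellings assumed to be accepted by Cyrus for options like allowplaintext."""
    return value.strip().lower() in {"yes", "on", "true", "1"}


def cleartext_auth_exposed(text):
    """Return (exposed, reason); exposed means a plaintext mechanism may be used
    on a session without TLS/SSL, i.e. the password is readable on the wire."""
    conf = parse_imapd_conf(text)
    allow = is_on(conf.get("allowplaintext", "0"))  # assumed default: off
    mechs = {m.upper() for m in conf.get("sasl_mech_list", "").split()}
    plain = " ".join(sorted(mechs & PLAINTEXT_MECHS))
    if not plain:
        return False, "no plaintext SASL mechanism offered"
    if allow:
        return True, f"allowplaintext is on and {plain} offered: password readable on the wire"
    return False, f"{plain} only usable on TLS/SSL sessions (allowplaintext off)"


# Constructed sample configurations: the weak setting from the report and the corrected one
WEAK_CONF = "sasl_mech_list: PLAIN\nallowplaintext: yes\n"
FIXED_CONF = "sasl_mech_list: PLAIN\nallowplaintext: no  # PLAIN only after STARTTLS/SSL\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        exposed, why = cleartext_auth_exposed(conf)
        print(f"{name}: {'EXPOSED' if exposed else 'ok'} - {why}")
```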
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2016-10-17 13:39:44 CEST
Just to make it clear: only cyrus is affected; dovecot is not affected
Comment 3 Florian Best univentionstaff 2017-06-28 14:52:24 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Comment 4 Florian Best univentionstaff 2018-01-22 19:47:04 CET
@Daniel, Sönke:
This can be WONTFIX if we drop cyrus in UCS 4.3.
Comment 5 Daniel Tröder univentionstaff 2018-01-23 08:45:22 CET
(In reply to Florian Best from comment #4)
> @Daniel, Sönke:
> This can be WONTFIX if we drop cyrus in UCS 4.3.
Yes. I have added a TODO to Bug #46102, in case it is fixed.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2018-02-25 16:00:41 CET
Cyrus IMAP is no longer supported as of UCS 4.3-0 → WONTFIX
Comment 7 Daniel Tröder univentionstaff 2018-02-26 08:43:35 CET
ACK
Comment 8 Stefan Gohmann univentionstaff 2018-03-14 14:37:56 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".