Univention Bugzilla – Full Text Bug Listing
| Summary: | UCR configuration to disallow plain text passwords over non-TLS connections | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Jan Christoph Ebersbach <ebersbach> |
| Component: | Mail - Dovecot | Assignee: | Daniel Tröder <troeder> |
| Status: | CLOSED FIXED | QA Contact: | Sönke Schwardt-Krummrich <schwardt> |
| Severity: | normal | | |
| Priority: | P5 | CC: | najjar, schwardt, walkenhorst |
| Version: | UNSTABLE | | |
| Target Milestone: | UCS 4.0-x | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 34839, 38803 | | |
Description
Jan Christoph Ebersbach
2015-05-10 09:17:36 CEST
Comment #1 (Daniel Tröder)

A boolean UCRV mail/cyrus/imap/allowplaintext was added with the default "yes" (to preserve current behaviour).

Commit: 61214
Package: component/dovecot/univention-mail-cyrus
YAML: component/dovecot/doc/2015-06-12-univention-mail-cyrus.yaml

Comment #2

r61658 fixes the UCRV description.

Comment #3

(In reply to Daniel Tröder from comment #1)
> A boolean UCRV mail/cyrus/imap/allowplaintext was added with the default
> "yes" (to preserve current behaviour).

I think we should switch to the more secure variant "no" and describe in one sentence in the YAML file how to get back to the old behaviour: "To restore the old behaviour set the UCR variable mail/cyrus/imap/allowplaintext to 'yes'."
→ REOPEN

> Commit: 61214
> Package: component/dovecot/univention-mail-cyrus
> YAML: component/dovecot/doc/2015-06-12-univention-mail-cyrus.yaml

Memo: the YAML file is only a draft (not final scope, build version, ...).
→ version should be "[2]"

→ functional test was successful → see log below → OK

DOVECOT:

    root@slave22b:~# ucr search dovecot.*allow
    mail/dovecot/auth/allowplaintext: <empty>

    sschwardt@dave:~$ telnet 10.200.18.22 143
    Trying 10.200.18.22...
    Connected to 10.200.18.22.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
    ^]
    telnet> QUIT
    Connection closed.

    sschwardt@dave:~$ telnet 10.200.18.22 110
    Trying 10.200.18.22...
    Connected to 10.200.18.22.
    Escape character is '^]'.
    +OK Dovecot ready.
    USER mail5@nstx.local
    -ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
    QUIT
    +OK Logging out
    Connection closed by foreign host.

    sschwardt@dave:~$ telnet 10.200.18.22 4190
    Trying 10.200.18.22...
    Connected to 10.200.18.22.
    Escape character is '^]'.
    "IMPLEMENTATION" "Dovecot Pigeonhole"
    "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave imapflags notify"
    "NOTIFY" "mailto"
    "SASL" ""
    "STARTTLS"
    "VERSION" "1.0"
    OK "Dovecot ready."

    root@slave22b:~# ucr set mail/dovecot/auth/allowplaintext=yes
    Create mail/dovecot/auth/allowplaintext
    File: /etc/dovecot/conf.d/10-auth.conf
    File: /usr/sbin/univention-sa-learn
    Multifile: /etc/postfix/ldap.sharedfolderlocal
    root@slave22b:~# invoke-rc.d dovecot reload
    Reloading IMAP/POP3 mail server: dovecot.

    sschwardt@dave:~$ telnet 10.200.18.22 143
    Trying 10.200.18.22...
    Connected to 10.200.18.22.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
    ^]
    telnet> QUIT
    Connection closed.

    sschwardt@dave:~$ telnet 10.200.18.22 110
    Trying 10.200.18.22...
    Connected to 10.200.18.22.
    Escape character is '^]'.
    +OK Dovecot ready.
    USER mail5@nstx.local
    +OK
    PASS univention
    +OK Logged in.
    QUIT
    +OK Logging out.
    Connection closed by foreign host.

    sschwardt@dave:~$ telnet 10.200.18.22 4190
    Trying 10.200.18.22...
    Connected to 10.200.18.22.
    Escape character is '^]'.
    "IMPLEMENTATION" "Dovecot Pigeonhole"
    "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave imapflags notify"
    "NOTIFY" "mailto"
    "SASL" "PLAIN LOGIN"
    "STARTTLS"
    "VERSION" "1.0"
    OK "Dovecot ready."

CYRUS:

    sschwardt@dave:~$ telnet 10.200.18.40 143
    Trying 10.200.18.40...
    Connected to 10.200.18.40.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN SASL-IR] master40 Cyrus IMAP v2.4.16-Debian-2.4.16-4.32.201410011447 server ready
    a01 login mail5@nstx.local univention
    a01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE IDLE] User logged in SESSIONID=<cyrus-19828-1417022520-1>

    sschwardt@dave:~$ telnet 10.200.18.40 110
    Trying 10.200.18.40...
    Connected to 10.200.18.40.
    Escape character is '^]'.
    +OK master40 Cyrus POP3 v2.4.16-Debian-2.4.16-4.32.201410011447 server ready <13682781212978981873.1417022468@master40>
    USER mail5@nstx.local
    +OK Name is a valid mailbox
    PASS univention
    +OK Mailbox locked and ready SESSIONID=<cyrus-19709-1417022468-1>

    sschwardt@dave:~$ telnet 10.200.18.40 4190
    Trying 10.200.18.40...
    Connected to 10.200.18.40.
    Escape character is '^]'.
    "IMPLEMENTATION" "Cyrus timsieved v2.4.16-Debian-2.4.16-4.32.201410011447"
    "SASL" "PLAIN"
    "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
    "STARTTLS"
    "UNAUTHENTICATE"
    OK

    root@master40:~# ucr set mail/cyrus/auth/allowplaintext=no
    Create mail/cyrus/auth/allowplaintext
    File: /etc/imapd/imapd.conf
    Module: ox-config
    root@master40:~# invoke-rc.d cyrus-imapd restart
    Restarting Cyrus IMAPd: cyrmaster.

    sschwardt@dave:~$ telnet 10.200.18.40 143
    Trying 10.200.18.40...
    Connected to 10.200.18.40.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] master40 Cyrus IMAP v2.4.16-Debian-2.4.16-4.32.201410011447 server ready
    a01 login mail5@nstx.local univention
    a01 NO Login only available under a layer

    sschwardt@dave:~$ telnet 10.200.18.40 110
    Trying 10.200.18.40...
    Connected to 10.200.18.40.
    Escape character is '^]'.
    +OK master40 Cyrus POP3 v2.4.16-Debian-2.4.16-4.32.201410011447 server ready <6832993858002959923.1417022823@master40>
    USER mail5@nstx.local
    -ERR [AUTH] USER command only available under a layer

    sschwardt@dave:~$ telnet 10.200.18.40 4190
    Trying 10.200.18.40...
    Connected to 10.200.18.40.
    Escape character is '^]'.
    "IMPLEMENTATION" "Cyrus timsieved v2.4.16-Debian-2.4.16-4.32.201410011447"
    "SASL" ""
    "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
    "STARTTLS"
    "UNAUTHENTICATE"
    OK
    AUTHENTICATE "PLAIN" "AG1haWw1QG5zdHgubG9jYWwAdW5pdmVudGlvbg=="
    NO "Authentication Error"
    QUIT
    Connection closed by foreign host.

Comment #4 (Daniel Tröder)

* Default setting of mail/cyrus/imap/allowplaintext changed to false in commit 61836. A warning message is printed only once for an update.
* YAML version fixed in r61837.

Comment #5

(In reply to Daniel Tröder from comment #4)
> * Default setting of mail/cyrus/imap/allowplaintext changed to false in
> commit 61836. A warning message is printed only once for an update.
> * YAML version fixed in r61837.

OK → VERIFIED
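The QA log above establishes by hand whether each service still accepts a cleartext password before STARTTLS: for IMAP the greeting must advertise LOGINDISABLED and no AUTH=PLAIN/AUTH=LOGIN, for ManageSieve the "SASL" line must be empty. The following script is an added example, not code from the bug report or from UCS. It parses the greetings the way a reviewer would read them and applies exactly those rules; the sample greetings are copied from the log as constructed offline input, and the live check (`read_greeting`) is pointed at whatever host you pass on the command line (a placeholder; no host is assumed).

```python
"""Check whether mail services still offer plaintext authentication before STARTTLS.

Added example, not code from the bug report or from UCS.  The parsing functions
are exercised on greetings taken from the QA log (constructed offline input);
read_greeting() performs the same check against a live host you name.
"""
import re
import socket
import sys
from typing import List

# Greetings as seen in the QA log (constructed input for the offline checks).
IMAP_DOVECOT_SECURE = ('* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID '
                       'ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.')
IMAP_DOVECOT_PLAIN = ('* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID '
                      'ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.')
# Cyrus with allowplaintext on: advertises AUTH=PLAIN and leaves LOGIN enabled.
IMAP_CYRUS_PLAIN = ('* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN '
                    'SASL-IR] master40 Cyrus IMAP v2.4.16 server ready')
SIEVE_SECURE = ['"IMPLEMENTATION" "Dovecot Pigeonhole"', '"SASL" ""', '"STARTTLS"',
                '"VERSION" "1.0"', 'OK "Dovecot ready."']
SIEVE_PLAIN = ['"IMPLEMENTATION" "Dovecot Pigeonhole"', '"SASL" "PLAIN LOGIN"',
               '"STARTTLS"', '"VERSION" "1.0"', 'OK "Dovecot ready."']


def imap_capabilities(greeting: str) -> List[str]:
    """Extract the tokens of the CAPABILITY response code from an IMAP greeting."""
    match = re.search(r'\[CAPABILITY ([^\]]*)\]', greeting)
    if not match:
        raise ValueError('no CAPABILITY response code in greeting: %r' % greeting)
    return match.group(1).split()


def imap_plaintext_exposed(caps: List[str]) -> bool:
    """True when a client could send a password in the clear on this connection.

    Credentials leak on two paths: a cleartext SASL mechanism (PLAIN/LOGIN) is
    advertised, or the IMAP LOGIN command is not disabled.  RFC 2595 requires
    LOGINDISABLED to be advertised while the connection is not yet protected,
    so a greeting without it is a finding even if no AUTH= mechanism is listed.
    """
    upper = {c.upper() for c in caps}
    cleartext_sasl = bool(upper & {'AUTH=PLAIN', 'AUTH=LOGIN'})
    login_command_enabled = 'LOGINDISABLED' not in upper
    return cleartext_sasl or login_command_enabled


def sieve_sasl_mechanisms(greeting: List[str]) -> List[str]:
    """Return the mechanisms in the "SASL" line of a ManageSieve greeting (RFC 5804)."""
    for line in greeting:
        match = re.match(r'"SASL"\s+"([^"]*)"', line)
        if match:
            return match.group(1).split()
    raise ValueError('no "SASL" capability in ManageSieve greeting')


def sieve_plaintext_exposed(greeting: List[str]) -> bool:
    """True when ManageSieve accepts PLAIN or LOGIN before STARTTLS."""
    mechs = {m.upper() for m in sieve_sasl_mechanisms(greeting)}
    return bool(mechs & {'PLAIN', 'LOGIN'})


def read_greeting(host: str, port: int, timeout: float = 5.0) -> List[str]:
    """Open a plain TCP connection and read the greeting (live check; host is yours).

    IMAP greets with a single line; ManageSieve sends several and ends with OK.
    """
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile('r', encoding='utf-8', errors='replace', newline='\r\n')
        for raw in reader:
            line = raw.rstrip('\r\n')
            lines.append(line)
            if port != 4190 or line.startswith(('OK', 'NO', 'BYE')):
                break
    return lines


if __name__ == '__main__':
    # Usage: python check_plaintext_auth.py <mailhost>   (hypothetical file name)
    target = sys.argv[1]
    imap = read_greeting(target, 143)[0]
    sieve = read_greeting(target, 4190)
    print('IMAP  plaintext auth exposed:', imap_plaintext_exposed(imap_capabilities(imap)))
    print('SIEVE plaintext auth exposed:', sieve_plaintext_exposed(sieve))
```

POP3 cannot be judged from its greeting alone ("+OK ... ready" carries no capability list), so for port 110 reproduce the log's probe: send USER and expect an -ERR such as "Plaintext authentication disallowed on non-secure (SSL/TLS) connections" (Dovecot) or "USER command only available under a layer" (Cyrus). The UCR variables in the log write the templates /etc/dovecot/conf.d/10-auth.conf and /etc/imapd/imapd.conf; the underlying daemon options are Dovecot's `disable_plaintext_auth` and Cyrus's `allowplaintext`, and a change to either is only visible after the reload/restart shown in the log.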