Avelsieve 1.9.7 and Dovecot/TLS

Avelsieve 1.9.7 and Dovecot/TLS

Michael Firnau

Hi,

I'm installing a new mail server for our faculty and want to use
the squirrelmail plugin 'avelsieve' (1.9.7). As documented on the
dovecot wiki there is a problem in the STARTTLS code and I
found a solution (that works for my installation):

I've traced the server output in 'get_response' and instead of
a script list I saw "IMPLEMENTATION". So I took a look at
the file 'managesieve.lib.php' and the STARTTLS code:

    /* If we allow STARTTLS, use it */
    if($this->capabilities['starttls'] === true && function_exists('stream_socket_enable_crypto') === true) {
        fputs($this->fp,"STARTTLS\r\n");
        $starttls_response = $this->line=fgets($this->fp,1024);
        if(stream_socket_enable_crypto($this->fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) == false) {
            $this->error=EC_UNKNOWN;
            $this->error_raw = "Failed to establish TLS connection.";
            return false;
        } else {
            $this->loggedin = true;
           
            // RFC says that we need to ask for the capabilities again
            $this->sieve_get_capability();
            $this->loggedin = false;
        }  
    }
     
With my limited time and debugging possibilities I've found that the
dovecot managesieve server seems to send capability lines 'automagically'.
I've added a few "debugging" lines:

    /* If we allow STARTTLS, use it */
    if($this->capabilities['starttls'] === true && function_exists('stream_socket_enable_crypto') === true) {
        fputs($this->fp,"STARTTLS\r\n");
        $starttls_response = $this->line=fgets($this->fp,1024);
        if(stream_socket_enable_crypto($this->fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) == false) {
            $this->error=EC_UNKNOWN;
            $this->error_raw = "Failed to establish TLS connection.";
            return false;
        } else {
            $this->loggedin = true;

            // debugging: read one more line after the TLS handshake and show it
            $starttls_response = $this->line=fgets($this->fp,1024);
            $errormsg .= _("MFI fgets ") . $starttls_response . '<br>';
            print_errormsg($errormsg);

            // RFC says that we need to ask for the capabilities again
            $this->sieve_get_capability();
            $this->loggedin = false;
        }
    }

and could read

        MFI fgets "IMPLEMENTATION" "dovecot"

which will throw the following 'sieve_get_capability' out of sync.
Then I've added a second 'fgets' and received:

        MFI fgets "SASL" "PLAIN"

Then I've added a third 'fgets' and received:

        MFI fgets "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"

Then I've added a fourth 'fgets' and received:

        MFI fgets OK "TLS negotiation successful."

Now the protocol should be in sync again and after removing the lines

        $errormsg .= _("MFI 1 fgets ") . $starttls_response . '<br>';
        print_errormsg($errormsg);

I could load my scripts back. So, adding four lines reading

        $starttls_response = $this->line=fgets($this->fp,1024);
        $starttls_response = $this->line=fgets($this->fp,1024);
        $starttls_response = $this->line=fgets($this->fp,1024);
        $starttls_response = $this->line=fgets($this->fp,1024);

solved the problem. I know this is not a sound "fix", but I hope to
help you with this.

One addendum: debugging with my errormsg printout of the output from

    /* If we allow STARTTLS, use it */
    if($this->capabilities['starttls'] === true && function_exists('stream_socket_enable_crypto') === true) {
        fputs($this->fp,"STARTTLS\r\n");
        $starttls_response = $this->line=fgets($this->fp,1024);
       
resulted in the response:

        MFI fgets OK "Begin TLS negotiation now."

which looks proper to me, but the negotiation makes the server send the four lines mentioned above.


Cheers

Re: Avelsieve 1.9.7 and Dovecot/TLS

Steffen Kaiser-3

On Wed, 30 Apr 2008, Michael Firnau wrote:

Hello,

> With my limited time and debugging possibilities i've found that the
> dovecot managesieve server seems to send capability lines 'automagically'.

http://tools.ietf.org/html/draft-martin-managesieve-08#section-2.2

"After the TLS layer is established, the server MUST re-issue the
     capability results, followed by an OK response. This is necessary to
     protect against man-in-the-middle attacks which alter the
     capabilities list prior to STARTTLS. This capability result MUST NOT
     include the STARTTLS capability."

Bye,

--
Steffen Kaiser
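As an added example (not code from either post or from avelsieve), here is a small Python reader for the capability block Steffen's draft quote describes: it consumes capability lines only up to the terminating OK, so the reply to the next command stays in sync, and it refuses a post-TLS list that still advertises STARTTLS. The sample lines are constructed from the four responses Michael quoted, with one extra line standing in for the next command's reply.

```python
import re

# Constructed sample (not captured from a real server) of what a ManageSieve
# server sends immediately after the TLS handshake, modelled on the four lines
# quoted in the post above.  The trailing line stands in for the reply to
# whatever command the client sends next; it must NOT be consumed here.
POST_TLS_STREAM = [
    '"IMPLEMENTATION" "dovecot"\r\n',
    '"SASL" "PLAIN"\r\n',
    '"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress '
    'relational comparator-i;ascii-numeric regex"\r\n',
    'OK "TLS negotiation successful."\r\n',
    'OK "Logged in."\r\n',
]

# A capability line is a quoted name, optionally followed by a quoted value.
CAP_LINE = re.compile(r'^"([^"]+)"(?:\s+"([^"]*)")?\s*$')


def read_capabilities(lines):
    """Consume capability lines from an iterator up to and including the
    OK/NO/BYE response that terminates the list.  Returns (caps, response).
    Stopping exactly at the response is what keeps later reads in sync."""
    caps = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(("OK", "NO", "BYE")):
            return caps, line
        m = CAP_LINE.match(line)
        if m is None:
            raise ValueError("unexpected line in capability list: %r" % line)
        caps[m.group(1).upper()] = m.group(2) or ""
    raise ValueError("capability list ended without an OK/NO/BYE response")


def capabilities_after_starttls(lines):
    """Read the re-issued capability list the draft requires after STARTTLS
    and apply its two checks: the list ends with OK, and STARTTLS is no
    longer advertised (a list that still offers it is not trustworthy)."""
    caps, response = read_capabilities(lines)
    if not response.startswith("OK"):
        raise ValueError("TLS negotiation not confirmed: %s" % response)
    if "STARTTLS" in caps:
        raise ValueError("server still advertises STARTTLS after TLS")
    return caps


if __name__ == "__main__":
    stream = iter(POST_TLS_STREAM)
    print(capabilities_after_starttls(stream))
    print("next line left for the caller:", next(stream).strip())
```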