Package: avelsieve
Version: 1.9.9-2
Severity: normal

Guido Günther's analysis is only half the story, so his patch is NOT the fix.

On first connection dovecot (with TLS configured) will correctly NOT advertise 
PLAIN authentication (unless you have configured it to allow non-TLS login).
avelsieve sees that STARTTLS is available and negotiates the encryption.
Dovecot then sends the capabilities AGAIN, but this time with PLAIN.
avelsieve lower-cases "PLAIN" and stores "plain".
avelsieve then compares the stored "plain" with the list of UPPERCASE auth 
mechanisms, which is probably just "PLAIN".
As "plain" is not equal to "PLAIN", no authentication can continue and errors are 
logged in the dovecot log and on the squirrelmail web interface.


I have fixed this by patching 
/usr/share/squirrelmail/plugins/avelsieve/include/managesieve.lib.php
to remove the offending strtolower() calls:

============
--- /usr/share/squirrelmail/plugins/avelsieve/include/managesieve.lib.php       
2012-06-07 17:20:30.000000000 +0100
+++ /usr/share/squirrelmail/plugins/avelsieve/include/managesieve.lib.php.orig  
2012-06-07 15:09:28.000000000 +0100
@@ -887,10 +887,10 @@
               $this->modules = split(' ', $this->item[1]);
               if(is_array($this->modules)){
                   foreach($this->modules as $m) {
-                      $this->capabilities[$cap_type][$m]=true;
+                      $this->capabilities[$cap_type][strtolower($m)]=true;
                   }
               } elseif(is_string($this->modules)) {
-                  $this->capabilites[$cap_type][$this->modules]=true;
+                  
$this->capabilites[$cap_type][strtolower($this->modules)]=true;
               }
           } else { 
               $this->capabilities["unknown"][]=$this->line;
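Review bot: this diff is reversed: the `---` header names the edited file and `+++` names `.orig`, so the `-` lines are the fix and the `+` lines are the buggy original; anyone applying it with `patch -p0` would reintroduce the strtolower() calls rather than remove them. Regenerate it as `diff -u managesieve.lib.php.orig managesieve.lib.php` (or apply with `patch -R`). Two further points in the same hunk: the string branch writes to `$this->capabilites` (missing "i") while the array branch and the `"unknown"` fallback use `$this->capabilities`, so a server that advertises a single SASL mechanism has it stored in a different property that the rest of the code does not appear to read, and fixing the case problem alone leaves that path broken; and `split(' ', ...)` is deprecated since PHP 5.3, with `explode(' ', ...)` returning the same array.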
============


managesieve.lib.php really needs refactoring to use the same parsing routine 
for pre- and post-STARTTLS capability listings to avoid this sort of bug.
If case-insensitive matching is wanted then I'd suggest converting everything 
to uppercase, as that seems to be what the code and protocol really expect.
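As an added illustration (not avelsieve's code and not part of this report), a Python model of the capability exchange described above: one parser serves both the pre- and post-STARTTLS listings, SASL mechanism names are normalized to uppercase as the protocol uses them, and passing `str.lower` as the normalizer reproduces the mismatch. The server lines are constructed.

```python
import re

# Constructed ManageSieve capability listings modelled on the exchange in this
# report: before STARTTLS the server advertises no SASL mechanisms; after the
# TLS upgrade it re-sends its capabilities, now including PLAIN.
PRE_TLS = [
    '"IMPLEMENTATION" "Dovecot Pigeonhole"',
    '"SASL" ""',
    '"STARTTLS"',
    'OK "Dovecot ready."',
]
POST_TLS = [
    '"IMPLEMENTATION" "Dovecot Pigeonhole"',
    '"SASL" "PLAIN LOGIN"',
    'OK "TLS negotiation successful."',
]
CLIENT_MECHS = ["PLAIN"]  # what this client supports, uppercase as on the wire

# One capability line: a quoted name, optionally followed by a quoted value.
_CAP_RE = re.compile(r'^"([^"]+)"(?:\s+"([^"]*)")?$')

def parse_capabilities(lines, normalize=str.upper):
    """Parse a capability listing into a dict; SASL becomes a set of mechanism
    names passed through `normalize`. Used for both listings so they agree."""
    caps = {}
    for line in lines:
        m = _CAP_RE.match(line.strip())
        if not m:
            continue  # OK/NO/BYE response or something we do not understand
        name, value = m.group(1).upper(), m.group(2)
        if name == "SASL":
            caps[name] = {normalize(v) for v in value.split()} if value else set()
        else:
            caps[name] = value
    return caps

def pick_mechanism(caps, client_mechs=CLIENT_MECHS):
    """First client mechanism the server also offers, or None."""
    offered = caps.get("SASL", set())
    return next((m for m in client_mechs if m in offered), None)

def negotiate(pre_lines, post_lines, normalize=str.upper):
    """Client view: read the greeting, upgrade to TLS when offered, re-read the
    capabilities with the same parser and choose a mechanism."""
    caps = parse_capabilities(pre_lines, normalize)
    if "STARTTLS" in caps:  # upgrade; the server then re-advertises
        caps = parse_capabilities(post_lines, normalize)
    return pick_mechanism(caps)
```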


Maintainer: please report upstream



Regards

Alex Owen

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages avelsieve depends on:
ii  debconf [debconf-2.0]         1.5.36.1   Debian configuration management sy
ii  libjs-scriptaculous           1.8.3-1    JavaScript library for dynamic web
ii  squirrelmail                  2:1.4.21-2 Webmail for nuts

avelsieve recommends no packages.

Versions of packages avelsieve suggests:
pn  cyrus-imapd-2.2 | dovecot-ima <none>     (no description available)

-- Configuration Files:
/etc/squirrelmail/avelsieve-config.php changed [not included]

-- debconf information excluded


