login failed with username and password

2004-07-01 Thread Ole



Hi!

Using Debian with sendmail+squirrelmail+(imap)

I have installed imap-2004 with the command "make slx", because I want to use the passwords in /etc/shadow, so I guess this is the right make option. Everything goes well, and my imap is running, but when I try to connect to it I get:

:~# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED] localhost IMAP4rev1 2004.350 at Fri, 2 Jul 2004 01:06:28 +0200 (CEST)
A01 login weel password
A01 NO LOGIN failed
* BYE Autologout; idle for too long
Connection closed by foreign host.

I read that I could also try with:

a LOGIN username password
0001 LOGIN usernamer password

but same problem.


Same thing happens if I try pop. I guess there is something wrong with the authentication, but I can't seem to find the problem. I also tried an imap client like mozilla and evolution, but the same problem. Do I need some kind of authdaemond running?

I then tried "make sl5", to use pam, and I have the following in /etc/pam.d/imap:

auth    required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so

But the same thing happens here. What am I missing?
Thanks for helping, and sorry for bad English.


-Ole



Re: login failed with username and password

2004-07-01 Thread Mark Crispin
On Fri, 2 Jul 2004, Ole wrote:
> Using debian with sendmail+squirrelmail+(imap)
> I have installed imap-2004 with the command make slx, because I want
> to use the passwords in /etc/shadow so I guess this is the right make
> option.

make ldb is more likely to be correct, since Debian has different 
locations for the OpenSSL stuff; also this builds to use PAM instead 
of direct validation of the password.

> * OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED]
> localhost IMAP4rev1 2004.350 at Fri, 2 Jul 2004 01:06:28 +0200 (CEST)
> A01 login weel password
> A01 NO LOGIN failed

The key is the LOGINDISABLED capability which appeared in the greeting. 
If you refer to the imap-2004/docs/BUILD document, you'll find the 
following text early on:
--
 The default build is to build with SSL and disabling plaintext passwords
unless SSL/TLS encryption is in effect (SSLTYPE=nopwd).  This means that
OpenSSL MUST be installed before building the IMAP toolkit.  Please refer to
the SSLBUILD file for more information.

 To build without SSL, add SSLTYPE=none to the make command line.
Note that doing so will produce an IMAP server which is NON-COMPLIANT with
current IESG security requirements.
--
Referring to the SSLBUILD file, we find quite a bit, including:
--
 To build with SSL but allow plaintext passwords in insecure sessions,
add SSLTYPE=unix to the make command line.
--
Here, then, is the answer.  You can't login because plaintext passwords 
are disabled when you are not in an SSL or TLS encrypted session -- which 
absolutely describes a TELNET session.  Since you don't have any 
non-plaintext password authentication mechanism (such as CRAM-MD5 or 
GSSAPI) set up, you can't log in at all without negotiating encryption.

If you have a TLS-enabled client (such as Pine), you can try connecting to 
your IMAP server from there and see if you can log in.  Alternatively, you 
can use any SSL-enabled client to connect to SSL IMAP on port 993 instead 
of port 143.  Of course, this all requires that you've set up your system 
for SSL/TLS encryption as described in the SSLBUILD document.

> Same thing happens if I try pop.

The POP3 server has the same issue.  If you do the CAPA command, you will 
see that the USER capability isn't listed, which is POP3's way of saying 
LOGINDISABLED.  Once again, you have to use an SSL/TLS enabled client.

> I then tried make sl5, to use pam

sl5 isn't for PAM; it's for a very ancient version of Linux.  For Linux 
with PAM, you must use either lnp or one of the PAM-enabled variants (such 
as ldb for Debian).

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
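
Added example, not part of the original thread and not code from the IMAP toolkit: a small Python check that reads the capability data discussed above (LOGINDISABLED and STARTTLS in the IMAP greeting, a missing USER line in the POP3 CAPA reply) and reports why a cleartext login is refused. The function names and the POP3 sample reply are constructed for illustration; the IMAP greeting is the one from the telnet session.

```python
import re

# Greeting copied from the telnet session in the thread.
IMAP_GREETING = ("* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                 "STARTTLS LOGINDISABLED] localhost IMAP4rev1 2004.350 at "
                 "Fri, 2 Jul 2004 01:06:28 +0200 (CEST)")

# Constructed sample (not from the thread): a POP3 CAPA reply with no USER line.
POP3_CAPA = ["+OK Capability list follows", "TOP", "UIDL", "STLS", "."]


def imap_caps(line):
    """Return the capability set from a greeting or '* CAPABILITY' response."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]|^\* CAPABILITY (.*)$", line, re.I)
    if not m:
        return set()
    return {c.upper() for c in (m.group(1) or m.group(2)).split()}


def pop3_caps(lines):
    """Map capability name -> argument list from a multi-line CAPA reply."""
    body = [l.split() for l in lines[1:] if l.strip() not in ("", ".")]
    return {w[0].upper(): [a.upper() for a in w[1:]] for w in body}


def diagnose(plaintext_ok, can_starttls, sasl_mechs):
    """Explain whether a cleartext session can authenticate at all."""
    if plaintext_ok:
        return "plaintext login permitted on this session"
    if sasl_mechs:
        return "plaintext refused; use SASL: " + ", ".join(sorted(sasl_mechs))
    if can_starttls:
        return "plaintext refused; negotiate TLS first, then log in"
    return "plaintext refused and no TLS upgrade offered; use the SSL port"


def diagnose_imap(line):
    caps = imap_caps(line)
    # AUTH=PLAIN and AUTH=LOGIN still send the password in the clear.
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")} - {"PLAIN", "LOGIN"}
    return diagnose("LOGINDISABLED" not in caps, "STARTTLS" in caps, mechs)


def diagnose_pop3(lines):
    caps = pop3_caps(lines)
    mechs = set(caps.get("SASL", [])) - {"PLAIN", "LOGIN"}
    return diagnose("USER" in caps, "STLS" in caps, mechs)


if __name__ == "__main__":
    print("IMAP:", diagnose_imap(IMAP_GREETING))
    print("POP3:", diagnose_pop3(POP3_CAPA))
```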