Enabling plain text login for UW IMAP
I recently had the fun task of upgrading IMAP on one of my older Linux servers. This server doesn’t get much use lately and I’m sad to say that I hadn’t upgraded the IMAP daemon since around 2000 (IMAP4rev1 beta). Last night I noticed that I was unable to retrieve or delete any messages due to an IMAP error I’d never seen before: “IMAP4rev1 server |crashing: header size inconsistent”. After some Googling, I turned up some results:
http://www.exim.org/pipermail/exim-users/Week-of-Mon-19991213/015732.html
http://marc.theaimsgroup.com/?l=bugtraq&m=87635124302928&w=2
It appeared that a particular message was causing the crash… more than likely due to the fact that the server was not expecting a certain header in the message, generated a SIGABRT signal, and couldn’t handle it. I decided to download the latest version from the University of Washington website:
http://www.washington.edu/imap/
I quickly downloaded, compiled with make slx, installed and found out the authentication was failing. Tailing /var/log/maillog showed an entry like “Jun 18 00:47:29 host imapd[5668]: Login disabled”. As it turns out, clear text authentication (plain text username and password without encryption) is disabled by default in IMAP versions after 2002 due to RFC security recommendations. After numerous failed attempts to recompile with different PASSWDTYPE make options, I found out you can “easily” create a custom /etc/c-client.cf and add the line:
set disable-plaintext nil
I was disappointed to see that login was still failing, and telnetting to the IMAP port still showed the LOGINDISABLED capability. After getting frustrated, I decided to actually start reading the documentation more closely… go figure 😉 I read the imaprc.txt file and was shocked/irritated to see this paragraph:
The very first line of the file MUST start with the exact string “I
accept the risk”. This ensures that you have checked the file for
correctness against this version of the IMAP toolkit.
Obviously I should have realized that the first line of the config file should have been “I accept the risk”. This is INSANELY STUPID AND OBSCURE, but sure enough everything worked after my file looked like this:
/etc/c-client.cf:
I accept the risk
set disable-plaintext nil
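The quickest way to confirm what the daemon actually advertises after a change like this is to read its CAPABILITY response rather than guess from the log. The following check is an added example, not code from the original post or from the UW IMAP toolkit: it parses the capability list, decides whether a plaintext LOGIN is safe to send (only inside TLS, so it tries STARTTLS first when the server offers it, and otherwise refuses rather than sending a password in the clear), and optionally connects to a server to apply that decision. The hostname, port and credentials in the `__main__` block are placeholders.

```python
"""Inspect an IMAP server's advertised capabilities before sending a
plaintext LOGIN.  Added example; not part of the original post or of
UW IMAP.  Host, port and credentials below are assumed placeholders."""
import imaplib
import ssl
from typing import Iterable, Set


def parse_capabilities(raw: str) -> Set[str]:
    """Turn a CAPABILITY line, e.g.
    '* CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED', into an upper-case set.
    The untagged '* CAPABILITY' prefix is optional so both a telnet
    transcript line and imaplib's stored tuple can be fed in."""
    tokens = raw.strip().upper().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return set(tokens)


def plaintext_login_policy(caps: Iterable[str], tls_active: bool) -> str:
    """Decide what a careful client should do with a plaintext LOGIN.

    Returns one of:
      'login'               - TLS is up and the server accepts LOGIN
      'starttls-first'      - upgrade the connection, then re-evaluate
      'refuse-logindisabled'- server advertises LOGINDISABLED (the
                              'Login disabled' case from the post)
      'refuse-cleartext'    - server would accept LOGIN, but only over a
                              cleartext connection: do not send a password
    """
    caps = {c.upper() for c in caps}
    if tls_active:
        # Credentials would travel inside TLS; LOGINDISABLED is normally
        # dropped from the capability list once STARTTLS has completed.
        return "refuse-logindisabled" if "LOGINDISABLED" in caps else "login"
    if "STARTTLS" in caps:
        return "starttls-first"
    if "LOGINDISABLED" in caps:
        return "refuse-logindisabled"
    return "refuse-cleartext"


def check_server(host: str, port: int, user: str, password: str) -> str:
    """Connect, apply plaintext_login_policy, and only log in when the
    policy says it is safe.  Returns the final decision as a string."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4(host, port) as conn:          # cleartext connection on 143
        tls_active = False
        decision = plaintext_login_policy(conn.capabilities, tls_active)
        if decision == "starttls-first":
            conn.starttls(ctx)                        # imaplib re-reads CAPABILITY
            tls_active = True
            decision = plaintext_login_policy(conn.capabilities, tls_active)
        if decision == "login":
            conn.login(user, password)
            return "logged-in"
        return decision


if __name__ == "__main__":
    # Placeholder values; replace with a host you administer.
    print(check_server("imap.example.invalid", 143, "user", "password"))
```

Run against the post's final configuration (plaintext enabled, no TLS configured) the policy returns `refuse-cleartext`: the server now accepts LOGIN, but the credentials would cross the wire unencrypted, which is the risk the "I accept the risk" line is asking you to acknowledge.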
Lessons learned:
1. RTFM closely
2. Apparently adding silly statements like “I accept the risk” to a config file is going to educate users about security concerns, or limit UW’s liability. (sigh)
2 Responses
I have a slightly funny/coincidental follow-up to this post. I’m working on a development setup where my Apache httpd process is running as root (yes, it sounds bad but it’s not) and I discovered that Apache doesn’t like this as much as it used to.
If you change the default user and group to ‘root’, and restart it turns out you need to set the CFLAGS env variable to -DBIG_SECURITY_HOLE and re-compile!
😉
Now, I definitely see that as a much bigger problem than the IMAP issue, but I still find the mechanism for overriding the (arguably unwise) settings a bit hilarious.
In fact I personally liked the idea, because too many users don’t care about security. But current versions don’t require this first line anymore.