#296904 libc-client2002edebian: Trouble to set up plain passwords, config questions and readme.
- Package: src:uw-imap
- Source: uw-imap
- Submitter: Grzegorz Szyszło
- Date: 2015-06-30 05:12:08 UTC
- Severity: important
File /usr/share/doc/libc-client2002edebian/README.Debian.gz has only part of the needed information. I suggest:

  - set disable-plaintext nil
  + I accept the risk
  + set disable-plaintext 0

Why '0' and not 'nil'? Because the readme redirects to imaprc.txt.gz, and in this file this option is explained as accepting a numeric argument, not nil. I know both values are correct and cause the same effect; I tested it.

I suggest adding another question to the package configuration. Now the package only asks for maildir support. I suggest adding another question, to enable plaintext passwords. Why that method? Because after migrating from woody to sarge by completely reinstalling, the admin is typically in trouble about what to do with the pop3 and imap service. Simply copying config files does not resolve this problem. This question will not break the IETF security recommendation, because .... ....... one of the questions in other packages is to enable shadow passwords :)

My config is:

file: /etc/c-client.cf
  I accept the risk
  set disable-plaintext 0

but the debconf information (bottom of this report) presents this as plaintext false. This is a bug. This option must be presented as true when 'I accept the risk' is in the config file and set disable-plaintext has value '0' or 'nil'.
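The check the reporter wants debconf to perform, written out as an added example (not code from the bug report or from the uw-imap package): a POSIX sh function that reads a c-client.cf and reports plaintext logins as enabled only when the "I accept the risk" line is present and disable-plaintext is set to nil or 0, the two spellings the report says are equivalent. The function name, the handling of an unreadable file, and the sample file built at the end are assumptions.

```shell
#!/bin/sh
# plaintext_status FILE  -> prints "true", "false" or "unknown"
# "true" only when both conditions from the bug report hold:
#   1. a line "I accept the risk" is present, and
#   2. the last "set disable-plaintext" line has value nil or 0.
# Hypothetical helper for this example; it is not the package's own check.
plaintext_status() {
    cf="$1"
    if [ ! -r "$cf" ]; then
        echo unknown
        return 2
    fi
    risk=no
    value=unset
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                              # no globbing while splitting
        # shellcheck disable=SC2086
        set -- $line                        # split into words; drops indentation
        set +f
        if [ $# -eq 0 ]; then continue; fi  # blank line
        case "$1" in '#'*) continue ;; esac # comment line
        if [ "$1 $2 $3 $4" = "I accept the risk" ]; then
            risk=yes
        elif [ "$1" = set ] && [ "$2" = disable-plaintext ]; then
            value="${3:-unset}"             # last occurrence wins
        fi
    done < "$cf"
    case "$risk/$value" in
        yes/nil|yes/0) echo true ;;         # both spellings allow plaintext
        *)             echo false ;;
    esac
}

# Demo on the configuration quoted in the report (constructed here, not
# taken from a real host).
demo=$(mktemp)
printf 'I accept the risk\nset disable-plaintext 0\n' > "$demo"
printf 'plaintext logins enabled: %s\n' "$(plaintext_status "$demo")"
rm -f "$demo"
```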
Hello,

From what I can see the bug 296904 (non-encrypted plaintext passwords) is not considered Release Critical. I think that this will break things severely for many people and that it therefore should be Release Critical and fixed as soon as possible. I think that there should be a question during install to allow non-encrypted plaintext passwords. Do you agree and is this possible?

/Martin
I disagree. Messing with /etc/c-client.cf is considered unofficial by upstream, so it won't be supported as more than that by me either. If you feel that this makes this software unsuited for your use, then please look for alternatives. For an IMAP and POP3 daemon I strongly recommend using dovecot. Unfortunately there is no alternative to libc-client as the library behind PHP :-(

And I believe the argument that shadow passwords should make the IETF recommendations fulfilled is wrong: shadow passwords have nothing to do with sending passwords unencrypted on the wire.

Regards,

- Jonas
While this is true and I certainly see your point, the fact remains that things broke severely when I upgraded. I did not receive any information about what was going on, and when I tried dpkg-reconfigure I still wasn't warned that this was going to happen. And this is what makes this Release Critical.

I totally buy your explanation about the unofficial status of /etc/c-client.cf, but I should be warned about it when I install the package, or do a dpkg-reconfigure, perhaps in the form of a notice telling me that there is important information to read if I'm upgrading and/or want to allow non-encrypted plaintext logins. Is this possible? Why or why not?

/Martin