#296904 libc-client2002edebian: Trouble to set up plain passwords, config questions and readme.

#296904#5
Date:
2005-02-25 14:49:11 UTC
From:
To:
File /usr/share/doc/libc-client2002edebian/README.Debian.gz
has only part of the needed information. I suggest
-    set disable-plaintext nil
+    I accept the risk
+    set disable-plaintext 0

Why '0' and not 'nil'? Because the readme redirects to imaprc.txt.gz,
and in that file this option is explained as accepting a numeric argument,
not nil. I know both values are correct and cause the same effect;
I tested it.

I suggest adding another question to the package configuration.
Now the package only asks for maildir support. I suggest adding
another question to enable plaintext passwords.
Why that method? Because after migrating from woody to sarge
by completely reinstalling, the admin is typically in trouble about what to do
with the pop3 and imap service. Simply copying config files does not resolve this problem.
This question will not break the IETF security recommendation, because ....
....... one of the questions in other packages is enabling shadow passwords :)


my config is:
file: /etc/c-client.cf
I accept the risk
set disable-plaintext 0


but the debconf information (at the bottom of this report)
presents this as plaintext false. This is a bug.
This option must be presented as true when
'I accept the risk' is in the config file and
set disable-plaintext has the value '0' or 'nil'.
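The rule the reporter states for what debconf should display (plaintext is enabled only when the "I accept the risk" line is present and `set disable-plaintext` is `0` or `nil`) can be written as a small check. The following is an added example, not code from the bug report or from the Debian package; it assumes the file uses one `set <option> <value>` directive per line and that the last `disable-plaintext` directive wins, and it only reports the effective setting so an administrator can see whether non-encrypted logins are permitted.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether a c-client
# configuration file permits plaintext (non-encrypted) logins, using the
# rule given in the report: the "I accept the risk" line must be present
# and "set disable-plaintext" must be 0 or nil.

# Usage: plaintext_allowed /etc/c-client.cf   -> prints "true" or "false"
# Exit status 0 means plaintext logins are enabled, 1 means they are not.
plaintext_allowed() {
    f="$1"
    # An unreadable or missing file means the option cannot be in effect.
    [ -r "$f" ] || { echo "false"; return 1; }

    # The acknowledgement line must appear verbatim on a line of its own
    # (surrounding whitespace ignored).
    if ! grep -qx '[[:space:]]*I accept the risk[[:space:]]*' "$f"; then
        echo "false"
        return 1
    fi

    # Extract the value of every "set disable-plaintext <value>" directive
    # and keep the last one (assumption: later directives override earlier ones).
    val=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}disable-plaintext[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f" | tail -n 1)

    case "$val" in
        0|nil) echo "true";  return 0 ;;
        *)     echo "false"; return 1 ;;
    esac
}

# Demonstration on a constructed sample file (not a real system file).
sample=$(mktemp)
printf 'I accept the risk\nset disable-plaintext 0\n' > "$sample"
plaintext_allowed "$sample"   # prints "true"
rm -f "$sample"
```

Run against `/etc/c-client.cf` this gives the value the reporter argues debconf should show; a file that sets `disable-plaintext 0` without the acknowledgement line, or with any other value, reports `false`.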

#296904#10
Date:
2005-05-15 09:06:16 UTC
From:
To:
Hello,

From what I can see the bug 296904 (non-encrypted plaintext passwords)
is not considered Release Critical. I think that this will break things
severely for many people and that it therefore should be Release
Critical and fixed as soon as possible. I think that there should be a
question during install to allow non-encrypted plaintext passwords.
Do you agree and is this possible?

/Martin

#296904#15
Date:
2005-05-15 09:49:53 UTC
From:
To:
I disagree.

Messing with /etc/c-client.cf is considered unofficial by upstream, so
won't be supported as more than that by me either.

If you feel that this makes this software unsuited for your use, then
please look for alternatives.

For IMAP and POP3 daemon I strongly recommend using dovecot.

Unfortunately there is no alternative to libc-client as the library behind
PHP :-(


And I believe the argument that shadow passwords should make the IETF
recommendations fulfilled is wrong: shadow passwords have nothing to do
with sending passwords unencrypted on the wire.


Regards,

 - Jonas

#296904#20
Date:
2005-05-15 11:05:04 UTC
From:
To:
While this is true and I certainly see your point, the fact remains that
things broke severely when I upgraded. I did not receive any information
about what was going on, and when I tried dpkg-reconfigure I still
wasn't warned that this was going to happen.

And this is what makes this Release Critical. I totally buy your
explanation about the unofficial status of /etc/c-client.cf, but I
should be warned about it when I install the package, or do a
dpkg-reconfigure, perhaps in the form of a notice telling me that there
is important information to read if I'm upgrading and/or want to allow
non-encrypted plaintext logins.

Is this possible? Why or why not?

/Martin