
`STARTTLS` capability on listeners (on port 143 or otherwise explicitly configured)
Status: Closed, Spite
Visibility: Public

Description

Client connections that want to use STARTTLS on a port 143 plaintext connection tend to require a STARTTLS capability to be presented on an otherwise plaintext connection, such that the connection can be explicitly upgraded.

Most IMAP client software actually requires the capability to be present, or does not allow the connection's encryption to be negotiated.

Guam does not currently include the STARTTLS capability in its initial CAPABILITY response.

Details

Ticket Type
Task

Event Timeline

vanmeeuwen raised the priority of this task from to 60.
vanmeeuwen updated the task description. (Show Details)
vanmeeuwen added a project: Guam.
vanmeeuwen moved this task to Backlog on the Guam board.
vanmeeuwen changed Ticket Type from Task to Task.
vanmeeuwen subscribed.

Not sure what commit(s) were related to this ticket for it to have been allowed to move to the Review column, but rG93aef46dc20861092df417703405545e1e0f76b8 with rEIc50001375e81662cae40914dcae9745273765f7b does not present STARTTLS or LOGINDISABLED to the client:

S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] kolab02.kolabsys.com \
    Cyrus IMAP 2.5.5.5-Kolab-2.5.5-5.1.el6.kolab_14 server ready
failure: STARTTLS not supported by the server!

In further troubleshooting: of course, this happens while the frontend is on a STARTTLS port but the backend is on an implicit SSL port; the capabilities presented to the client match those of the server with implicit SSL.

Using a { port, 143 }, { tls, starttls } backend does present the client with the necessary capabilities and allows the client to use STARTTLS.

The initial capabilities are superfluous, however:

S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME \
    UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT \
    THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE \
    SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY X-NETSCAPE AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE \
    X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE STARTTLS] kolab02.kolabsys.com \
    Cyrus IMAP 2.5.5.5-Kolab-2.5.5-5.1.el6.kolab_14 server ready

Expected capabilities response:

$ imtest -t "" -u vanmeeuwen -a vanmeeuwen kolab.kolabsys.com
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] kolab02.kolabsys.com Cyrus IMAP 2.5.5.5-Kolab-2.5.5-5.1.el6.kolab_14 server ready

First and foremost, the lack of AUTH= capabilities and the addition of LOGINDISABLED reflect the expectations (the rest is indeed just that, superfluous).
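The check below is an added example, not code from the Guam project or from anyone on this ticket. It encodes the expectation stated in the description and in the comment above for a plaintext port 143 listener: the greeting must advertise STARTTLS and LOGINDISABLED and must not offer AUTH= mechanisms before the upgrade. The two sample greetings are constructed from the banners quoted in this ticket (the broken proxy banner and the expected one); `check_starttls_listener` additionally performs the real STARTTLS upgrade against a live host and re-reads CAPABILITY over TLS, which is where AUTH= mechanisms are expected to reappear. Host and port arguments, and the tag values `a1`/`a2`/`a3`, are the example's own choices.

```python
import re
import socket
import ssl

# Constructed sample greetings modelled on the banners quoted in this ticket.
PROXY_GREETING_BAD = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] "
    "kolab02.kolabsys.com Cyrus IMAP 2.5.5.5-Kolab-2.5.5-5.1.el6.kolab_14 server ready"
)
PROXY_GREETING_GOOD = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] "
    "kolab02.kolabsys.com Cyrus IMAP 2.5.5.5-Kolab-2.5.5-5.1.el6.kolab_14 server ready"
)

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(line: str) -> set:
    """Return the capability atoms from a greeting's [CAPABILITY ...] code
    or from an untagged '* CAPABILITY ...' response; empty set otherwise."""
    m = _CAP_RE.search(line)
    if m:
        return set(m.group(1).split())
    if line.startswith("* CAPABILITY "):
        return set(line[len("* CAPABILITY "):].split())
    return set()


def pre_tls_problems(greeting: str) -> list:
    """Policy for what a plaintext listener may advertise before STARTTLS.
    An empty list means the greeting matches what this ticket expects."""
    caps = parse_capabilities(greeting)
    problems = []
    if "STARTTLS" not in caps:
        problems.append("STARTTLS missing: clients cannot negotiate an upgrade")
    if "LOGINDISABLED" not in caps:
        problems.append("LOGINDISABLED missing: plaintext LOGIN would be accepted")
    auth = sorted(c for c in caps if c.startswith("AUTH="))
    if auth:
        problems.append("SASL mechanisms offered before TLS: " + " ".join(auth))
    return problems


def _readline(sock) -> str:
    # Read one CRLF-terminated line byte by byte so nothing beyond the line is
    # buffered; after "OK" to STARTTLS the very next bytes must go to TLS.
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace").rstrip("\r\n")


def check_starttls_listener(host: str, port: int = 143, timeout: float = 10.0) -> dict:
    """Connect in plaintext, grade the greeting, upgrade with STARTTLS and
    re-read CAPABILITY over TLS. Hypothetical helper; not part of Guam."""
    result = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = _readline(sock)
        result["greeting"] = greeting
        result["pre_tls_problems"] = pre_tls_problems(greeting)
        if "STARTTLS" not in parse_capabilities(greeting):
            return result  # nothing to upgrade; this is the bug in the ticket
        sock.sendall(b"a1 STARTTLS\r\n")
        reply = _readline(sock)
        result["starttls_reply"] = reply
        if not reply.startswith("a1 OK"):
            return result
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"a2 CAPABILITY\r\n")
            caps = set()
            while True:
                line = _readline(tls)
                if line.startswith("* CAPABILITY"):
                    caps |= parse_capabilities(line)
                if line.startswith("a2 ") or not line:
                    break
            result["post_tls_caps"] = caps
            result["post_tls_auth"] = sorted(c for c in caps if c.startswith("AUTH="))
            result["post_tls_logindisabled"] = "LOGINDISABLED" in caps
            tls.sendall(b"a3 LOGOUT\r\n")
    return result


if __name__ == "__main__":
    for name, g in (("bad", PROXY_GREETING_BAD), ("good", PROXY_GREETING_GOOD)):
        print(name, pre_tls_problems(g) or "ok")
```

Run offline it reports three problems for the broken banner (no STARTTLS, no LOGINDISABLED, AUTH=LOGIN and AUTH=PLAIN offered in the clear) and none for the expected one; pointed at a live listener it tells you whether the upgrade actually succeeds and whether LOGINDISABLED is dropped and AUTH= mechanisms appear only after TLS.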