Open Smith4545 opened 1 year ago
Your Dovecot behaves exactly as specified. It is suggested that a server should not advertise weak authentication mechanisms when not secure.
In Sieve, SASL mechanisms are advertised after connect and after a successful STARTTLS upgrade.
Thus it is a bug in the current implementation. It checks the SASL mechanisms after connect. Instead it should check them after the upgrade to a secure connection.
Prerequisites
What happened?
When trying to connect to Pigeonhole (means actually clicking "Connect") on the WebApp no connection can be established.
As `SieveSocket` is instantiated here,
https://github.com/thsmi/sieve/blob/dfeeac10cb5cf65b08b31360229053bcdae50174/src/web/script/handler/websocket.py#L33
Python will run `SieveSocket.__enter__`, which will run `SieveSocket.connect`. The problem is probably caused by these lines in `SieveSocket.connect`:
https://github.com/thsmi/sieve/blob/bf6f3a6ca35ae8ad4614be2bc775785934ef7259/src/web/script/sieve/sievesocket.py#L41-L42
`PLAIN` won't be present in Pigeonhole's capabilities if plain authentication is deactivated via `disable_plaintext_auth = yes`, as stated in the Dovecot 2.x documentation. But this does not indicate that `PLAIN` wouldn't be available if a connection with StartTLS had been established. This can also be tested with telnet (see the example below).
Simply commenting out the check already solves the issue, because the class `SieveSocket` already implements all necessary steps for StartTLS and the corresponding function is even called in the next line of `websocket.py`. I don't have a complete overview of all RFCs related to Sieve, so it could be that Pigeonhole just doesn't act RFC-compliant here.
What did you expect to happen?
The connection should have been established.
Logs and Traces
The log reads:
The mail-server runs Pigeonhole via Dovecot 2.3.20. Dovecot has `disable_plaintext_auth = yes` set. Therefore StartTLS must be used.
Connection via telnet:
Which Version
Include information about your system, server and most important if it is about the app or webextension.
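The sequence discussed above, as an added example (my own illustration, not code from thsmi/sieve or from Pigeonhole): a small ManageSieve capability parser and a connect routine that reads the greeting, issues STARTTLS, upgrades, reads the capabilities the server re-issues (RFC 5804 requires the server to resend them after a successful TLS negotiation), and only then checks for `PLAIN`. The transport is a scripted stand-in for a socket and the server lines are constructed to mimic Dovecot with `disable_plaintext_auth = yes`; nothing here is a captured transcript. Function and class names (`parse_capabilities`, `negotiate`, `FakeTransport`) are mine.

```python
"""ManageSieve capability handling around STARTTLS (RFC 5804).

Added example, not code from thsmi/sieve or Pigeonhole. FakeTransport's
server lines are constructed to mimic Dovecot/Pigeonhole with
disable_plaintext_auth = yes; they are not a captured transcript.
"""
import re

# A capability line is a quoted name, optionally followed by a quoted value.
_CAP_RE = re.compile(r'^"([^"]+)"(?:\s+"([^"]*)")?\s*$')
_STATUS = ("OK", "NO", "BYE")


def parse_capabilities(lines):
    """Map capability name -> value (None when the capability has no value).

    Parsing stops at the OK/NO/BYE line that terminates the response.
    """
    caps = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.split(None, 1)[0].upper() in _STATUS:
            break
        m = _CAP_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable capability line: {line!r}")
        caps[m.group(1).upper()] = m.group(2)
    return caps


def sasl_mechanisms(caps):
    """SASL mechanisms advertised in a capability dict (empty if none)."""
    return (caps.get("SASL") or "").upper().split()


def plain_available(caps):
    """The kind of check the issue describes; only meaningful on post-TLS caps."""
    return "PLAIN" in sasl_mechanisms(caps)


def read_response(transport):
    """Collect lines up to and including the terminating status line."""
    lines = []
    while True:
        line = transport.readline()
        lines.append(line)
        word = line.split(None, 1)
        if word and word[0].upper() in _STATUS:
            return word[0].upper(), lines


def negotiate(transport):
    """Connect with the SASL check moved after the TLS upgrade.

    Returns (pre_tls_caps, post_tls_caps) so a caller can compare both views.
    """
    status, greeting = read_response(transport)
    if status != "OK":
        raise ConnectionError(f"greeting failed: {greeting[-1]!r}")
    pre_tls = parse_capabilities(greeting)  # SASL may be empty here
    if "STARTTLS" not in pre_tls:
        raise ConnectionError("server does not offer STARTTLS")
    transport.write("STARTTLS\r\n")
    status, reply = read_response(transport)
    if status != "OK":
        raise ConnectionError(f"STARTTLS refused: {reply[-1]!r}")
    transport.starttls()
    # RFC 5804: after TLS is established the server re-issues its
    # capabilities; this list decides which SASL mechanisms are usable.
    status, after = read_response(transport)
    if status != "OK":
        raise ConnectionError(f"post-TLS capabilities failed: {after[-1]!r}")
    post_tls = parse_capabilities(after)
    if not plain_available(post_tls):
        raise ConnectionError("PLAIN not offered even over TLS")
    return pre_tls, post_tls


class FakeTransport:
    """Scripted socket stand-in (constructed data): empty SASL list before
    STARTTLS, PLAIN and LOGIN after the upgrade."""
    GREETING = [
        '"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n',
        '"SIEVE" "fileinto reject envelope vacation"\r\n',
        '"SASL" ""\r\n',
        '"STARTTLS"\r\n',
        '"VERSION" "1.0"\r\n',
        'OK "Dovecot ready."\r\n',
    ]
    POST_TLS = [
        '"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n',
        '"SIEVE" "fileinto reject envelope vacation"\r\n',
        '"SASL" "PLAIN LOGIN"\r\n',
        '"VERSION" "1.0"\r\n',
        'OK "TLS negotiation successful."\r\n',
    ]

    def __init__(self):
        self._inbox = list(self.GREETING)
        self.sent = []
        self.tls = False

    def readline(self):
        if not self._inbox:
            raise EOFError("server closed connection")
        return self._inbox.pop(0)

    def write(self, line):
        self.sent.append(line)
        if line.strip().upper() == "STARTTLS":
            self._inbox.append('OK "Begin TLS negotiation now."\r\n')
        else:
            self._inbox.append('NO "Unknown command."\r\n')

    def starttls(self):
        self.tls = True
        self._inbox.extend(self.POST_TLS)


if __name__ == "__main__":
    before, after = negotiate(FakeTransport())
    print("SASL before STARTTLS:", sasl_mechanisms(before))
    print("SASL after STARTTLS: ", sasl_mechanisms(after))
```

Running the check on `before` reproduces the failure the issue describes (no `PLAIN`, so the client gives up); running it on `after` is the behaviour the comment above asks for. With a real socket, `starttls()` would wrap the connection with `ssl.SSLContext.wrap_socket` and `readline`/`write` would go over that wrapped socket; the capability parsing and the order of the checks stay the same.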