Setting up IMAP on Linux? - Security


Thread: Setting up IMAP on Linux?

  1. Re: Setting up IMAP on Linux?

    On May 29, 4:19 pm, "Stachu 'Dozzie' K." wrote:
    > On 29.05.2007, Ramon F Herrera wrote:
    >
    > > On May 29, 3:01 pm, "Stachu 'Dozzie' K." wrote:
    > >> Maybe they don't like autotools?
    > >> What kind of accusations do you have
    > >> against their current build system?
    >
    > > In my experience everybody in the *ux universe loves autotools,
    >
    > Like Boost people? Like people using SCons? Like Postfix and Exim guys?

    I have a word for you: standards. Widely used standards.

    -Ramon



  2. Re: Setting up IMAP on Linux?

    Ramon F Herrera writes:

    > On May 29, 5:47 pm, Sam wrote:
    >> Ramon F Herrera writes:
    >> > (2) Their source code is filled with insecure calls,
    >>
    >> No, it's not.
    >>
    >> > vulnerabilities to
    >> > buffer overflow attacks, such as 'gets' and 'tmpnam.'
    >>
    >> Here's a free clue for you, Einstein: not every call to gets() or tmpnam()
    >> is automatically insecure. Did you actually look at the code, and see what
    >> it does?
    >
    > You obviously don't believe in defensive programming.


    You obviously don't know programming.

    > Dovecot builds and installs beautifully under autoconfig and doesn't


    That's "autoconf", not "autoconfig". And "autoconf" is not something that
    you'd install "under".





  3. Re: Setting up IMAP on Linux?

    On 29.05.2007, Ramon F Herrera wrote:
    > On May 29, 4:19 pm, "Stachu 'Dozzie' K." wrote:
    >> On 29.05.2007, Ramon F Herrera wrote:
    >>
    >> > On May 29, 3:01 pm, "Stachu 'Dozzie' K." wrote:
    >> >> Maybe they don't like autotools?
    >> >> What kind of accusations do you have
    >> >> against their current build system?
    >>
    >> > In my experience everybody in the *ux universe loves autotools,
    >>
    >> Like Boost people? Like people using SCons? Like Postfix and Exim guys?
    >
    > I have a word for you: standards. Widely used standards.


    I don't think the compilation method is really a subject for
    standardization. I saw some projects with non-autotools build systems
    compiling without any problems on a wide spectrum of systems and
    autotools-based projects which didn't compile on Debian or Slackware
    without hacking.

    The only people who see the build system are package maintainers and
    software developers (and some newbies who think they should compile all
    on their own instead of using packages). Far too few people to bother
    with standardization of the build process.

    Don't get me wrong: it's not that I don't like autotools, nor do I think
    it's completely unnecessary. I just think it's not an argument that they
    standardize something.

    --
    Secunia non olet.
    Stanislaw Klekot

  4. Re: Setting up IMAP on Linux?

    On Tue, 29 May 2007, Sam wrote:
    > Here's a free clue for you, Einstein: not every call to gets() or tmpnam()
    > is automatically insecure. Did you actually look at the code, and see what
    > it does?


    This has been an amusing thread.

    He contacted me in email earlier today, offering to put me in touch with
    programmers in Romania to "fix" these issues...

    For what it's worth, the gets() issue is explained here:
    http://www.washington.edu/imap/IMAP-...ndex.html#3.22
    and the tmpnam() issue is explained here:
    http://www.washington.edu/imap/IMAP-...ndex.html#3.23

    What's particularly funny is that, in the very special way that it is
    used, tmpnam() actually *is* the correct call and the suggestion to use
    mkstemp() is wrong. What's more, that code is never called on a system
    that has /dev/urandom which is just about everything released in the past
    decade....

    -- Mark --

    http://staff.washington.edu/mrc
    Science does not emerge from voting, party politics, or public debate.
    Si vis pacem, para bellum.

  5. Re: Setting up IMAP on Linux?

    On Tue, 29 May 2007, Ramon F Herrera wrote:
    > (1) How come the folks at UofWash have no clue about ./configure and
    > autoconf?


    The origins of the UW IMAP toolkit go back 20 years, and it builds on many
    platforms in which autoconf does not stand a snowball's chance of running.
    Typically, after spinning wheels for several CPU minutes, the configure
    script aborts with "no space" or some other such message. On these
    systems, "using autoconf" is equivalent to "does not build".

    Many, if not all, of these platforms are either extinct or are nearing
    extinction. In some future release (to be determined) I intend to declare
    end-of-life on support of these platforms, and support will be limited to
    modern platforms that are amenable to autoconf.

    This will undoubtably cause distress to people who still have some
    dinosaurs (I am amazed at the things that some people still run!) but
    they've gotten much longer support out of me than anyone else.

    > This kind of software gives Linux a bad name and plenty of
    > ammunition to Wintards.


    This is an amusing statement. Windows generally does not use configure
    scripts and compatibility between Windows releases within the Microsoft
    monoculture is often as great a difficulty as in the Linux/BSD/UNIX world.

    > The documentation says that I have to get OpenSSL. My box is a RHEL4,
    > I use ssh all the time, so I don't need any extra software for the SSL
    > encryption. Is this correct?


    RFC 3501, section 11.

    If you do not understand why this is required, you have far greater
    security concerns than whether or not there's a tmpnam() call in code that
    is never called on Linux.

    -- Mark --

    http://staff.washington.edu/mrc
    Science does not emerge from voting, party politics, or public debate.
    Si vis pacem, para bellum.

  6. Re: Setting up IMAP on Linux?

    On 2007-05-29, Ramon F Herrera wrote:
    >
    > Dovecot builds and installs beautifully under autoconfig and doesn't
    > give me worrisome error messages which are either:
    >
    > (1) Indication of sloppy programming.
    > (2) Presuming that the user should look at the code and understand
    > why the use of dangerous deprecated functions is unavoidable (I highly
    > doubt it) and for some mysterious reason justifiable.
    >
    > I always vote with my pocket and I just did it. Dovecot is my choice.


    Cool! I assume that means you're donating money to the Dovecot
    project:

    http://www.dovecot.org/donate.html

    --
    Grant Edwards, grante at visi.com
    Yow! I was making donuts and now I'm on a bus!

  7. Re: Setting up IMAP on Linux?

    Ramon F Herrera writes:

    > (1) How come the folks at UofWash have no clue about ./configure and
    > autoconf? This kind of software gives Linux a bad name and plenty of
    > ammunition to Wintards.


    http://www.washington.edu/imap/IMAP-FAQs/index.html#6.1

    > (2) Their source code is filled with insecure calls, vulnerabilities to
    > buffer overflow attacks, such as 'gets' and 'tmpnam.' How hard can it
    > be to fix this?


    http://www.washington.edu/imap/IMAP-...ndex.html#3.22

    http://www.washington.edu/imap/IMAP-...ndex.html#3.23

    > Anyway, my concern is this:
    >
    > + Building in full compliance with RFC 3501 security
    > + requirements:
    > ++ TLS/SSL encryption is supported
    > ++ Unencrypted plaintext passwords are prohibited
    >
    > The documentation says that I have to get OpenSSL. My box is a RHEL4,
    > I use ssh all the time, so I don't need any extra software for the SSL
    > encryption. Is this correct?


    http://www.washington.edu/imap/docum.../SSLBUILD.html

    Cheers,

    - Joel
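
Added example (not part of any post in this thread, and not UW IMAP or Dovecot code): the build banner quoted above and the pointer to RFC 3501 section 11 both concern keeping passwords off a cleartext IMAP session. The Python check below audits the capability list a server sends before TLS is negotiated; the sample server lines, host name and function names are constructed for illustration.

```python
import re

# SASL mechanisms that transmit the password itself (base64 is not encryption).
PLAINTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}

# Constructed sample lines, as a server might send them on port 143 before TLS.
HARDENED_GREETING = ("* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR "
                     "STARTTLS LOGINDISABLED] mail.example.org ready")
WEAK_REPLY = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
PARTIAL_REPLY = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"


def parse_capabilities(line):
    """Extract capability atoms from a greeting or an untagged CAPABILITY reply."""
    # Form 1: response code inside a greeting, "* OK [CAPABILITY ...] text"
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
    if m is None:
        # Form 2: untagged reply to the CAPABILITY command, "* CAPABILITY ..."
        m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I)
    if m is None:
        return set()
    return {atom.upper() for atom in m.group(1).split()}


def audit_cleartext_session(line):
    """Return findings for a capability list seen BEFORE TLS is negotiated."""
    caps = parse_capabilities(line)
    if not caps:
        return ["no capability list found"]
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: session cannot be upgraded to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN would send the password in clear")
    for mech in sorted(caps & PLAINTEXT_SASL):
        findings.append(f"{mech} offered before TLS: password is only base64-encoded")
    return findings


if __name__ == "__main__":
    for sample in (HARDENED_GREETING, WEAK_REPLY, PARTIAL_REPLY):
        print(sample)
        for finding in audit_cleartext_session(sample) or ["ok"]:
            print("   ", finding)
```

An SSH client on the same machine does not change any of these results: the IMAP server itself has to offer STARTTLS, which is why the build asks for a TLS library.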

  8. Re: Setting up IMAP on Linux?

    On Tue, 29 May 2007 20:01:23 -0000, Grant Edwards wrote:

    >Dovecot always seems to be mentioned in a positive light when I
    >hear about it, so I'm thinking about giving it a try. I'm
    >currently using courier-imap, but I find its maildir directory
    >naming scheme really annoying.


    We have used Dovecot with maildir for a while for all our students. The
    advantage in our case was that most students still used POP3 so every
    time they connected and deleted one file the whole mailbox file would
    have to be copied. Dovecot and maildir speeded up things greatly.

    --
    Peter Peters, senior netwerkbeheerder
    Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
    Universiteit Twente, Postbus 217, 7500 AE Enschede
    telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

  9. Re: Setting up IMAP on Linux?

    On May 29, 10:29 pm, Grant Edwards wrote:
    > On 2007-05-29, Ramon F Herrera wrote:
    >
    > > Dovecot builds and installs beautifully under autoconfig and doesn't
    > > give me worrisome error messages which are either:
    >
    > > (1) Indication of sloppy programming.
    > > (2) Presuming that the user should look at the code and understand
    > > why the use of dangerous deprecated functions is unavoidable (I highly
    > > doubt it) and for some mysterious reason justifiable.
    >
    > > I always vote with my pocket and I just did it. Dovecot is my choice.
    >
    > Cool! I assume that means you're donating money to the Dovecot
    > project:
    >
    > http://www.dovecot.org/donate.html



    Ever heard "Time is money"? You may replace "time" with "code" and a
    number of other things.

    -Ramon



  10. Re: Setting up IMAP on Linux?

    On 2007-05-30, Ramon F Herrera wrote:

    >>> Dovecot builds and installs beautifully under autoconfig and doesn't
    >>> give me worrisome error messages which are either:
    >>
    >>> (1) Indication of sloppy programming.
    >>> (2) Presuming that the user should look at the code and understand
    >>> why the use of dangerous deprecated functions is unavoidable (I highly
    >>> doubt it) and for some mysterious reason justifiable.
    >>
    >>> I always vote with my pocket and I just did it. Dovecot is my
    >>> choice.
    >>
    >> Cool! I assume that means you're donating money to the Dovecot
    >> project:
    >>
    >> http://www.dovecot.org/donate.html
    >
    > Ever heard "Time is money"? You may replace "time" with "code"
    > and a number of other things.


    So you're giving code and a number of other things to the
    Dovecot project to show your appreciation for their product?

    --
    Grant Edwards, grante at visi.com
    Yow! Your CHEEKS sit like twin NECTARINES above a MOUTH that knows no
    BOUNDS --

  11. Re: Setting up IMAP on Linux?

    Ramon F Herrera wrote:
    > Answering your question: I might. I have donated the autoconfigure
    > process to a number of OSS projects, the most important being
    > Asterisk. This was hard cash ($800) that I paid to a world-class GNU
    > programmer from Romania. But alas, the Dovecot people are way ahead of
    > me. On the other hand I have given cash to a SIP project hoping that
    > they would add some specific code that interested me and they never
    > did. The lesson learned is: "give them code (hiring programmers
    > through Rent-A-Coder is pretty cheap), not cash".


    I send cash if I find a tool which does exactly what I want. I send code
    if I find a tool which does _almost_ exactly what I want.

    Geoff
