Hello! I'm using the plugin "Mail Fetch v. 1.3.0" for
SquirrelMail, and I need APOP functionality. I looked
inside the sources and saw that code for APOP authentication
is available but switched off.
I tried to switch it on, but authorization always fails.
After some investigation I found a bug (I think the
functionality was turned off because of it?) in the
"parse_banner()" function. It rips all zeros from the
server banner. Let me illustrate:
Server returns: <9797.130518476@Soul.dyndns.org>
Banner function returns: <9797.13518476@Soul.dyndns.org>
After fixing this issue all works fine.
And also one thing I think must be changed. You try
authenticating through simple POP when APOP
authentication fails. I think it isn't very good for
security reasons. If the user makes a mistake in one character
of the password and it is stolen when traveling through the
network, it isn't very hard to find the real password.
Patch I made
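The report above turns on two behaviours: the APOP timestamp must reach the MD5 step byte-for-byte, and a failed APOP must not be retried as USER/PASS. The sketch below is an added illustration of both, not code from the attached patch or from SquirrelMail; the function names, the greeting text around the banner and the password are assumptions.

```python
import hashlib
import re

# RFC 1939 timestamp: a msg-id in angle brackets inside the +OK greeting.
_TIMESTAMP = re.compile(r"<[^<>\s]+@[^<>\s]+>")

def parse_banner(greeting):
    """Return the APOP timestamp exactly as the server sent it, or None."""
    if not greeting.startswith("+OK"):
        return None
    m = _TIMESTAMP.search(greeting)
    return m.group(0) if m else None

def apop_digest(timestamp, secret):
    """Hex MD5 of the timestamp (brackets included) followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()

def auth_commands(greeting, user, secret, allow_plaintext=False):
    """Choose one method up front; a rejected APOP is never retried as USER/PASS."""
    ts = parse_banner(greeting)
    if ts is not None:
        return ["APOP %s %s" % (user, apop_digest(ts, secret))]
    if allow_plaintext:
        return ["USER %s" % user, "PASS %s" % secret]
    raise RuntimeError("no APOP timestamp in greeting; refusing plaintext login")

if __name__ == "__main__":
    # Greeting constructed around the banner quoted in the report;
    # the password is a constructed sample value.
    greeting = "+OK POP3 ready <9797.130518476@Soul.dyndns.org>"
    intact = parse_banner(greeting)
    stripped = "<9797.13518476@Soul.dyndns.org>"  # banner with the zero removed
    print(intact, apop_digest(intact, "example-secret"))
    print(stripped, apop_digest(stripped, "example-secret"))  # different digest
```

Because the server hashes the timestamp it actually sent, the digest computed from the zero-stripped banner can never match, which is why every APOP login failed before the fix.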
Logged In: YES
user_id=508228
Suren, if you are still around, I'd be happy to test this with you and get it
straightened out. Please get in touch if interested... or anyone else?
Logged In: YES
user_id=70739
Paul, yes, I'd be happy to help you straighten it out.
As I said before, the problem is "ripping zeroes from the server
banner". Also I think falling back from APOP to POP if
authentication fails is a security issue.
Both of these things are fixed for version 1.3.0 in the attached patch.
I can remake the patch for the latest version, if you want. You can
contact me by mail: "ds7fff@myrealbox.com" or sometimes by
ICQ: 79214249
Patch against mail_fetch from sm-1.4.1
Logged In: YES
user_id=70739
Patch remade against mail_fetch included in SquirrelMail
1.4.1 (same problems).
Logged In: YES
user_id=70739
Sure, I'm here. I'll update the patch to the current version of
mail_fetch on the weekend.
Logged In: YES
user_id=225877
There is no need to update it. Your patch is simple enough
and I can apply it to the current code base.
I am planning to rewrite the entire class in order to avoid
licensing issues and add TLS/STLS support.
Logged In: YES
user_id=225877
SquirrelMail 1.5.2cvs allows selecting the 'USER', 'APOP' or
'APOP or USER' authentication options. It also supports TLS
and STARTTLS encryption, if the PHP version used provides
the needed functions.
Not sure if the changes are acceptable in stable, because
the previously used POP client library is replaced with a new one
and I don't have any plans to implement TLS/STLS support in
a library which might be incompatible with GPL.
Moving the report to the 1.4.x tracker, because the plugin is bundled
with SquirrelMail and the issue is fixed in HEAD.
Logged In: YES
user_id=508228
Tomas, did you remove your name because you are done with
the 1.5 implementation and will not be responsible for porting
any such changes to 1.4? If 1.5 supports this feature,
let's make a clear note about it here and close this, or
make it lowest priority, something to note that this issue
is resolved by upgrading...
Logged In: YES
user_id=225877
When APOP was implemented in 1.5.2cvs, I replaced the third-party
POP fetch class with my own POP client implementation.
The changes are complex because these classes are not
compatible. I don't think that they will be accepted by
the stable team. I don't want to be responsible for a tracker
which I can't close.
The changes might be pushed to stable only if the stable team
developers evaluate the plugins/mail_fetch/class.POP3.php
license (http://www.thewebmasters.net/php/POP3-1_0.tar.gz)
and find it incompatible with GPL.