#12 APOP for "Mail Fetch"

open
nobody
None
3
2006-09-09
2002-06-29
No

Hello! I'm using the plugin "Mail Fetch v. 1.3.0" for
SquirrelMail, and I need APOP functionality. I looked
inside the sources and saw that code for APOP authentication
is available but switched off.

I tried to switch it on, but authorization always fails.
After some investigation I found a bug (I think the
functionality was turned off because of it?) in the
"parse_banner()" function. It rips all zeros from the
server banner. Let me illustrate:
Server returns: <9797.130518476@Soul.dyndns.org>
Banner function returns: <9797.13518476@Soul.dyndns.org>

After fixing this issue all works fine.

And also one thing I think must be changed. You try
authenticating through simple POP when APOP
authentication fails. I think it isn't very good for
security reasons. If the user makes a mistake in one character
of the password and it is stolen when traveling through the
network, it isn't very hard to find the real password.
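
The failure described in the report above, as an added example that is not part of the original post or of the plugin's code: APOP (RFC 1939) sends the MD5 of the greeting timestamp followed by the password, so a timestamp that lost its zeros yields a digest the server rejects. The function names and the password are constructed, and the `empty()`-based loop is an assumed cause of the lost zeros, since the page does not show the original function body.

```php
<?php
// Added example, not SquirrelMail's or the POP3 class's own code.
// Constructed greeting line built around the timestamp quoted in the report.
$greeting = '+OK POP3 server ready <9797.130518476@Soul.dyndns.org>';
$password = 'example-password'; // constructed sample secret

// Assumed shape of the defect: a per-character copy guarded by empty().
// In PHP, empty("0") is true, so every '0' character is silently skipped.
function banner_lossy(string $text): string {
    $inside = false;
    $banner = '';
    for ($i = 0, $n = strlen($text); $i < $n; $i++) {
        $ch = $text[$i];
        if (empty($ch)) {
            continue;                      // this is where "0" disappears
        }
        if ($ch === '<') { $inside = true; continue; }
        if ($ch === '>') { break; }
        if ($inside) { $banner .= $ch; }
    }
    return "<$banner>";
}

// Corrected extraction: take the msg-id verbatim, angle brackets included.
function banner_exact(string $text): ?string {
    return preg_match('/<[^<>\s]+@[^<>\s]+>/', $text, $m) ? $m[0] : null;
}

// RFC 1939 APOP digest: hex MD5 of the timestamp (with its brackets)
// immediately followed by the shared secret.
function apop_digest(string $banner, string $password): string {
    return md5($banner . $password);
}

$lossy = banner_lossy($greeting);
$exact = banner_exact($greeting);
if ($exact === null) {
    // No timestamp in the greeting means the server does not offer APOP.
    exit("server greeting carries no APOP timestamp\n");
}

$sent     = apop_digest($lossy, $password);  // what the buggy client sends
$expected = apop_digest($exact, $password);  // what the server computes

echo "lossy banner : $lossy\n";
echo "exact banner : $exact\n";
echo "digests match: " . (hash_equals($expected, $sent) ? 'yes' : 'no') . "\n";
```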

Discussion

  • Suren A. Chilingaryan

    Patch I made

     
  • Paul Lesniewski

    Paul Lesniewski - 2003-05-08

    Logged In: YES
    user_id=508228

    Suren, if you are still around, I'd be happy to test this with you and get it
    straightened out. Please get in touch if interested... or anyone else?

     
  • Suren A. Chilingaryan

    Logged In: YES
    user_id=70739

    Paul, yes, I'd be happy to help you straighten it out.
    As I said before, the problem is "ripping zeroes from Server
    banner". Also I think falling back from APOP to POP if
    authentication fails is a security issue.

    Both of these things are fixed for version 1.3.0 in the attached patch.

    I can remake the patch for the latest version, if you want. You can
    contact me by mail: "ds7fff@myrealbox.com" or sometimes by
    ICQ: 79214249

     
  • Suren A. Chilingaryan

    Logged In: YES
    user_id=70739

    Patch remade against mail_fetch included in SquirrelMail
    1.4.1 (same problems).

     
  • Tomas Kuliavas

    Tomas Kuliavas - 2006-08-13
    • assigned_to: nobody --> tokul
     
  • Suren A. Chilingaryan

    Logged In: YES
    user_id=70739

    Sure, I'm here. I'll update the patch to the current version of
    mail_fetch on the weekend.

     
  • Tomas Kuliavas

    Tomas Kuliavas - 2006-08-17

    Logged In: YES
    user_id=225877

    There is no need to update it. Your patch is simple enough
    and I can apply it to the current code base.

    I am planning to rewrite the entire class in order to avoid
    licensing issues and add TLS/STLS support.

     
  • Tomas Kuliavas

    Tomas Kuliavas - 2006-08-26

    Logged In: YES
    user_id=225877

    SquirrelMail 1.5.2cvs allows selecting 'USER', 'APOP' or
    'APOP or USER' authentication options. It also supports TLS
    and STARTTLS encryption, if the PHP version in use provides
    the needed functions.

    Not sure if the changes are acceptable in stable, because
    the previously used POP client library is replaced with a new one
    and I don't have any plans to implement TLS/STLS support in
    a library which might be incompatible with the GPL.

    Moving the report to the 1.4.x tracker, because the plugin is bundled
    with SquirrelMail and the issue is fixed in HEAD.

     
  • Tomas Kuliavas

    Tomas Kuliavas - 2006-09-09
    • assigned_to: tokul --> nobody
     
  • Paul Lesniewski

    Paul Lesniewski - 2006-09-09

    Logged In: YES
    user_id=508228

    Tomas, did you remove your name because you are done with
    the 1.5 implementation and will not be responsible for porting
    any such changes to 1.4? If 1.5 supports this feature,
    let's make a clear note about it here and close this, or
    make it lowest priority, something to note that this issue
    is resolved by upgrading...

     
  • Tomas Kuliavas

    Tomas Kuliavas - 2006-09-09

    Logged In: YES
    user_id=225877

    When APOP was implemented in 1.5.2cvs, I replaced the third
    party POP fetch class with my own POP client implementation.
    The changes are complex because these classes are not
    compatible. I don't think that they will be accepted by
    the stable team. I don't want to be responsible for a tracker
    item which I can't close.

    Changes might be pushed to stable only if the stable team
    developers evaluate the plugins/mail_fetch/class.POP3.php
    license (http://www.thewebmasters.net/php/POP3-1_0.tar.gz)
    and find it incompatible with the GPL.

     
  • Tomas Kuliavas

    Tomas Kuliavas - 2006-09-09
    • priority: 5 --> 3
     
