Which version of UW IMAP is the DA imapd based on? Versions of UW IMAP prior to imap-2004g (released Sep 15 2005) apparently allow arbitrary code execution with a valid account on the server:

http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=true

or, more concisely:

http://secunia.com/advisories/17062/

Thanks,
Andy

2002d-11

Looks like we might be affected by this?

Latest in the file archive here is

da_imap-2004c1.tar.gz 01-Mar-2005 15:33 1.5M

Can anyone from the DA team comment on this? Is a new package going to be released?

Hello,

Yes, we'll provide an update within 72 hours.

John

There is no sign of the new imap file on the services yet. Has it been updated?

Jon

Hello,

/services/da_imap-2004g.tar.gz (http://files.directadmin.com/services/da_imap-2004g.tar.gz)

To install it, type:
wget http://files.directadmin.com/services/da_imap-2004g.tar.gz
tar xvzf da_imap-2004g.tar.gz
cd imap-2004g
./buildit
(press y to the question)
cd imapd
cp imapd /usr/sbin/imapd
chmod 755 /usr/sbin/imapdJohn

Would you also build a new imapd for freebsd users? Or could wo also build from that tar.gz

Originally posted by stffabi
Would you also build a new imapd for freebsd users? Or could wo also build from that tar.gz

use tarball. It isn't a RPM :s

Originally posted by DirectAdmin Support
Hello,

/services/da_imap-2004g.tar.gz (http://files.directadmin.com/services/da_imap-2004g.tar.gz)

To install it, type:
wget http://files.directadmin.com/services/da_imap-2004g.tar.gz
tar xvzf da_imap-2004g.tar.gz
cd imap-2004g.tar.gz
./buildit
(press y to the question)
cd imapd
cp imapd /usr/sbin/imapd
chmod 755 /usr/sbin/imapdJohn

For the copy/pasters :) A small fix ;)


wget http://files.directadmin.com/services/da_imap-2004g.tar.gz
tar xvzf da_imap-2004g.tar.gz
cd imap-2004g
./buildit
(press y to the question)
cd imapd
cp imapd /usr/sbin/imapd
chmod 755 /usr/sbin/imapd

Hello,

It should work for freebsd as well (As far as the "./buildit" command is concerned). I'm not positive about the libraries setup in the Makefiles though, they might be different.

John

Originally posted by DirectAdmin Support
Hello,

/services/da_imap-2004g.tar.gz (http://files.directadmin.com/services/da_imap-2004g.tar.gz)

To install it, type:
wget http://files.directadmin.com/services/da_imap-2004g.tar.gz
tar xvzf da_imap-2004g.tar.gz
cd imap-2004g.tar.gz
./buildit
(press y to the question)
cd imapd
cp imapd /usr/sbin/imapd
chmod 755 /usr/sbin/imapdJohn
in debian just run this before the build:
apt-get install libkrb5-dev

[root@www0 imap-2004g]# ./buildit
make sslnone
make[1]: Entering directory `/root/imap-2004g'
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Building in NON-COMPLIANCE with RFC 3501 security requirements:
+ Non-compliant:
++ TLS/SSL encryption is NOT supported
++ Unencrypted plaintext passwords are permitted

Is there a reason this is "non compliant" ?

freebsd users do this before the buildit step, this had the same issue as the last version of the imapd src package.

nano Makefile
line 253 (DA added this line so not sure of side affects of this but hasnt caused me harm yet)
comment out line 253

./buildit
(press y to the question)
cd imapd
cp imapd /usr/sbin/imapd
chmod 755 /usr/sbin/imapd

Hi, I get the following error message so I cannot install under Freebsd 5.3
`cat ../c-client/CCTYPE` -I../c-client `cat ../c-client/CFLAGS` -o mtest mtest.o ../c-client/c-client.a `cat ../c-client/LDFLAGS`
/usr/bin/ld: cannot find -ldl
*** Error code 1

Stop in /pic/da/imap-2004g/mtest.
*** Error code 1

Stop in /pic/da/imap-2004g.
*** Error code 1

Stop in /pic/da/imap-2004g.

Can somebody please tell me how to fix it?

Thanks

I had to do a:

make clean
./buildit

in the imapd directory before success.

HTH

Jon

Originally posted by hostpc.com
[root@www0 imap-2004g]# ./buildit
make sslnone
make[1]: Entering directory `/root/imap-2004g'
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Building in NON-COMPLIANCE with RFC 3501 security requirements:
+ Non-compliant:
++ TLS/SSL encryption is NOT supported
++ Unencrypted plaintext passwords are permitted

Is there a reason this is "non compliant" ?

See docs/SSLBUILD from the tarball for more information.

You can try editing buildit to build to support SSL:


#!/bin/sh
OS=`uname`
if [ "$OS" = "FreeBSD" ]; then
make bsf SSLTYPE=unix
else
make slx SSLTYPE=unix
fi

or be fully "compliant":


#!/bin/sh
OS=`uname`
if [ "$OS" = "FreeBSD" ]; then
make bsf SSLTYPE=unix.nopwd
else
make slx SSLTYPE=unix.nopwd
fi

But you may want to be prepared to support users that will no longer be able to login with unencrypted passwords.

(We're using the former of the two buildits listed above to support SSL for our users.)

Andy

Originally posted by moises2k
Hi, I get the following error message so I cannot install under Freebsd 5.3
`cat ../c-client/CCTYPE` -I../c-client `cat ../c-client/CFLAGS` -o mtest mtest.o ../c-client/c-client.a `cat ../c-client/LDFLAGS`
/usr/bin/ld: cannot find -ldl
*** Error code 1

Stop in /pic/da/imap-2004g/mtest.
*** Error code 1

Stop in /pic/da/imap-2004g.
*** Error code 1

Stop in /pic/da/imap-2004g.

Can somebody please tell me how to fix it?

Thanks

did you bother to read my post the one above yours :)

John thanks as always for your timely update. One question, currently I'm using stunnel to provide secure IMAP. If I make the changes to the buildit script to enable SSL, I will not need stunnel anymore for IMAP correct?

Thanks,
Dustin

Hello,

I believe you'd leave everything as is. With the imap binary supporting ssl, it would enable users to connect to port 143 in plaintext, then use the new "STARTLS" method to switch the connection over to ssl (I believe). This saves needing a 2nd port for ssl. Both would work on 143. The way you've got it (likely) with ssl on a 2nd port would be fine as is. The imap binary would be plaintext on both ports (as far as the binary is concerned), but the stunnel would do the ssl bit, right from the get-go on the ssl port.

John

Originally posted by DirectAdmin Support
I believe you'd leave everything as is. With the imap binary supporting ssl, it would enable users to connect to port 143 in plaintext, then use the new "STARTLS" method to switch the connection over to ssl (I believe). This saves needing a 2nd port for ssl. Both would work on 143. The way you've got it (likely) with ssl on a 2nd port would be fine as is. The imap binary would be plaintext on both ports (as far as the binary is concerned), but the stunnel would do the ssl bit, right from the get-go on the ssl port.

John

FWIW, we're running the same imapd binary out of inetd listening on the imap4 and imaps ports, without stunnel. On imap4 it's unencrypted initially, but offers STARTTLS; imaps is ssl only.

Andy

Thanks worked great. May want to do a /sbin/service xinetd stop before trying to copy the new imapd binary over the old one.

- Dustin

John can you comment on that line 253 please in the Makefile, not sure what you added it for and is it harmless to disable on a fbsd box?

Currently have not seen any negative affects, but other bsd users will probably want you to confirm it.

thanks.

/usr/bin/ld: /usr/local/imap-2004g/lib/libc-client.a(osdep.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
/usr/local/imap-2004g/lib/libc-client.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [libphp5.la] Error 1

This happens in php recompile
When trying to install under 64bit

freeBSD5.4

this error

.........................

# ./buildit
........................

........................


touch rebuild
sh -c 'rm -rf rebuild || true'
Building bundled tools...
cd mtest;make
`cat ../c-client/CCTYPE` -I../c-client `cat ../c-client/CFLAGS` -c mtest.c
`cat ../c-client/CCTYPE` -I../c-client `cat ../c-client/CFLAGS` -o mtest mtest.o ../c-client/c-client.a `cat ../c-client/LDFLAGS`
/usr/bin/ld: cannot find -ldl
*** Error code 1

Stop in /usr/local/directadmin/scripts/packages/imap-2004g/mtest.
*** Error code 1

Stop in /usr/local/directadmin/scripts/packages/imap-2004g.
*** Error code 1

Stop in /usr/local/directadmin/scripts/packages/imap-2004g.

i ve got a problem with squirrelmail ! i tried whael his update script but imap2004g isn't working

using fc4 and DA my question is where do i need to instaal the imap 2004g ?? in da or customapache or somewhere else??

btw can anybody give me the code for the display with server settings and imap settings?

I tried to install imap2004g (with SSLTYPE=unix.nopwd) , but apparently squirrelmail does not support STARTTLS.

what are the downsides of going back to SSLTYPE=unix?

Is there another way to support Squirrelmail?

Answer to any of these will help..