Re: [Evolution] Odd behaviour with 'Apply Filters'



Some or all of your filters point to a non-SSL URI (this issue has been
resolved in 2.0), so you'll need to re-config your move/copy filters.

Jeff

On Fri, 2004-09-17 at 17:42, Jamie L. Penman-Smithson wrote:

Hey all,

First things first, I'm running evolution 1.4.6 on Debian Sid running
kernel 2.6.8.

I recently changed my IMAP server configuration to reject plain text
logins. I told evolution to use CRAM-MD5 and always use SSL when
connecting, all seemed fine.

Now, when I attempt to re-filter messages in my INBOX - I can't. I get
repeatedly asked for a password. The problem appears to be because
evolution is making a connection to the server which is unencrypted,
apparently for the purposes of applying my filters, even though I
explicitly set up the account to use SSL *always*.

Debugging evolution shows this:

received: * OK lorien.silverdream.org Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-9 server ready
sending : I00000 CAPABILITY
received: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
received: I00000 OK Completed
sending : I00001 LOGIN xxx xxx
received: I00001 NO Login only available under a layer
sending : I00002 LOGOUT
received: * BYE LOGOUT received

Not only this, evolution does not comply with RFC 2595 since it issues a
LOGIN command even though the LOGINDISABLED capability is present.

"The current IMAP protocol specification (RFC 2060) requires the
implementation of the LOGIN command which uses clear-text passwords. Many
sites may choose to disable this command unless encryption is active for
security reasons. An IMAP server MAY advertise that the LOGIN command is
disabled by including the LOGINDISABLED capability in the capability
response. Such a server will respond with a tagged "NO" response to any
attempt to use the LOGIN command."

"An IMAP server which implements STARTTLS MUST implement support for the
LOGINDISABLED capability on unencrypted connections."

** "An IMAP client which complies with this specification MUST NOT issue
the LOGIN command if this capability is present." **

"This capability is useful to prevent clients compliant with this
specification from sending an unencrypted password in an environment
subject to passive attacks. It has no impact on an environment subject to
active attacks as a man-in-the-middle attacker can remove this capability.
Therefore this does not relieve clients of the need to follow the privacy
mode recommendation in section 2.2."

If I'm missing something, let me know...

Thanks,

-j
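
Added example (not part of the original thread and not Evolution's code): a sketch of the pre-authentication decision the quoted RFC 2595 text implies, run against the CAPABILITY line from the debug output above. The function names, the require_tls flag and the mechanism preference list are assumptions made for illustration.

```python
"""Pre-authentication decision for an IMAP client (illustrative sketch)."""

# CAPABILITY response copied from the debug output in the post.
CAPS_FROM_POST = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
    "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
    "SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS "
    "LOGINDISABLED AUTH=DIGEST-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE"
)


def parse_capabilities(line):
    """Return the set of capability atoms from an untagged CAPABILITY line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return {p.upper() for p in parts[2:]}


def next_step(caps, tls_active, require_tls,
              client_mechs=("CRAM-MD5", "DIGEST-MD5")):
    """Return "STARTTLS", "AUTHENTICATE <mech>", "LOGIN" or "ABORT"."""
    if not tls_active:
        if require_tls:
            # Account is set to always encrypt. A missing STARTTLS may mean
            # the capability was stripped in transit, so fail closed.
            return "STARTTLS" if "STARTTLS" in caps else "ABORT"
        if "STARTTLS" in caps:
            return "STARTTLS"  # upgrade, then re-read CAPABILITY
    # Prefer a SASL mechanism the server advertises over a clear-text LOGIN.
    for mech in client_mechs:
        if "AUTH=" + mech in caps:
            return "AUTHENTICATE " + mech
    # RFC 2595: MUST NOT issue LOGIN if LOGINDISABLED is present.
    if "LOGINDISABLED" in caps:
        return "ABORT"
    # Stricter than the RFC requires (an assumption of this sketch):
    # clear-text LOGIN is only sent inside TLS.
    return "LOGIN" if tls_active else "ABORT"


if __name__ == "__main__":
    caps = parse_capabilities(CAPS_FROM_POST)
    print(next_step(caps, tls_active=False, require_tls=True))
    # Constructed case: the same response with both capabilities stripped.
    stripped = caps - {"STARTTLS", "LOGINDISABLED"}
    print(next_step(stripped, tls_active=False, require_tls=True))
```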



