Gentoo Forums
uw-imap problems with latest emerge 2004c-r3
Paul Forgey
n00b

Joined: 11 Dec 2003
Posts: 51

Posted: Fri Mar 04, 2005 1:35 am    Post subject: uw-imap problems with latest emerge 2004c-r3

Just emerged the latest uw-imapd 2004c-r3 a few minutes ago. It no longer logs users in unless the connection is over ssl. When failing the authentication, it logs "account disabled". It does this for _all_ accounts which are able to authenticate just fine for other services including telnet, ftp and ssh. Again, imap ssl connections work.

How do I either fix this or back out of the latest update?

wokan
n00b

Joined: 07 Mar 2003
Posts: 7
Location: Arizona

Posted: Fri Mar 04, 2005 3:36 am    Post subject: uw-imap problems with 2004c-r3

I'm experiencing the same difficulties. Originally I didn't think it was imap causing the problem as only my wife was having difficulty getting her email. I was using it just fine from work, but at work I access my home imap via SSL.
_________________
Digital Wokan
Tribal Mage of the Electronics Age

Paul Forgey
n00b

Joined: 11 Dec 2003
Posts: 51

Posted: Fri Mar 04, 2005 4:31 am    Post subject: Re: uw-imap problems with 2004c-r3

wokan wrote:
I'm experiencing the same difficulties. Originally I didn't think it was imap causing the problem as only my wife was having difficulty getting her email. I was using it just fine from work, but at work I access my home imap via SSL.


That's exactly how I found the problem too! My wife called me from work. Since I use SSL on my laptop to my imap server from work, it took me a little while to catch on to what was going on.

Found it: re-emerge with clearpasswd in USE.

j-m
Retired Dev

Joined: 31 Oct 2004
Posts: 975

Posted: Fri Mar 04, 2005 9:01 am

Quote:

03 Mar 2005; Andrej Kacian <ticho@gentoo.org> uw-imap-2004c-r1.ebuild,
+uw-imap-2004c-r3.ebuild:
Revision bump to restrict cleartext LOGIN to SSL/TLS sessions by default.
Introduced "clearpasswd" USE flag to toggle this restriction. Suggested by
Tero Pelander <tpeland@tkukoulu.fi> in bug #83797. 2004c-r1 stable on x86.


:idea:

andyjeffries
Apprentice

Joined: 14 Apr 2004
Posts: 196
Location: Stevenage, Herts, UK

Posted: Fri Mar 04, 2005 9:21 am

j-m wrote:
Quote:

03 Mar 2005; Andrej Kacian <ticho@gentoo.org> uw-imap-2004c-r1.ebuild,
+uw-imap-2004c-r3.ebuild:
Revision bump to restrict cleartext LOGIN to SSL/TLS sessions by default.
Introduced "clearpasswd" USE flag to toggle this restriction. Suggested by
Tero Pelander <tpeland@tkukoulu.fi> in bug #83797. 2004c-r1 stable on x86.


:idea:


What a twatty change!!! I'm sorry and I know it's a better idea, but you can't make a change like that that breaks current installations!

I'm really glad I'm using Gentoo on servers now!!!

:(
_________________
Developer of gPHPEdit
A8N-SLI/AMD X2 4800+/2GB Dual Channel/GF 7900GT OC

j-m
Retired Dev

Joined: 31 Oct 2004
Posts: 975

Posted: Fri Mar 04, 2005 9:24 am

Always read the Changelog before upgrading server packages... At least do

Code:

emerge -aDpvl [package_name]


Quote:

--changelog (-l)
Use this in conjunction with the --pretend action. This will show the ChangeLog entries for all the packages
that will be upgraded.

andyjeffries
Apprentice

Joined: 14 Apr 2004
Posts: 196
Location: Stevenage, Herts, UK

Posted: Fri Mar 04, 2005 9:31 am

j-m wrote:
Always read the Changelog before upgrading server packages... At least do
Code:

emerge -aDpvl [package_name]


I still disagree with making a change like that to a package that's working. I guess something like a new use flag of "clearonlyssl" would be better.

Am I the only one that feels there is something inherently wrong in making a change to a long standing package like this that breaks current functionality?

Cheers,


Andy
_________________
Developer of gPHPEdit
A8N-SLI/AMD X2 4800+/2GB Dual Channel/GF 7900GT OC

j-m
Retired Dev

Joined: 31 Oct 2004
Posts: 975

Posted: Fri Mar 04, 2005 9:33 am

OK, so disagree. Otherwise, "clearonlyssl" makes no sense. You would have no problems if you read the changelog before upgrading.

GamesBond
n00b

Joined: 15 Mar 2004
Posts: 66
Location: Amsterdam

Posted: Fri Mar 04, 2005 12:13 pm

I don't agree, this just breaks stuff that has been working before.

At *least* the ebuild should have paused and have given a prompt to continue with a warning

This sucks

j-m
Retired Dev

Joined: 31 Oct 2004
Posts: 975

Posted: Fri Mar 04, 2005 12:21 pm

GamesBond wrote:
I don't agree, this just breaks stuff that has been working before.

At *least* the ebuild should have paused and have given a prompt to continue with a warning

This sucks


It does:

Code:

pkg_setup() {
        echo
        # clearpasswd enabled: cleartext LOGIN is accepted on any session
        if use clearpasswd; then
                ewarn "Building uw-imap with cleartext LOGIN allowed. Disable \"clearpasswd\" USE"
                ewarn "flag to restrict cleartext LOGIN to SSL/TLS sessions only."
        else
                # clearpasswd disabled: cleartext LOGIN needs SSL/TLS, so ssl must be enabled
                if use ssl; then
                        ewarn "Building uw-imap with cleartext LOGIN restricted to SSL/TLS sessions only."
                        ewarn "Enable \"clearpasswd\" flag to allow unrestricted cleartext LOGIN."
                else
                        # neither flag set: nobody could log in, so abort the build
                        ewarn "You have disabled SSL for uw-imap, but want cleartext passwords restricted to"
                        ewarn "SSL/TLS sessions only. Either enable \"ssl\" USE flag, or \"clearpasswd\""
                        ewarn "USE flag."
                        die "Impossible USE flag combination, see above message"
                fi
        fi
}

ticho
Tux's lil' helper

Joined: 23 Oct 2003
Posts: 138
Location: yes

Posted: Fri Mar 04, 2005 5:18 pm

All I can say to this, is that those who blindly update production services deserve what they get. When upgrading a package, one really should have a look at what exactly is new, and decide to upgrade or not to upgrade. Gentoo even provides you with convenient ways to ignore a certain upgrade (package.mask).

Another thing - ewarn/einfo messages are meant to be read by the admin, and that's *YOU*.
_________________
The more you depend on forces outside yourself, the more you are dominated by them.

tparker
Tux's lil' helper

Joined: 03 Oct 2002
Posts: 85

Posted: Sat Mar 05, 2005 4:24 am

uw-imap isn't the only example of something suddenly 'broken' due to an upgrade - I frequently have problems with suidperl, and also other packages (which ones evade me at this minute). Yes, I agree that the changelog is there for a reason and should be read - except a further problem exists where certain packages (such as perl) are often automatically upgraded as a dependency to something else. It is very time consuming / troublesome each time to check through a whole list of dependencies just to upgrade one package - especially when half the time updates are only revision updates. (I often wonder how much electricity worldwide is wasted on re-compilation of packages en-masse by Gentoo systems).

I think a better way of securing a package would not be to change a mechanism over night, but to keep things as they are but supporting a USE flag that would compile a more secure version. Right now it's the other way round - users are forced to use the secure version unless they specify otherwise.

BTW, "emerge -aDpvl uw-imap" doesn't show me any change log. All I get is:

Quote:
These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild R ] net-mail/uw-imap-2004c-r3 -clearpasswd -debug +ipv6 -kerberos -pic +ssl 0 kB


Terence

langthang
Retired Dev

Joined: 27 Nov 2003
Posts: 620

Posted: Sat Mar 05, 2005 5:11 am

tparker wrote:
BTW, "emerge -aDpvl uw-imap" doesn't show me any change log.

because you already *upgraded*
Code:
These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild R ] net-mail/uw-imap-2004c-r3 -clearpasswd -debug +ipv6 -kerberos -pic +ssl 0 kB

from `man emerge`
Code:
       --changelog (-l)
              Use this in conjunction with the --pretend  action.   This  will
              show  the  ChangeLog  entries  for all the packages that will be
              upgraded.

_________________
Gentoo users' map

j-m
Retired Dev

Joined: 31 Oct 2004
Posts: 975

Posted: Sat Mar 05, 2005 10:32 am

tparker wrote:
It is very time consuming / troublesome each time to check through a whole list of dependencies just to upgrade one package - especially when half the time updates are only revision updates. (I often wonder how much electricity worldwide is wasted on re-compilation of packages en-masse by Gentoo systems).


Have you already heard about revdep-rebuild and perl-cleaner? :idea:

labrador
Guru

Joined: 04 Oct 2003
Posts: 316

Posted: Mon Mar 07, 2005 11:22 am    Post subject: This is unorthodox

Can anyone name one other service where the default level of
security must be set through a USE variable?

If you want to build a tighter box by default, you set it up in a config file.
Disable imap by default and add a comment encouraging secure.

You should never require recompiling to achieve a security setting

There are many of us that don't need arm twisting to make tighter
security as it just doesn't apply. In my home LAN, I am not
concerned with someone picking up passwords over the one hop
between client and IMAP server. It just isn't going to happen.
I should be able to use as many clear text authentication
services as I feel like, without being forced to jump through
hoops like this that have no precedent.

As for watching emerge builds for ewarnings, this continues to
be a joke. No one watches this for the hours it sometimes
takes to build a dozen or two of updates. It is a stupid concept.
ewarnings have very little hope of being seen this way.
They should always go to emerge.log or some more useful
place.

Likewise, reading changelogs is seldom informative. It usually
says things like "version bump", "moved to stable", and
"fixed bug 34291". I'm not going to start scanning all that
background noise for some important notice involving an ebuild
that breaks all conventions of Gentoo practises.

j-m
Retired Dev

Joined: 31 Oct 2004
Posts: 975

Posted: Mon Mar 07, 2005 11:27 am    Post subject: Re: This is unorthodox

labrador wrote:

As for watching emerge builds for ewarnings, this continues to
be a joke. No one watches this for the hours it sometimes
takes to build a dozen or two of updates. It is a stupid concept.
ewarnings have very little hope of being seen this way.
They should always go to emerge.log or some more useful
place.


You don't have to watch for hours... See http://dev.gentoo.org/~eldad/ :idea:

Also, I don't see why reading changelog is seldom informative. It points you to the bugs where you can find out more... If you don't care to go and find there, then don't complain.

tparker
Tux's lil' helper

Joined: 03 Oct 2002
Posts: 85

Posted: Mon Mar 07, 2005 11:47 am

Changelog is seldom informative because it's not particularly easy to read. When you do 'emerge -uDpvl' on a given package, chances are you would get an extremely long stream of output as there would be several prerequisites and packages that also need updating. For many people they can't even scroll back far enough to read all the output on default terminal settings (though it works fine on OS X) - and even if they could the output itself isn't exactly well formatted and easy to read.

It's all very well to say one should do their research thoroughly before upgrading, but if Linux is ever to become a successful operating system it at least needs to give the users confidence that what they're using isn't effectively just one huge 'beta test' - which is the impression I often get sometimes. I personally use a Mac - you can fiddle with the console for those who want to dig deep, yet you've got a nice GUI for the average user. Gnome/KDE just doesn't come close. But it's not even about that - as with Windows and FreeBSD, for all the deficiencies of Windows (and I do dislike Windows), at the very least it's a co-ordinated development effort. With Linux I can't help but get the feeling that changes are made to certain packages sometimes 'on a whim' by one or two (a small handful in any case) people just because 'they feel like it'.

On the whole, such paranoid security settings should not be implemented out of the blue in the first place - but if it really is necessary, then surely there must be a better way to inform the user. For changes that are known to cause people problems, there should be a clearly visible warning message (and preferably a pause) when such a package is being upgraded. Something that would be noticed even with a basic 'emerge -u package' command.

Right now, I've lost count how many times I've had headaches over suddenly not working daemons on my gentoo servers...

Terence


Last edited by tparker on Mon Mar 07, 2005 12:32 pm; edited 1 time in total

TerminalAddict
Tux's lil' helper

Joined: 13 Feb 2003
Posts: 119

Posted: Mon Mar 07, 2005 11:58 am

one more vote for "this sucks"

labrador
Guru

Joined: 04 Oct 2003
Posts: 316

Posted: Mon Mar 07, 2005 4:25 pm    Post subject: changelogs and enotice

Quote:
You don't have to watch for hours... See http://dev.gentoo.org/~eldad/ :idea:

Also, I don't see why reading changelog is seldom informative. It points you to the bugs where you can find out more... If you don't care to go and find there, then don't complain.


enotice sounds great, but I'll wait until it becomes part of the OS.
I want something that is maintained, not a one-off that might become
obsolete or break more things. In other words, I should not have to
hack up a solution to something basic that everyone should be using
just as I don't have to hack emerge to run env-update and other things
at the end of an emerge build.

As for changelogs, there is often, too often, little information on why a new
release is made. I've given up looking there when I do my maintenance
as it only makes me frustrated to have spent the energy. It isn't always
associated with a bug report. This time it was, yes, but many other times
I've learned critical stuff by reading the GWN or by searching the forums.

This is what many Gentoo developers don't seem to understand. If you want to
see Gentoo boxes installed by the dozens in server rooms, you can't expect
sysadmins to go through the same efforts that you do in maintaining your
couple of dev machines.

dopey
Apprentice

Joined: 10 Feb 2003
Posts: 235

Posted: Mon Mar 07, 2005 5:15 pm

ticho wrote:
All I can say to this, is that those who blindly update production services deserve what they get. When upgrading a package, one really should have a look at what exactly is new, and decide to upgrade or not to upgrade. Gentoo even provides you with convenient ways to ignore a certain upgrade (package.mask).

Another thing - ewarn/einfo messages are meant to be read by the admin, and that's *YOU*.


I agree that those who blindly update production servers deserve what they get. Additionally, I firmly believe gentoo is absolutely useless in a production server environment. Don't get me wrong, I love gentoo and think it's the best option I have as an enthusiast's and developer's operating system, but if you're thinking people should check every package that gets updated to determine why and if it's worth applying then gentoo is never ever going to make it in a production server environment. I run a server at work that's gentoo based. My use flags are extremely minimal. Even then, I update daily so I know what's going on. In a real production server environment, who's going to update daily? You're lucky to get weekly updates, monthly to quarterly are far far far more common. Have you ever seen how many packages get updated on a monthly basis (even with minimal USE flags)? Do you know how much time it'd take to go through every one of those packages, find out that the ChangeLogs are absolutely useless, and then have to read each ebuild and check the patches to see what was changed? It won't happen.

The goal of an OS/distribution in terms of production servers should be to make things EASIER to maintain, not harder and more time consuming.

Also, ewarn/einfo messages really useful when they scroll away. Yes, there are things an admin could do to take care of this, but once again this fits into the realm of, Gentoo should do it better.

Someone reported this nearly 2 1/2 years ago:
https://bugs.gentoo.org/show_bug.cgi?id=11359
And we still don't have this feature. IMO, this is a sign that Gentoo isn't anywhere NEAR ready for production server environments.

FYI, I have run production server environments in the past, I am currently a software developer for the architecture team of an enterprise level application (intended for deployment in enterprise production environments). I am familiar with what it takes to run a production server, and I also am familiar with the time availability many sysadmins have, and the lack of necessary skills amongst junior production sysadmins, and gentoo is seriously lacking. (On the other hand, as I said, I do run Gentoo in a "pseudo-production" environment).

Enough of my ranting, +1 vote for this sucks and Gentoo really needs a better way of announcing major changes like this.

mattman206
n00b

Joined: 12 May 2004
Posts: 5

Posted: Sat Mar 12, 2005 2:33 am

I agree. +1 vote for "this stinks". At least Gentoo has good forums where problems like this can usually be fixed in less than a day. 8O

I run a Gentoo server that has some important, although non-critical, services running like apache, exim, and uw-imapd.

When I update the server it usually goes something like this (right out of the book):
Code:

# emerge sync
# emerge -pv -u world
* shows list of packages that need updated, including uw-imap *
# emerge -u world


This last update stopped after the 2nd ebuild because of the mailbase-0.00-r8 problem that required manual moving of some /etc/pam.d/ files. But once I fixed that (like the error messages instructed) everything emerged without a hitch (so I thought.)

After I ran etc-update, I noticed that IMAP just stopped working. Originally I noticed that Squirrelmail wouldn't authenticate me, and had to get out telnet to port 143 and figure out why.

Nowhere was there an error message that the uw-imap package would be changing default functionality. I see a few posts that say to look at the changelog for each package. Unfortunately, this is simply not do-able. There were 30+ packages that needed updated, and sifting through the changelogs for each one would have taken hours.

There has to be a better way to do this. Perhaps a warning for USE flags that change the default operation of a package would do the trick? I don't know -- just throwing it out for discussion.
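
What a manual telnet session to port 143 reveals can also be checked mechanically. The following is an added example, not part of the original post or of uw-imap: it classifies an IMAP greeting or CAPABILITY line using the RFC 3501 LOGINDISABLED and STARTTLS capabilities. The function names, the sample lines and mail.example.org are constructed for illustration, and it assumes the server advertises these capabilities, which the thread itself does not show.

```python
import re

# SASL mechanisms that send the password itself: PLAIN (RFC 4616) and legacy LOGIN.
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}

# Capabilities arrive in the greeting's response code or an untagged CAPABILITY reply.
_CAP_RE = re.compile(
    r"\*\s+(?:(?:OK|PREAUTH)\s+\[CAPABILITY\s+([^\]]*)\]|CAPABILITY\s+(.*))", re.I)

# Constructed sample server lines (not captured from a real host).
RESTRICTED = ("* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED] "
              "mail.example.org IMAP4rev1 server ready")
PERMISSIVE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"
BARE_GREETING = "* OK mail.example.org IMAP4rev1 server ready"


def parse_capabilities(line):
    """Return the upper-cased capability atoms in one server line (empty set if none)."""
    m = _CAP_RE.match(line.strip())
    if not m:
        return set()
    return {atom.upper() for atom in (m.group(1) or m.group(2) or "").split()}


def password_exposure(line, tls_active):
    """Classify how a password would travel given one capability line.

    verdict is one of:
      unknown            no capability list in the line; send CAPABILITY and re-check
      protected          session is already inside SSL/TLS
      exposed            LOGIN or a plaintext SASL mechanism is usable without TLS
      refused-until-tls  password auth is off until STARTTLS is negotiated
      refused            password auth is off and no STARTTLS is offered
    """
    caps = parse_capabilities(line)
    # Compare whole atoms: LOGIN-REFERRALS and AUTH=LOGIN must not be mistaken
    # for LOGINDISABLED or for the LOGIN command.
    login_allowed = bool(caps) and "LOGINDISABLED" not in caps
    sasl = sorted(a[5:] for a in caps if a.startswith("AUTH=") and a[5:] in PLAINTEXT_SASL)
    starttls = "STARTTLS" in caps
    if not caps:
        verdict = "unknown"
    elif tls_active:
        verdict = "protected"
    elif login_allowed or sasl:
        verdict = "exposed"
    elif starttls:
        verdict = "refused-until-tls"
    else:
        verdict = "refused"
    return {"login_allowed": login_allowed, "plaintext_sasl": sasl,
            "starttls": starttls, "verdict": verdict}


if __name__ == "__main__":
    for label, line, tls in [("port 143, restricted build", RESTRICTED, False),
                             ("port 143, cleartext allowed", PERMISSIVE, False),
                             ("same server over SSL", PERMISSIVE, True),
                             ("greeting without capabilities", BARE_GREETING, False)]:
        print(f"{label:32} -> {password_exposure(line, tls)['verdict']}")
```

A webmail front end that only speaks plain IMAP to port 143 will fail against a server in the "refused-until-tls" state, while clients connecting over SSL keep working.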

DarrenM
l33t

Joined: 25 Apr 2002
Posts: 653
Location: Sydney, Australia

Posted: Tue Mar 15, 2005 8:32 pm

What a moronic use of USE flags. Apps should work by default when installed IMO. Having a USE flag for a higher level of security sure, but having to add one just to make it work is ridiculous.

I put this one up there with the classics like "dvd" and "cdparanoia".

dopey
Apprentice

Joined: 10 Feb 2003
Posts: 235

Posted: Wed Mar 16, 2005 8:43 pm

DarrenM wrote:
What a moronic use of USE flags. Apps should work by default when installed IMO. Having a USE flag for a higher level of security sure, but having to add one just to make it work is ridiculous.

I put this one up there with the classics like "dvd" and "cdparanoia".


USE flags have definitely deviated from just specifying dependency information. Makes for confusion. I can understand the extra security desires, but in this case, crippling something for security sake is silly. Anyone who's trying to run an imap server SHOULD be capable of understanding the security ramifications. If they can't, then well, they deserve to be bit.

mattman206 wrote:
Nowhere was there an error message that the uw-imap package would be changing default functionality. I see a few posts that say to look at the changelog for each package. Unfortunately, this is simply not do-able. There were 30+ packages that needed updated, and sifting through the changelogs for each one would have taken hours.


To defend the gentoo guys, there was an ewarn in the ebuild noting this. My biggest gripe is how horribly gentoo actually handles ewarn messages.

All times are GMT