FS#45851 - [imap] Adjust build options for IPv6 support and compliance, add systemd support

Attached to Project: Arch Linux
Opened by Thomas Bächler (brain0) - Friday, 31 July 2015, 07:24 GMT
Last edited by Toolybird (Toolybird) - Thursday, 13 April 2023, 22:32 GMT
Task Type: Feature Request
Category: Packages: Extra
Status: Closed
Assigned To: Pierre Schmitz (Pierre)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

The imap package in extra currently does not support IPv6. When running over inetd and receiving IPv6 connections, it cannot detect the port it is running on and thus does not know when to enable or disable SSL.

We also currently build with SSLTYPE=unix. This allows plaintext passwords over an unencrypted connection. This violates RFC 3501.

To fix these problems, I suggest changing the build options to:

SPECIALAUTHENTICATORS=ssl SSLTYPE=nopwd IP=6

It would also be nice to have systemd services. For example:
imapd.socket:

[Unit]
Description=IMAP socket

[Socket]
ListenStream=993
Accept=yes

[Install]
WantedBy=multi-user.target

imapd@.service:

[Unit]
Description=IMAP server instance %I

[Service]
ExecStart=-/usr/bin/imapd
StandardInput=socket
StandardError=journal

NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE

[Install]
Also=imapd.socket

Closed by Toolybird (Toolybird)
Thursday, 13 April 2023, 22:32 GMT
Reason for closing: Won't implement
Additional comments about closing: Pkg no longer exists in the repos.

Comment by Jan de Groot (JGC) - Friday, 31 July 2015, 12:39 GMT
"We also currently build with SSLTYPE=unix. This allows plaintext passwords over an unencrypted connection. This violates RFC 3501."

Lots of IMAP servers allow logging in with plaintext credentials over a plaintext connection. Most servers allow disabling this; if imapd needs a recompile for that, you're free to recompile imap with that option, but we should not break existing setups by enforcing encryption.

Personally I would not even recommend using this package as an IMAP server; the main reason it exists is the IMAP C client.
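
A check for the plaintext-login behaviour discussed in this task, as an added example that is not part of the task, its comments, or the imap package: it parses a capability list seen on the cleartext IMAP port and reports whether RFC 3501's LOGINDISABLED and STARTTLS capabilities are advertised. The sample server lines and the function names are constructed for illustration.

```python
import re

# Constructed sample server lines (not captured from a real server).
SAMPLE_PLAINTEXT_OK = ("* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR STARTTLS "
                       "AUTH=PLAIN AUTH=LOGIN] mail.example.org ready")
SAMPLE_HARDENED = "* CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED"
SAMPLE_NO_TLS = "* CAPABILITY IMAP4REV1 AUTH=PLAIN"

# SASL mechanisms that transmit the password itself (base64 is not encryption).
CLEARTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line):
    """Return the upper-cased capability set from an untagged CAPABILITY
    response or from a [CAPABILITY ...] response code in a greeting."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I))
    if not m:
        raise ValueError("no capability list in line")
    return {tok.upper() for tok in m.group(1).split()}


def audit_cleartext_port(line):
    """Findings for a capability list observed before STARTTLS is negotiated."""
    caps = parse_capabilities(line)
    findings = []
    if "LOGINDISABLED" not in caps:
        # Without this capability the server does not signal that LOGIN is refused.
        findings.append("LOGIN not disabled before TLS")
    exposed = sorted(CLEARTEXT_SASL & caps)
    if exposed:
        findings.append("cleartext SASL offered: " + ", ".join(exposed))
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PLAINTEXT_OK, SAMPLE_HARDENED, SAMPLE_NO_TLS):
        print(sample, "->", audit_cleartext_port(sample) or "ok")
```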
