Bug#494886: cyrus-clients-2.2: pop3test doesn't follow RFC - can't test dovecot pop3-server

Heiko Schlittermann hs at schlittermann.de
Tue Aug 12 21:28:23 UTC 2008


Package: cyrus-clients-2.2
Version: 2.2.13-10
Severity: important
Tags: patch


Hello,

I think I've found a bug in the imtest/pop3test utility.
It's not correctly checking the server response.

Let me explain some details:

I used pop3test to check a dovecot pop3-server:

    S: +OK Dovecot ready.
    C: CAPA
    S: +OK
    S: CAPA
    S: TOP
    S: UIDL
    S: RESP-CODES
    S: PIPELINING
    S: STLS
    S: USER
    S: SASL PLAIN
    S: .
    C: USER heiko
    S: +OK
    Authentication failed. generic failure
    Connection closed.


Digging in the imtest.c I found (function auth_pop(void))
the following lines:

    printf("C: USER %s\r\n", username);
    prot_printf(pout,"USER %s\r\n", username);
    prot_flush(pout);

    if (prot_fgets(str, 1024, pin) == NULL) {
        imtest_fatal("prot layer failure");
    }

    printf("S: %s", str);

    if (strncasecmp(str, "+OK ", 4)) return IMTEST_FAIL;

The issue is about the "+OK ". Note the trailing space there, and the
check for 4 characters. Dovecot just sends "+OK\r\n", nothing else.
There's no space following the "+OK".

Reading RFC1939 (section 9):

      Note that with the exception of the STAT, LIST, and UIDL commands,
      the reply given by the POP3 server to any command is significant
      only to "+OK" and "-ERR".  Any text occurring after this reply
      may be ignored by the client.


So I'd guess the above test is wrong. (A similar test is done some lines
later checking the response to the "PASS ..." command. And probably even
more often.)

The fix should be just something like this (in vi):

    %s/+OK ", 4/+OK", 3/g

in the imtest.c source.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.26.2.jumper
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages cyrus-clients-2.2 depends on:
ii  libc6                  2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii  libdb4.2               4.2.52+dfsg-2     Berkeley v4.2 Database Libraries [
ii  libsasl2-2             2.1.22.dfsg1-8    Authentication abstraction library
ii  libssl0.9.8            0.9.8c-4etch3     SSL shared libraries

cyrus-clients-2.2 recommends no packages.

-- no debconf information
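
Added example, not part of the original report or of imtest.c: a status-line check that accepts a bare "+OK" as the report's fix does, and also requires the indicator to end at a space or line end, so a token such as "+OKAY" is not treated as success. The function names and the sample lines are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum pop3_status { POP3_OK, POP3_ERR, POP3_INVALID };

/* The check quoted in the report: it requires a space after "+OK". */
static int old_check_ok(const char *line)
{
    return strncasecmp(line, "+OK ", 4) == 0;
}

/* The status indicator must end at a space, CR, LF or end of string. */
static int ends_token(char c)
{
    return c == ' ' || c == '\r' || c == '\n' || c == '\0';
}

/* Classify a POP3 reply by its status indicator only; any text after
 * the indicator is ignored. Matching is case-insensitive, as in the
 * quoted imtest.c code. */
static enum pop3_status pop3_classify(const char *line)
{
    if (strncasecmp(line, "+OK", 3) == 0 && ends_token(line[3]))
        return POP3_OK;
    if (strncasecmp(line, "-ERR", 4) == 0 && ends_token(line[4]))
        return POP3_ERR;
    return POP3_INVALID;
}

int main(void)
{
    /* Constructed sample lines; the first two match the session above. */
    const char *samples[] = {
        "+OK Dovecot ready.\r\n", "+OK\r\n",
        "-ERR no such user\r\n", "+OKAY\r\n",
    };
    static const char *names[] = { "OK", "ERR", "INVALID" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("old=%d new=%-7s %s", old_check_ok(samples[i]),
               names[pop3_classify(samples[i])], samples[i]);
    return 0;
}
```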





