WebApp can't connect to Pigeonhole ManageSieve via StartTLS #874

Open
3 tasks done
Smith4545 opened this issue Mar 3, 2023 · 1 comment

Comments

@Smith4545

Smith4545 commented Mar 3, 2023

Prerequisites

  • Tried the most recent nightly build
  • Checked if your issue is already reported.
  • Answered all the questions in this template (Or provide a working crystal ball).

What happened?

When trying to connect to Pigeonhole (meaning actually clicking "Connect") in the WebApp, no connection can be established.

As SieveSocket is instantiated here,

with SieveSocket(host, port) as sievesocket:

Python will run SieveSocket.__enter__, which will run SieveSocket.connect.

The problem is probably caused by these lines in SieveSocket.connect:

if b'PLAIN' not in capabilities.get_capabilities()[b'"SASL"'][1:-1].split(b" "):
    raise Exception("Sasl Plain not supported")

PLAIN won't be present in Pigeonhole's capabilities if plain authentication is deactivated via disable_plaintext_auth = yes, as stated in the Dovecot 2.x documentation. But this does not indicate that PLAIN wouldn't be available once a connection with StartTLS had been established.

This can also be tested with telnet (see the example below).

Simply commenting out the check already solves the issue, because the class SieveSocket already implements all necessary steps for StartTLS and the corresponding function is even called in the next line of websocket.py.

I don't have a complete overview over all RFCs related to Sieve, so it could be that Pigeonhole just doesn't act RFC-compliant here.

What did you expect to happen?

The connection should have been established.

Logs and Traces

The log reads:

2023-03-03 12:55:54 WARNING [handle_message] webserver.py : Traceback (most recent call last):
  File "/opt/thsmi/sieve/sieve-0.6.1-web/script/webserver.py", line 65, in handle_message
    handler.handle_request(context, request)
  File "/opt/thsmi/sieve/sieve-0.6.1-web/script/handler/websocket.py", line 33, in handle_request
    with SieveSocket(host, port) as sievesocket:
  File "/opt/thsmi/sieve/sieve-0.6.1-web/script/sieve/sievesocket.py", line 22, in __enter__
    self.connect()
  File "/opt/thsmi/sieve/sieve-0.6.1-web/script/sieve/sievesocket.py", line 42, in connect
    raise Exception("Sasl Plain not supported")
Exception: Sasl Plain not supported

The mail-server runs Pigeonhole via Dovecot 2.3.20. Dovecot has disable_plaintext_auth = yes set. Therefore StartTLS must be used.

Connection via telnet:

$ > telnet mail.redacted.tld 4190
Trying 192.0.2.1...
Connected to mail.redacted.tld.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext editheader imapsieve vnd.dovecot.imapsieve"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot"

Which Version

Include information about your system, server and, most importantly, whether it is about the app or webextension.

  • WebApp
  • Operating system: Linux (Browser: Firefox/Chromium)
  • The mail-server runs Pigeonhole via Dovecot 2.3.20. Dovecot has disable_plaintext_auth = yes set. Therefore StartTLS must be used.
@thsmi
Owner

thsmi commented Mar 11, 2023

Your Dovecot behaves exactly as specified. It is suggested that a server should not advertise weak authentication mechanisms when not secure.

In Sieve, SASL mechanisms are advertised after connect and after a successful STARTTLS upgrade.

Thus it is a bug in the current implementation. It checks the SASL mechanisms after connect. Instead it should check them after the upgrade to a secure connection.
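The fix described in this thread, as an added example that is not the project's own code: parse the capability block, upgrade with STARTTLS, then re-read the capabilities the server re-sends before deciding whether PLAIN is usable. The transport interface (readline/sendall/starttls), the FakeDovecot stand-in and its post-STARTTLS capability lines are constructed for this example; the pre-TLS lines mirror the telnet session above.

```python
import re
CAP_RE = re.compile(rb'^"([^"]+)"(?: "(.*)")?$')  # "NAME" "value" or a bare "NAME"
def parse_capabilities(lines):
    """Parse a ManageSieve capability block into {name: value or None}; stops at OK."""
    caps = {}
    for line in lines:
        line = line.rstrip(b"\r\n")
        if line.startswith(b"OK"):
            break
        m = CAP_RE.match(line)
        if m:
            caps[m.group(1)] = m.group(2)
    return caps

def sasl_mechanisms(caps):
    """SASL mechanisms advertised in a parsed capability block (empty set if none)."""
    return set((caps.get(b"SASL") or b"").split())

def negotiate_plain(transport):
    """STARTTLS first, then judge PLAIN from the capabilities the server re-sends."""
    # transport provides readline() -> bytes, sendall(bytes) and starttls().
    caps = parse_capabilities(iter(transport.readline, b""))
    if b"STARTTLS" not in caps:
        raise ConnectionError("no STARTTLS offered; refusing to send PLAIN in the clear")
    transport.sendall(b"STARTTLS\r\n")
    reply = transport.readline()
    if not reply.startswith(b"OK"):
        raise ConnectionError("server refused STARTTLS: %r" % reply)
    transport.starttls()
    # With disable_plaintext_auth = yes, PLAIN first appears in this second block.
    caps = parse_capabilities(iter(transport.readline, b""))
    if b"PLAIN" not in sasl_mechanisms(caps):
        raise Exception("Sasl Plain not supported")
    return caps
class FakeDovecot:
    """Constructed stand-in for the telnet session: SASL empty until after STARTTLS."""
    PRE_TLS = [b'"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n', b'"SASL" ""\r\n',
               b'"STARTTLS"\r\n', b'"VERSION" "1.0"\r\n', b'OK "Dovecot"\r\n']
    POST_TLS = [b'"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n', b'"SASL" "PLAIN LOGIN"\r\n',
                b'"VERSION" "1.0"\r\n', b'OK "TLS negotiation successful."\r\n']
    def __init__(self):
        self.queue = list(self.PRE_TLS)
    def readline(self):
        return self.queue.pop(0) if self.queue else b""
    def sendall(self, data):
        if data.strip() == b"STARTTLS":
            self.queue.append(b'OK "Begin TLS negotiation now."\r\n')
    def starttls(self):
        self.queue.extend(self.POST_TLS)  # capabilities repeated on the TLS channel
```

Checking the greeting alone, as the reported code does, yields an empty mechanism set and the "Sasl Plain not supported" error; negotiate_plain only evaluates PLAIN after the upgrade.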
