Thanks for the explanation, Kevin.

Andy

On Thu, Jun 03, 2021 at 09:29:18AM -0700, Kevin J. McCarthy wrote:
> On Thu, Jun 03, 2021 at 11:42:25AM -0400, Andrew D. Arenson wrote:
> >Update:
> >
> >Setting both of the following solves the first problem: "Encrypted
> >connection unavailable"
> >
> >set ssl_starttls=no
> >set ssl_force_tls=no
>
> 1.13.0 changed $ssl_force_tls to default set. This was backed out
> in 1.13.4. However, I re-enabled it to default set in the 2.0.0
> release.
>
> Unencrypted connections will need to turn $ssl_force_tls off.
>
> >I'm guessing this is related to
> >https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963107, but I
> >don't know exactly how. Perhaps my use case of connecting to
> >davmail is unusual, or maybe I'm doing something insecure with
> >davmail that I'm unaware of. Thoughts about that are appreciated.
>
> That bug report is from a CVE fixed in 1.14.3. The fix was backported
> but then a regression was discovered and fixed in 1.14.5. I believe
> Debian did backport the regression fix too.
>
> --
> Kevin J. McCarthy
> GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA

--
Andrew D. Arenson (he/him)    H 317.964.0493
arenson (at) spatzel.net      C 317.679.4669