On Thu, Jun 03, 2021 at 11:42:25AM -0400, Andrew D. Arenson wrote:
> Update:
>
> Setting both of the following solves the first problem: "Encrypted connection unavailable"
>
> set ssl_starttls=no
> set ssl_force_tls=no

1.13.0 changed $ssl_force_tls to default set. This was backed out in 1.13.4. However, I re-enabled it to default set in the 2.0.0 release.
Unencrypted connections will need to turn $ssl_force_tls off.

> I'm guessing this is related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963107, but I don't know exactly how. Perhaps my use case of connecting to davmail is unusual, or maybe I'm doing something insecure with davmail that I'm unaware of. Thoughts about that are appreciated.

That bug report is from a CVE fixed in 1.14.3. The fix was backported but then a regression was discovered and fixed in 1.14.5. I believe Debian did backport the regression fix too.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
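
A narrower variant of the two settings quoted above, as an added example that is not from the original message or from the Mutt project: it keeps TLS mandatory by default and relaxes it only for a local gateway, using Mutt's `account-hook`. The `localhost:1143` listener address is an assumption about where DavMail is running; adjust the pattern to the actual listener.

```muttrc
# Added example (not from the thread). account-hooks are applied in the
# order listed, so the catch-all default comes first and the narrower
# exception second.

# Default for every account: refuse to proceed without TLS.
account-hook . 'set ssl_force_tls=yes ssl_starttls=yes'

# Exception: plaintext IMAP to a gateway on the loopback interface only.
# ASSUMPTION: DavMail listens on localhost:1143; the optional "user@" part
# of the account URL is allowed for in the pattern.
account-hook '^imap://([^/]*@)?localhost:1143' 'set ssl_force_tls=no ssl_starttls=no'
```

With this layout, credentials for any non-loopback server are still never sent over an unencrypted connection, while the loopback connection that produced "Encrypted connection unavailable" is allowed to proceed in cleartext.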
