function login($username, $password, $host, $sm_caps = array(), &$errno, &$errmsg)
 {
     if (!isset($this->capability)) {
         $aCaps = $this->capability($sm_caps);
     } else {
         $aCaps = $this->capability;
     }
     /* supported authentication methods */
     $aAuth = array('CRAM-MD5' => false, 'DIGEST-MD5' => false);
     //,'PLAIN'=>false);
     $aResult = false;
     /* get the authentication methods */
     foreach ($aCaps as $key => $value) {
         if (substr($key, 0, 5) == 'AUTH=') {
             $aAuth[substr($key, 5)] = true;
         }
     }
     /* start with the save authentication methods */
     switch ($aAuth) {
         case $aAuth['DIGEST-MD5']:
             $query = "AUTHENTICATE DIGEST-MD5";
             $sTag = $this->sqimap_run_command($query);
             /* we expect a command continuation request with challenge*/
             $aRes = explode(' ', $this->_sqimap_process_stream($sTag));
             $challenge = $aRes[0];
             /* create the digest-md5 response */
             $reply = digest_md5_response($username, $password, $challenge, 'imap', $host);
             fputs($this->resource, $reply);
             /* we expect a command continuation request */
             $this->_sqimap_process_stream($sTag);
             /* need testing !! probably just check for the OK response */
             $aresult = $this->_sqimap_process_stream($sTag);
             if ($aResult['RESPONSE'] == 'OK') {
                 break;
             }
         case $aAuth['CRAM-MD5']:
             $query = "AUTHENTICATE CRAM-MD5";
             $sTag = $this->sqimap_run_command($query);
             /* we expect a command continuation request with challenge*/
             $aRes = explode(' ', $this->_sqimap_process_stream($sTag));
             $challenge = $aRes[0];
             /* create the cram-md5 reply */
             $reply = cram_md5_response($username, $password, $challenge, 'imap', $host);
             fputs($this->resource, $reply);
             /* need testing !! probably just check for the OK response */
             $aResult = $this->_sqimap_process_stream($sTag);
             if ($aResult['RESPONSE'] == 'OK') {
                 break;
             }
             //case $aAuth['PLAIN']:
         //case $aAuth['PLAIN']:
         default:
             if (isset($aCaps['LOGINDISABLED']) && $aCaps['LOGINDISABLED']) {
                 /* we need to do a STARTTLS which isn't supported on a normal socket */
                 /* error handling */
                 $errmsg = _("Notify your system administrator, no authentication mechanism found");
                 $errno = 0;
                 /* TODO fatal error */
                 return false;
             } else {
                 /* use normal login */
                 /* escaping  ??? */
                 $user = ereg_replace('(["\\])', '\\\\1', $username);
                 $pass = ereg_replace('(["\\])', '\\\\1', $password);
                 $query = 'LOGIN "' . $user . '" "' . $pass . '"';
                 $sTag = $this->sqimap_run_command($query);
                 $aResult = $this->_sqimap_process_stream($sTag);
             }
             break;
     }
     if ($aResult['RESPONSE'] == 'OK') {
         return $aResult;
     } else {
         /* error handling */
         if ($aResult) {
             $errmsg = $aResult['MESSAGE'];
             /* optional, check response for NO, BAD or BYE */
             $errno = 0;
             /* TODO */
         } else {
             /* something went terrible wrong, notify the user */
             /* TODO */
             /* optionally try to initiate a tls connection if PHP version > 4.3 */
             /* reconnect and call $this->login again from here and return the result */
         }
     }
     return false;
 }
function sqimap_login($username, $password, $imap_server_address, $imap_port, $hide)
{
    global $color, $squirrelmail_language, $onetimepad, $use_imap_tls, $imap_auth_mech;
    if (!isset($onetimepad) || empty($onetimepad)) {
        sqgetglobalvar('onetimepad', $onetimepad, SQ_SESSION);
    }
    $imap_server_address = sqimap_get_user_server($imap_server_address, $username);
    $host = $imap_server_address;
    if ($use_imap_tls == true and check_php_version(4, 3) and extension_loaded('openssl')) {
        /* Use TLS by prefixing "tls://" to the hostname */
        $imap_server_address = 'tls://' . $imap_server_address;
    }
    $imap_stream = fsockopen($imap_server_address, $imap_port, $error_number, $error_string, 15);
    /* Do some error correction */
    if (!$imap_stream) {
        if (!$hide) {
            set_up_language($squirrelmail_language, true);
            require_once SM_PATH . 'functions/display_messages.php';
            $string = sprintf(_("Error connecting to IMAP server: %s.") . "<br>\r\n", $imap_server_address) . "{$error_number} : {$error_string}<br>\r\n";
            logout_error($string, $color);
        }
        exit;
    }
    $server_info = fgets($imap_stream, 1024);
    /* Decrypt the password */
    $password = OneTimePadDecrypt($password, $onetimepad);
    if ($imap_auth_mech == 'cram-md5' or $imap_auth_mech == 'digest-md5') {
        // We're using some sort of authentication OTHER than plain or login
        $tag = sqimap_session_id(false);
        if ($imap_auth_mech == 'digest-md5') {
            $query = $tag . " AUTHENTICATE DIGEST-MD5\r\n";
        } elseif ($imap_auth_mech == 'cram-md5') {
            $query = $tag . " AUTHENTICATE CRAM-MD5\r\n";
        }
        fputs($imap_stream, $query);
        $answer = sqimap_fgets($imap_stream);
        // Trim the "+ " off the front
        $response = explode(" ", $answer, 3);
        if ($response[0] == '+') {
            // Got a challenge back
            $challenge = $response[1];
            if ($imap_auth_mech == 'digest-md5') {
                $reply = digest_md5_response($username, $password, $challenge, 'imap', $host);
            } elseif ($imap_auth_mech == 'cram-md5') {
                $reply = cram_md5_response($username, $password, $challenge);
            }
            fputs($imap_stream, $reply);
            $read = sqimap_fgets($imap_stream);
            if ($imap_auth_mech == 'digest-md5') {
                // DIGEST-MD5 has an extra step..
                if (substr($read, 0, 1) == '+') {
                    // OK so far..
                    fputs($imap_stream, "\r\n");
                    $read = sqimap_fgets($imap_stream);
                }
            }
            $results = explode(" ", $read, 3);
            $response = $results[1];
            $message = $results[2];
        } else {
            // Fake the response, so the error trap at the bottom will work
            $response = "BAD";
            $message = 'IMAP server does not appear to support the authentication method selected.';
            $message .= '  Please contact your system administrator.';
        }
    } elseif ($imap_auth_mech == 'login') {
        // Original IMAP login code
        $query = 'LOGIN "' . quoteimap($username) . '" "' . quoteimap($password) . '"';
        $read = sqimap_run_command($imap_stream, $query, false, $response, $message);
    } elseif ($imap_auth_mech == 'plain') {
        /* Replace this with SASL PLAIN if it ever gets implemented */
        $response = "BAD";
        $message = 'SquirrelMail does not support SASL PLAIN yet. Rerun conf.pl and use login instead.';
    } else {
        $response = "BAD";
        $message = "Internal SquirrelMail error - unknown IMAP authentication method chosen.  Please contact the developers.";
    }
    /* If the connection was not successful, lets see why */
    if ($response != 'OK') {
        if (!$hide) {
            if ($response != 'NO') {
                /* "BAD" and anything else gets reported here. */
                $message = htmlspecialchars($message);
                set_up_language($squirrelmail_language, true);
                require_once SM_PATH . 'functions/display_messages.php';
                if ($response == 'BAD') {
                    $string = sprintf(_("Bad request: %s") . "<br>\r\n", $message);
                } else {
                    $string = sprintf(_("Unknown error: %s") . "<br>\n", $message);
                }
                if (isset($read) && is_array($read)) {
                    $string .= '<br>' . _("Read data:") . "<br>\n";
                    foreach ($read as $line) {
                        $string .= htmlspecialchars($line) . "<br>\n";
                    }
                }
                error_box($string, $color);
                exit;
            } else {
                /*
                 * If the user does not log in with the correct
                 * username and password it is not possible to get the
                 * correct locale from the user's preferences.
                 * Therefore, apply the same hack as on the login
                 * screen.
                 *
                 * $squirrelmail_language is set by a cookie when
                 * the user selects language and logs out
                 */
                set_up_language($squirrelmail_language, true);
                include_once SM_PATH . 'functions/display_messages.php';
                sqsession_destroy();
                logout_error(_("Unknown user or password incorrect."));
                exit;
            }
        } else {
            exit;
        }
    }
    return $imap_stream;
}
 function initStream($message, $domain, $length = 0, $host = '', $port = '', $user = '', $pass = '', $authpop = false)
 {
     global $use_smtp_tls, $smtp_auth_mech, $username, $key, $onetimepad;
     if ($authpop) {
         $this->authPop($host, '', $username, $pass);
     }
     $rfc822_header = $message->rfc822_header;
     $from = $rfc822_header->from[0];
     $to = $rfc822_header->to;
     $cc = $rfc822_header->cc;
     $bcc = $rfc822_header->bcc;
     if ($use_smtp_tls == true and check_php_version(4, 3) and extension_loaded('openssl')) {
         $stream = fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
     } else {
         $stream = fsockopen($host, $port, $errorNumber, $errorString);
     }
     if (!$stream) {
         $this->dlv_msg = $errorString;
         $this->dlv_ret_nr = $errorNumber;
         return 0;
     }
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         return 0;
     }
     /* If $_SERVER['HTTP_HOST'] is set, use that in our HELO to the SMTP
        server.  This should fix the DNS issues some people have had */
     if (sqgetGlobalVar('HTTP_HOST', $HTTP_HOST, SQ_SERVER)) {
         // HTTP_HOST is set
         $helohost = $HTTP_HOST;
     } else {
         // For some reason, HTTP_HOST is not set - revert to old behavior
         $helohost = $domain;
     }
     /* Lets introduce ourselves */
     if ($smtp_auth_mech == 'cram-md5' or $smtp_auth_mech == 'digest-md5') {
         // Doing some form of non-plain auth
         fputs($stream, "EHLO {$helohost}\r\n");
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         if ($smtp_auth_mech == 'cram-md5') {
             fputs($stream, "AUTH CRAM-MD5\r\n");
         } elseif ($smtp_auth_mech == 'digest-md5') {
             fputs($stream, "AUTH DIGEST-MD5\r\n");
         }
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         // At this point, $tmp should hold "334 <challenge string>"
         $chall = substr($tmp, 4);
         // Depending on mechanism, generate response string
         if ($smtp_auth_mech == 'cram-md5') {
             $response = cram_md5_response($username, $pass, $chall);
         } elseif ($smtp_auth_mech == 'digest-md5') {
             $response = digest_md5_response($username, $pass, $chall, 'smtp', $host);
         }
         fputs($stream, $response);
         // Let's see what the server had to say about that
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         // CRAM-MD5 is done at this point.  If DIGEST-MD5, there's a bit more to go
         if ($smtp_auth_mech == 'digest-md5') {
             // $tmp contains rspauth, but I don't store that yet. (No need yet)
             fputs($stream, "\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
         // CRAM-MD5 and DIGEST-MD5 code ends here
     } elseif ($smtp_auth_mech == 'none') {
         // No auth at all, just send helo and then send the mail
         fputs($stream, "HELO {$helohost}\r\n");
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
     } elseif ($smtp_auth_mech == 'login') {
         // The LOGIN method
         fputs($stream, "EHLO {$helohost}\r\n");
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         fputs($stream, "AUTH LOGIN\r\n");
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         fputs($stream, base64_encode($username) . "\r\n");
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         fputs($stream, base64_encode($pass) . "\r\n");
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
     } else {
         /* Right here, they've reached an unsupported auth mechanism.
            This is the ugliest hack I've ever done, but it'll do till I can fix
            things up better tomorrow.  So tired... */
         if ($this->errorCheck("535 Unable to use this auth type", $stream)) {
             return 0;
         }
     }
     /* Ok, who is sending the message? */
     fputs($stream, 'MAIL FROM: <' . $from->mailbox . '@' . $from->host . ">\r\n");
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         return 0;
     }
     /* send who the recipients are */
     for ($i = 0, $cnt = count($to); $i < $cnt; $i++) {
         if (!$to[$i]->host) {
             $to[$i]->host = $domain;
         }
         if ($to[$i]->mailbox) {
             fputs($stream, 'RCPT TO: <' . $to[$i]->mailbox . '@' . $to[$i]->host . ">\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
     }
     for ($i = 0, $cnt = count($cc); $i < $cnt; $i++) {
         if (!$cc[$i]->host) {
             $cc[$i]->host = $domain;
         }
         if ($cc[$i]->mailbox) {
             fputs($stream, 'RCPT TO: <' . $cc[$i]->mailbox . '@' . $cc[$i]->host . ">\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
     }
     for ($i = 0, $cnt = count($bcc); $i < $cnt; $i++) {
         if (!$bcc[$i]->host) {
             $bcc[$i]->host = $domain;
         }
         if ($bcc[$i]->mailbox) {
             fputs($stream, 'RCPT TO: <' . $bcc[$i]->mailbox . '@' . $bcc[$i]->host . ">\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
     }
     /* Lets start sending the actual message */
     fputs($stream, "DATA\r\n");
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         return 0;
     }
     return $stream;
 }
 function initStream($message, $domain, $length = 0, $host = '', $port = '', $user = '', $pass = '', $authpop = false, $pop_host = '', $stream_options = array())
 {
     global $use_smtp_tls, $smtp_auth_mech;
     if ($authpop) {
         $this->authPop($pop_host, '', $user, $pass);
     }
     $rfc822_header = $message->rfc822_header;
     $from = $rfc822_header->from[0];
     $to = $rfc822_header->to;
     $cc = $rfc822_header->cc;
     $bcc = $rfc822_header->bcc;
     $content_type = $rfc822_header->content_type;
     // MAIL FROM: <from address> MUST be empty in cae of MDN (RFC2298)
     if ($content_type->type0 == 'multipart' && $content_type->type1 == 'report' && isset($content_type->properties['report-type']) && $content_type->properties['report-type'] == 'disposition-notification') {
         // reinitialize the from object because otherwise the from header somehow
         // is affected. This $from var is used for smtp command MAIL FROM which
         // is not the same as what we put in the rfc822 header.
         $from = new AddressStructure();
         $from->host = '';
         $from->mailbox = '';
     }
     // NB: Using "ssl://" ensures the highest possible TLS version
     // will be negotiated with the server (whereas "tls://" only
     // uses TLS version 1.0)
     //
     if ($use_smtp_tls == 1) {
         if (check_php_version(4, 3) && extension_loaded('openssl')) {
             if (function_exists('stream_socket_client')) {
                 $server_address = 'ssl://' . $host . ':' . $port;
                 $ssl_context = @stream_context_create($stream_options);
                 $connect_timeout = ini_get('default_socket_timeout');
                 // null timeout is broken
                 if ($connect_timeout == 0) {
                     $connect_timeout = 30;
                 }
                 $stream = @stream_socket_client($server_address, $errorNumber, $errorString, $connect_timeout, STREAM_CLIENT_CONNECT, $ssl_context);
             } else {
                 $stream = @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);
             }
             $this->tls_enabled = true;
         } else {
             /**
              * don't connect to server when user asks for smtps and 
              * PHP does not support it.
              */
             $errorNumber = '';
             $errorString = _("Secure SMTP (TLS) is enabled in SquirrelMail configuration, but used PHP version does not support it.");
         }
     } else {
         $stream = @fsockopen($host, $port, $errorNumber, $errorString);
     }
     if (!$stream) {
         // reset tls state var to default value, if connection fails
         $this->tls_enabled = false;
         // set error messages
         $this->dlv_msg = $errorString;
         $this->dlv_ret_nr = $errorNumber;
         $this->dlv_server_msg = _("Can't open SMTP stream.");
         return 0;
     }
     // get server greeting
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         return 0;
     }
     /*
      * If $_SERVER['HTTP_HOST'] is set, use that in our HELO to the SMTP
      * server.  This should fix the DNS issues some people have had
      */
     if (sqgetGlobalVar('HTTP_HOST', $HTTP_HOST, SQ_SERVER)) {
         // HTTP_HOST is set
         // optionally trim off port number
         if ($p = strrpos($HTTP_HOST, ':')) {
             $HTTP_HOST = substr($HTTP_HOST, 0, $p);
         }
         $helohost = $HTTP_HOST;
     } else {
         // For some reason, HTTP_HOST is not set - revert to old behavior
         $helohost = $domain;
     }
     // if the host is an IPv4 address, enclose it in brackets
     //
     if (preg_match('/^\\d+\\.\\d+\\.\\d+\\.\\d+$/', $helohost)) {
         $helohost = '[' . $helohost . ']';
     }
     $hook_result = do_hook('smtp_helo_override', $helohost);
     if (!empty($hook_result)) {
         $helohost = $hook_result;
     }
     /* Lets introduce ourselves */
     fputs($stream, "EHLO {$helohost}\r\n");
     // Read ehlo response
     $tmp = $this->parse_ehlo_response($stream);
     if ($this->errorCheck($tmp, $stream)) {
         // fall back to HELO if EHLO is not supported (error 5xx)
         if ($this->dlv_ret_nr[0] == '5') {
             fputs($stream, "HELO {$helohost}\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         } else {
             return 0;
         }
     }
     /**
      * Implementing SMTP STARTTLS (rfc2487) in php 5.1.0+
      * http://www.php.net/stream-socket-enable-crypto
      */
     if ($use_smtp_tls === 2) {
         if (function_exists('stream_socket_enable_crypto')) {
             // don't try starting tls, when client thinks that it is already active
             if ($this->tls_enabled) {
                 $this->dlv_msg = _("TLS session is already activated.");
                 return 0;
             } elseif (!array_key_exists('STARTTLS', $this->ehlo)) {
                 // check for starttls in ehlo response
                 $this->dlv_msg = _("SMTP STARTTLS is enabled in SquirrelMail configuration, but used SMTP server does not support it");
                 return 0;
             }
             // issue starttls command
             fputs($stream, "STARTTLS\r\n");
             // get response
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
             // start crypto on connection. suppress function errors.
             if (@stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
                 // starttls was successful (rfc2487 5.2 Result of the STARTTLS Command)
                 // get new EHLO response
                 fputs($stream, "EHLO {$helohost}\r\n");
                 // Read ehlo response
                 $tmp = $this->parse_ehlo_response($stream);
                 if ($this->errorCheck($tmp, $stream)) {
                     // don't revert to helo here. server must support ESMTP
                     return 0;
                 }
                 // set information about started tls
                 $this->tls_enabled = true;
             } else {
                 /**
                  * stream_socket_enable_crypto() call failed.
                  */
                 $this->dlv_msg = _("Unable to start TLS.");
                 return 0;
                 // Bug: can't get error message. See comments in sqimap_create_stream().
             }
         } else {
             // php install does not support stream_socket_enable_crypto() function
             $this->dlv_msg = _("SMTP STARTTLS is enabled in SquirrelMail configuration, but used PHP version does not support functions that allow to enable encryption on open socket.");
             return 0;
         }
     }
     // FIXME: check ehlo response before using authentication
     // Try authentication by a plugin
     //
     // NOTE: there is another hook in functions/auth.php called "smtp_auth"
     // that allows a plugin to specify a different set of login credentials
     // (so is slightly mis-named, but is too old to change), so be careful
     // that you do not confuse your hook names.
     //
     $smtp_auth_args = array('auth_mech' => $smtp_auth_mech, 'user' => $user, 'pass' => $pass, 'host' => $host, 'port' => $port, 'stream' => $stream);
     if (boolean_hook_function('smtp_authenticate', $smtp_auth_args, 1)) {
         // authentication succeeded
     } else {
         if ($smtp_auth_mech == 'cram-md5' or $smtp_auth_mech == 'digest-md5') {
             // Doing some form of non-plain auth
             if ($smtp_auth_mech == 'cram-md5') {
                 fputs($stream, "AUTH CRAM-MD5\r\n");
             } elseif ($smtp_auth_mech == 'digest-md5') {
                 fputs($stream, "AUTH DIGEST-MD5\r\n");
             }
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
             // At this point, $tmp should hold "334 <challenge string>"
             $chall = substr($tmp, 4);
             // Depending on mechanism, generate response string
             if ($smtp_auth_mech == 'cram-md5') {
                 $response = cram_md5_response($user, $pass, $chall);
             } elseif ($smtp_auth_mech == 'digest-md5') {
                 $response = digest_md5_response($user, $pass, $chall, 'smtp', $host);
             }
             fputs($stream, $response);
             // Let's see what the server had to say about that
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
             // CRAM-MD5 is done at this point.  If DIGEST-MD5, there's a bit more to go
             if ($smtp_auth_mech == 'digest-md5') {
                 // $tmp contains rspauth, but I don't store that yet. (No need yet)
                 fputs($stream, "\r\n");
                 $tmp = fgets($stream, 1024);
                 if ($this->errorCheck($tmp, $stream)) {
                     return 0;
                 }
             }
             // CRAM-MD5 and DIGEST-MD5 code ends here
         } elseif ($smtp_auth_mech == 'none') {
             // No auth at all, just send helo and then send the mail
             // We already said hi earlier, nothing more is needed.
         } elseif ($smtp_auth_mech == 'login') {
             // The LOGIN method
             fputs($stream, "AUTH LOGIN\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
             fputs($stream, base64_encode($user) . "\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
             fputs($stream, base64_encode($pass) . "\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         } elseif ($smtp_auth_mech == "plain") {
             /* SASL Plain */
             $auth = base64_encode("{$user}{$user}{$pass}");
             $query = "AUTH PLAIN\r\n";
             fputs($stream, $query);
             $read = fgets($stream, 1024);
             if (substr($read, 0, 3) == '334') {
                 // OK so far..
                 fputs($stream, "{$auth}\r\n");
                 $read = fgets($stream, 1024);
             }
             $results = explode(" ", $read, 3);
             $response = $results[1];
             $message = $results[2];
         } else {
             /* Right here, they've reached an unsupported auth mechanism.
                This is the ugliest hack I've ever done, but it'll do till I can fix
                things up better tomorrow.  So tired... */
             if ($this->errorCheck("535 Unable to use this auth type", $stream)) {
                 return 0;
             }
         }
     }
     /* Ok, who is sending the message? */
     $fromaddress = strlen($from->mailbox) && $from->host ? $from->mailbox . '@' . $from->host : '';
     fputs($stream, 'MAIL FROM:<' . $fromaddress . ">\r\n");
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         return 0;
     }
     /* send who the recipients are */
     for ($i = 0, $cnt = count($to); $i < $cnt; $i++) {
         if (!$to[$i]->host) {
             $to[$i]->host = $domain;
         }
         if (strlen($to[$i]->mailbox)) {
             fputs($stream, 'RCPT TO:<' . $to[$i]->mailbox . '@' . $to[$i]->host . ">\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
     }
     for ($i = 0, $cnt = count($cc); $i < $cnt; $i++) {
         if (!$cc[$i]->host) {
             $cc[$i]->host = $domain;
         }
         if (strlen($cc[$i]->mailbox)) {
             fputs($stream, 'RCPT TO:<' . $cc[$i]->mailbox . '@' . $cc[$i]->host . ">\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
     }
     for ($i = 0, $cnt = count($bcc); $i < $cnt; $i++) {
         if (!$bcc[$i]->host) {
             $bcc[$i]->host = $domain;
         }
         if (strlen($bcc[$i]->mailbox)) {
             fputs($stream, 'RCPT TO:<' . $bcc[$i]->mailbox . '@' . $bcc[$i]->host . ">\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
     }
     /* Lets start sending the actual message */
     fputs($stream, "DATA\r\n");
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         return 0;
     }
     return $stream;
 }
/**
 * Logs the user into the imap server.  If $hide is set, no error messages
 * will be displayed.  This function returns the imap connection handle.
 */
function sqimap_login($username, $password, $imap_server_address, $imap_port, $hide)
{
    global $color, $squirrelmail_language, $onetimepad, $use_imap_tls, $imap_auth_mech, $sqimap_capabilities;
    if (!isset($onetimepad) || empty($onetimepad)) {
        sqgetglobalvar('onetimepad', $onetimepad, SQ_SESSION);
    }
    if (!isset($sqimap_capabilities)) {
        sqgetglobalvar('sqimap_capabilities', $capability, SQ_SESSION);
    }
    $host = $imap_server_address;
    $imap_server_address = sqimap_get_user_server($imap_server_address, $username);
    $imap_stream = sqimap_create_stream($imap_server_address, $imap_port, $use_imap_tls);
    /* Decrypt the password */
    //$password = OneTimePadDecrypt($password, $onetimepad);
    if ($imap_auth_mech == 'cram-md5' or $imap_auth_mech == 'digest-md5') {
        // We're using some sort of authentication OTHER than plain or login
        $tag = sqimap_session_id(false);
        if ($imap_auth_mech == 'digest-md5') {
            $query = $tag . " AUTHENTICATE DIGEST-MD5\r\n";
        } elseif ($imap_auth_mech == 'cram-md5') {
            $query = $tag . " AUTHENTICATE CRAM-MD5\r\n";
        }
        fputs($imap_stream, $query);
        $answer = sqimap_fgets($imap_stream);
        // Trim the "+ " off the front
        $response = explode(" ", $answer, 3);
        if ($response[0] == '+') {
            // Got a challenge back
            $challenge = $response[1];
            if ($imap_auth_mech == 'digest-md5') {
                $reply = digest_md5_response($username, $password, $challenge, 'imap', $host);
            } elseif ($imap_auth_mech == 'cram-md5') {
                $reply = cram_md5_response($username, $password, $challenge);
            }
            fputs($imap_stream, $reply);
            $read = sqimap_fgets($imap_stream);
            if ($imap_auth_mech == 'digest-md5') {
                // DIGEST-MD5 has an extra step..
                if (substr($read, 0, 1) == '+') {
                    // OK so far..
                    fputs($imap_stream, "\r\n");
                    $read = sqimap_fgets($imap_stream);
                }
            }
            $results = explode(" ", $read, 3);
            $response = $results[1];
            $message = $results[2];
        } else {
            // Fake the response, so the error trap at the bottom will work
            $response = "BAD";
            $message = 'IMAP server does not appear to support the authentication method selected.';
            $message .= '  Please contact your system administrator.';
        }
    } elseif ($imap_auth_mech == 'login') {
        // Original IMAP login code
        $query = 'LOGIN "' . quoteimap($username) . '" "' . quoteimap($password) . '"';
        $read = sqimap_run_command($imap_stream, $query, false, $response, $message);
    } elseif ($imap_auth_mech == 'plain') {
        /***
         * SASL PLAIN
         *
         *  RFC 2595 Chapter 6
         *
         *  The mechanism consists of a single message from the client to the
         *  server.  The client sends the authorization identity (identity to
         *  login as), followed by a US-ASCII NUL character, followed by the
         *  authentication identity (identity whose password will be used),
         *  followed by a US-ASCII NUL character, followed by the clear-text
         *  password.  The client may leave the authorization identity empty to
         *  indicate that it is the same as the authentication identity.
         *
         **/
        $tag = sqimap_session_id(false);
        $sasl = isset($capability['SASL-IR']) && $capability['SASL-IR'] ? true : false;
        $auth = base64_encode("{$username}{$username}{$password}");
        if ($sasl) {
            // IMAP Extension for SASL Initial Client Response
            // <draft-siemborski-imap-sasl-initial-response-01b.txt>
            $query = $tag . " AUTHENTICATE PLAIN {$auth}\r\n";
            fputs($imap_stream, $query);
            $read = sqimap_fgets($imap_stream);
        } else {
            $query = $tag . " AUTHENTICATE PLAIN\r\n";
            fputs($imap_stream, $query);
            $read = sqimap_fgets($imap_stream);
            if (substr($read, 0, 1) == '+') {
                // OK so far..
                fputs($imap_stream, "{$auth}\r\n");
                $read = sqimap_fgets($imap_stream);
            }
        }
        $results = explode(" ", $read, 3);
        $response = $results[1];
        $message = $results[2];
    } else {
        $response = "BAD";
        $message = "Internal SquirrelMail error - unknown IMAP authentication method chosen.  Please contact the developers.";
    }
    /* If the connection was not successful, lets see why */
    if ($response != 'OK') {
        if (!$hide) {
            if ($response != 'NO') {
                /* "BAD" and anything else gets reported here. */
                $message = htmlspecialchars($message);
                set_up_language($squirrelmail_language, true);
                require_once SM_PATH . 'functions/display_messages.php';
                if ($response == 'BAD') {
                    $string = sprintf(_("Bad request: %s") . "<br />\r\n", $message);
                } else {
                    $string = sprintf(_("Unknown error: %s") . "<br />\n", $message);
                }
                if (isset($read) && is_array($read)) {
                    $string .= '<br />' . _("Read data:") . "<br />\n";
                    foreach ($read as $line) {
                        $string .= htmlspecialchars($line) . "<br />\n";
                    }
                }
                error_box($string, $color);
                exit;
            } else {
                /*
                 * If the user does not log in with the correct
                 * username and password it is not possible to get the
                 * correct locale from the user's preferences.
                 * Therefore, apply the same hack as on the login
                 * screen.
                 *
                 * $squirrelmail_language is set by a cookie when
                 * the user selects language and logs out
                 */
                set_up_language($squirrelmail_language, true);
                include_once SM_PATH . 'functions/display_messages.php';
                sqsession_destroy();
                /* terminate the session nicely */
                sqimap_logout($imap_stream);
                logout_error(_("Unknown user or password incorrect."));
                exit;
            }
        } else {
            exit;
        }
    }
    return $imap_stream;
}
 function initStream($message, $domain, $length = 0, $host = '', $port = '', $user = '', $pass = '', $authpop = false)
 {
     global $use_smtp_tls, $smtp_auth_mech;
     if ($authpop) {
         $this->authPop($host, '', $user, $pass);
     }
     $rfc822_header = $message->rfc822_header;
     $from = $rfc822_header->from[0];
     $to = $rfc822_header->to;
     $cc = $rfc822_header->cc;
     $bcc = $rfc822_header->bcc;
     $content_type = $rfc822_header->content_type;
     // MAIL FROM: <from address> MUST be empty in cae of MDN (RFC2298)
     if ($content_type->type0 == 'multipart' && $content_type->type1 == 'report' && isset($content_type->properties['report-type']) && $content_type->properties['report-type'] == 'disposition-notification') {
         $from->host = '';
         $from->mailbox = '';
     }
     if ($use_smtp_tls == true and check_php_version(4, 3) and extension_loaded('openssl')) {
         $stream = fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
     } else {
         $stream = fsockopen($host, $port, $errorNumber, $errorString);
     }
     if (!$stream) {
         $this->dlv_msg = $errorString;
         $this->dlv_ret_nr = $errorNumber;
         return 0;
     }
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         return 0;
     }
     /* 
      * If $_SERVER['HTTP_HOST'] is set, use that in our HELO to the SMTP
      * server.  This should fix the DNS issues some people have had 
      */
     if (sqgetGlobalVar('HTTP_HOST', $HTTP_HOST, SQ_SERVER)) {
         // HTTP_HOST is set
         // optionally trim off port number
         if ($p = strrpos($HTTP_HOST, ':')) {
             $HTTP_HOST = substr($HTTP_HOST, 0, $p);
         }
         $helohost = $HTTP_HOST;
     } else {
         // For some reason, HTTP_HOST is not set - revert to old behavior
         $helohost = $domain;
     }
     /* Lets introduce ourselves */
     fputs($stream, "EHLO {$helohost}\r\n");
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         // fall back to HELO if EHLO is not supported
         if ($this->dlv_ret_nr == '500') {
             fputs($stream, "HELO {$helohost}\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         } else {
             return 0;
         }
     }
     if ($smtp_auth_mech == 'cram-md5' or $smtp_auth_mech == 'digest-md5') {
         // Doing some form of non-plain auth
         if ($smtp_auth_mech == 'cram-md5') {
             fputs($stream, "AUTH CRAM-MD5\r\n");
         } elseif ($smtp_auth_mech == 'digest-md5') {
             fputs($stream, "AUTH DIGEST-MD5\r\n");
         }
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         // At this point, $tmp should hold "334 <challenge string>"
         $chall = substr($tmp, 4);
         // Depending on mechanism, generate response string
         if ($smtp_auth_mech == 'cram-md5') {
             $response = cram_md5_response($user, $pass, $chall);
         } elseif ($smtp_auth_mech == 'digest-md5') {
             $response = digest_md5_response($user, $pass, $chall, 'smtp', $host);
         }
         fputs($stream, $response);
         // Let's see what the server had to say about that
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         // CRAM-MD5 is done at this point.  If DIGEST-MD5, there's a bit more to go
         if ($smtp_auth_mech == 'digest-md5') {
             // $tmp contains rspauth, but I don't store that yet. (No need yet)
             fputs($stream, "\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
         // CRAM-MD5 and DIGEST-MD5 code ends here
     } elseif ($smtp_auth_mech == 'none') {
         // No auth at all, just send helo and then send the mail
         // We already said hi earlier, nothing more is needed.
     } elseif ($smtp_auth_mech == 'login') {
         // The LOGIN method
         fputs($stream, "AUTH LOGIN\r\n");
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         fputs($stream, base64_encode($user) . "\r\n");
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
         fputs($stream, base64_encode($pass) . "\r\n");
         $tmp = fgets($stream, 1024);
         if ($this->errorCheck($tmp, $stream)) {
             return 0;
         }
     } elseif ($smtp_auth_mech == "plain") {
         /* SASL Plain */
         $auth = base64_encode("{$user}{$user}{$pass}");
         $query = "AUTH PLAIN\r\n";
         fputs($stream, $query);
         $read = fgets($stream, 1024);
         if (substr($read, 0, 3) == '334') {
             // OK so far..
             fputs($stream, "{$auth}\r\n");
             $read = fgets($stream, 1024);
         }
         $results = explode(" ", $read, 3);
         $response = $results[1];
         $message = $results[2];
     } else {
         /* Right here, they've reached an unsupported auth mechanism.
            This is the ugliest hack I've ever done, but it'll do till I can fix
            things up better tomorrow.  So tired... */
         if ($this->errorCheck("535 Unable to use this auth type", $stream)) {
             return 0;
         }
     }
     /* Ok, who is sending the message? */
     $fromaddress = $from->mailbox && $from->host ? $from->mailbox . '@' . $from->host : '';
     fputs($stream, 'MAIL FROM:<' . $fromaddress . ">\r\n");
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         return 0;
     }
     /* send who the recipients are */
     for ($i = 0, $cnt = count($to); $i < $cnt; $i++) {
         if (!$to[$i]->host) {
             $to[$i]->host = $domain;
         }
         if ($to[$i]->mailbox) {
             fputs($stream, 'RCPT TO:<' . $to[$i]->mailbox . '@' . $to[$i]->host . ">\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
     }
     for ($i = 0, $cnt = count($cc); $i < $cnt; $i++) {
         if (!$cc[$i]->host) {
             $cc[$i]->host = $domain;
         }
         if ($cc[$i]->mailbox) {
             fputs($stream, 'RCPT TO:<' . $cc[$i]->mailbox . '@' . $cc[$i]->host . ">\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
     }
     for ($i = 0, $cnt = count($bcc); $i < $cnt; $i++) {
         if (!$bcc[$i]->host) {
             $bcc[$i]->host = $domain;
         }
         if ($bcc[$i]->mailbox) {
             fputs($stream, 'RCPT TO:<' . $bcc[$i]->mailbox . '@' . $bcc[$i]->host . ">\r\n");
             $tmp = fgets($stream, 1024);
             if ($this->errorCheck($tmp, $stream)) {
                 return 0;
             }
         }
     }
     /* Lets start sending the actual message */
     fputs($stream, "DATA\r\n");
     $tmp = fgets($stream, 1024);
     if ($this->errorCheck($tmp, $stream)) {
         return 0;
     }
     return $stream;
 }
Esempio n. 7
0
/**
 * Logs the user into the IMAP server.  If $hide is set, no error messages
 * will be displayed (if set to 1, just exits, if set to 2, returns FALSE).
 * This function returns the IMAP connection handle.
 * @param string $username user name
 * @param string $password password encrypted with onetimepad. Since 1.5.2
 *  function can use internal password functions, if parameter is set to
 *  boolean false.
 * @param string $imap_server_address address of imap server
 * @param integer $imap_port port of imap server
 * @param int $hide controls display connection errors:
 *                  0 = do not hide
 *                  1 = show no errors (just exit)
 *                  2 = show no errors (return FALSE)
 *                  3 = show no errors (return error string)
 * @param array $stream_options Stream context options, see config_local.php
 *                           for more details (OPTIONAL)
 * @return mixed The IMAP connection stream, or if the connection fails,
 *               FALSE if $hide is set to 2 or an error string if $hide
 *               is set to 3.
 */
function sqimap_login($username, $password, $imap_server_address, $imap_port, $hide, $stream_options = array())
{
    global $color, $squirrelmail_language, $onetimepad, $use_imap_tls, $imap_auth_mech, $sqimap_capabilities, $display_imap_login_error;
    // Note/TODO: This hack grabs the $authz argument from the session. In the short future,
    // a new argument in function sqimap_login() will be used instead.
    $authz = '';
    global $authz;
    sqgetglobalvar('authz', $authz, SQ_SESSION);
    if (!empty($authz)) {
        /* authz plugin - specific:
         * Get proxy login parameters from authz plugin configuration. If they
         * exist, they will override the current ones.
         * This is useful if we want to use different SASL authentication mechanism
         * and/or different TLS settings for proxy logins. */
        global $authz_imap_auth_mech, $authz_use_imap_tls, $authz_imapPort_tls;
        $imap_auth_mech = !empty($authz_imap_auth_mech) ? strtolower($authz_imap_auth_mech) : $imap_auth_mech;
        $use_imap_tls = !empty($authz_use_imap_tls) ? $authz_use_imap_tls : $use_imap_tls;
        $imap_port = !empty($authz_use_imap_tls) ? $authz_imapPort_tls : $imap_port;
        if ($imap_auth_mech == 'login' || $imap_auth_mech == 'cram-md5') {
            logout_error("Misconfigured Plugin (authz or equivalent):<br/>" . "The LOGIN and CRAM-MD5 authentication mechanisms cannot be used when attempting proxy login.");
            exit;
        }
    }
    /* get imap login password */
    if ($password === false) {
        /* standard functions */
        $password = sqauth_read_password();
    } else {
        /* old way. $key must be extracted from cookie */
        if (!isset($onetimepad) || empty($onetimepad)) {
            sqgetglobalvar('onetimepad', $onetimepad, SQ_SESSION);
        }
        /* Decrypt the password */
        $password = OneTimePadDecrypt($password, $onetimepad);
    }
    if (!isset($sqimap_capabilities)) {
        sqgetglobalvar('sqimap_capabilities', $sqimap_capabilities, SQ_SESSION);
    }
    $host = $imap_server_address;
    $imap_server_address = sqimap_get_user_server($imap_server_address, $username);
    $imap_stream = sqimap_create_stream($imap_server_address, $imap_port, $use_imap_tls, $stream_options);
    if ($imap_auth_mech == 'cram-md5' or $imap_auth_mech == 'digest-md5') {
        // We're using some sort of authentication OTHER than plain or login
        $tag = sqimap_session_id(false);
        if ($imap_auth_mech == 'digest-md5') {
            $query = $tag . " AUTHENTICATE DIGEST-MD5\r\n";
        } elseif ($imap_auth_mech == 'cram-md5') {
            $query = $tag . " AUTHENTICATE CRAM-MD5\r\n";
        }
        fputs($imap_stream, $query);
        $answer = sqimap_fgets($imap_stream);
        // Trim the "+ " off the front
        $response = explode(" ", $answer, 3);
        if ($response[0] == '+') {
            // Got a challenge back
            $challenge = $response[1];
            if ($imap_auth_mech == 'digest-md5') {
                $reply = digest_md5_response($username, $password, $challenge, 'imap', $host, $authz);
            } elseif ($imap_auth_mech == 'cram-md5') {
                $reply = cram_md5_response($username, $password, $challenge);
            }
            fputs($imap_stream, $reply);
            $read = sqimap_fgets($imap_stream);
            if ($imap_auth_mech == 'digest-md5') {
                // DIGEST-MD5 has an extra step..
                if (substr($read, 0, 1) == '+') {
                    // OK so far..
                    fputs($imap_stream, "\r\n");
                    $read = sqimap_fgets($imap_stream);
                }
            }
            $results = explode(" ", $read, 3);
            $response = $results[1];
            $message = $results[2];
        } else {
            // Fake the response, so the error trap at the bottom will work
            $response = "BAD";
            $message = 'IMAP server does not appear to support the authentication method selected.';
            $message .= '  Please contact your system administrator.';
        }
    } elseif ($imap_auth_mech == 'login') {
        // Original IMAP login code
        $query = 'LOGIN "' . quoteimap($username) . '" "' . quoteimap($password) . '"';
        $read = sqimap_run_command($imap_stream, $query, false, $response, $message);
    } elseif ($imap_auth_mech == 'plain') {
        /***
         * SASL PLAIN, RFC 4616 (updates 2595)
         *
         * The mechanism consists of a single message, a string of [UTF-8]
         * encoded [Unicode] characters, from the client to the server.  The
         * client presents the authorization identity (identity to act as),
         * followed by a NUL (U+0000) character, followed by the authentication
         * identity (identity whose password will be used), followed by a NUL
         * (U+0000) character, followed by the clear-text password.  As with
         * other SASL mechanisms, the client does not provide an authorization
         * identity when it wishes the server to derive an identity from the
         * credentials and use that as the authorization identity.
         */
        $tag = sqimap_session_id(false);
        $sasl = isset($sqimap_capabilities['SASL-IR']) && $sqimap_capabilities['SASL-IR'] ? true : false;
        if (!empty($authz)) {
            $auth = base64_encode("{$username}{$authz}{$password}");
        } else {
            $auth = base64_encode("{$username}{$username}{$password}");
        }
        if ($sasl) {
            // IMAP Extension for SASL Initial Client Response
            // <draft-siemborski-imap-sasl-initial-response-01b.txt>
            $query = $tag . " AUTHENTICATE PLAIN {$auth}\r\n";
            fputs($imap_stream, $query);
            $read = sqimap_fgets($imap_stream);
        } else {
            $query = $tag . " AUTHENTICATE PLAIN\r\n";
            fputs($imap_stream, $query);
            $read = sqimap_fgets($imap_stream);
            if (substr($read, 0, 1) == '+') {
                // OK so far..
                fputs($imap_stream, "{$auth}\r\n");
                $read = sqimap_fgets($imap_stream);
            }
        }
        $results = explode(" ", $read, 3);
        $response = $results[1];
        $message = $results[2];
    } else {
        $response = "BAD";
        $message = "Internal SquirrelMail error - unknown IMAP authentication method chosen.  Please contact the developers.";
    }
    /* If the connection was not successful, lets see why */
    if ($response != 'OK') {
        if (!$hide || $hide == 3) {
            //FIXME: UUURG... We don't want HTML in error messages, should also do html sanitizing of error messages elsewhere; should't assume output is destined for an HTML browser here
            if ($response != 'NO') {
                /* "BAD" and anything else gets reported here. */
                $message = sm_encode_html_special_chars($message);
                set_up_language($squirrelmail_language, true);
                if ($response == 'BAD') {
                    if ($hide == 3) {
                        return sprintf(_("Bad request: %s"), $message);
                    }
                    $string = sprintf(_("Bad request: %s") . "<br />\r\n", $message);
                } else {
                    if ($hide == 3) {
                        return sprintf(_("Unknown error: %s"), $message);
                    }
                    $string = sprintf(_("Unknown error: %s") . "<br />\n", $message);
                }
                if (isset($read) && is_array($read)) {
                    $string .= '<br />' . _("Read data:") . "<br />\n";
                    foreach ($read as $line) {
                        $string .= sm_encode_html_special_chars($line) . "<br />\n";
                    }
                }
                error_box($string);
                exit;
            } else {
                /*
                 * If the user does not log in with the correct
                 * username and password it is not possible to get the
                 * correct locale from the user's preferences.
                 * Therefore, apply the same hack as on the login
                 * screen.
                 *
                 * $squirrelmail_language is set by a cookie when
                 * the user selects language and logs out
                 */
                set_up_language($squirrelmail_language, true);
                sqsession_destroy();
                /* terminate the session nicely */
                sqimap_logout($imap_stream);
                // determine what error message to use
                //
                $fail_msg = _("Unknown user or password incorrect.");
                if ($display_imap_login_error) {
                    // See if there is an error message from the server
                    // Skip any rfc5530 response code: '[something]' at the
                    // start of the message
                    if (!empty($message) && $message[0] == '[' && ($end = strstr($message, ']')) && $end != ']') {
                        $message = substr($end, 1);
                    }
                    // Remove surrounding spaces and if there
                    // is anything left, display that as the
                    // error message:
                    $message = trim($message);
                    if (strlen($message)) {
                        $fail_msg = _($message);
                    }
                }
                if ($hide == 3) {
                    return $fail_msg;
                }
                logout_error($fail_msg);
                exit;
            }
        } else {
            if ($hide == 2) {
                return FALSE;
            }
            exit;
        }
    }
    /* Special error case:
     * Login referrals. The server returns:
     * ? OK [REFERRAL <imap url>]
     * Check RFC 2221 for details. Since we do not support login referrals yet
     * we log the user out.
     */
    if (stristr($message, 'REFERRAL imap') === TRUE) {
        sqimap_logout($imap_stream);
        set_up_language($squirrelmail_language, true);
        sqsession_destroy();
        logout_error(_("Your mailbox is not located at this server. Try a different server or consult your system administrator"));
        exit;
    }
    return $imap_stream;
}