Category: Fedora

Yes, the Fedora 43 upgrade brought an interesting revelation for all Outlook users—one that Microsoft is unlikely to be thrilled about. Outlook was not encrypting email connections, even though SSL/TLS was clearly enabled in the account settings. It looks like, that bug dates back to at least Outlook 2007, which is the oldest Outlook version I was informed about.

Let us start with the beginning

Every six months, Fedora Servers require and upgrade to the next release version, as you all know This May we had to upgrade from 42 to 43 and in this upgrade, Dovecot POP/IMAP server switched to version 2.4.3. Dovecot did us all an unexpected favor, because it required a full rewrite of the used service config, because it’s not backwards compatible. This change introduced a new paradigm: PLAIN TEXT passwords are no longer allowed over unencrypted connections.

This is a major break with the oldest RFCs (i.e. RFC 1081) regarding POP3 behavior, but a good one IMHO. No one should still use unencrypted connections to any form of service on the internet when we have easy to use encryption protocols like STARTTLS (STLS) at hand in any major client.

The Day After

After the upgrade, “we” (admins & customers) did not even know about the now broken auth-mechanism. This came a day later when customers started to call the support line about rquesters popping up for them to enter their passwords again. This is a normal behavior if auth fails… and it failed hard

As all admins know, such upgrades will result in higher amounts of support calls. To my surprise it was all Outlook clients that called. The oldest version so far was Outlook 2007. We even had an old MACOS Outlook :-). They all had in common, that the mailbox prefs had “SSL/TLS” enabled, but used Port 110, which is the old cleartext port for POP3, where port 995 is the correct SSL port. A normal mailclient would change the port number to 995 as soon as you enable SSL/TLS encryption. This is because you can’t “speak” SSL on a non-ssl port, except if you choose STARTTLS. This starts as a cleartext connection, but upgrades itself to ssl-encrypted later.

“Look, there is something out there!”

Outlook did the worst move you can take as a security enhanced app. It silently ignored the choosen SSL option and used the unencrypted port 110 without any notice to the user. After our server upgrade, the following message popped up:

“-ERR [AUTH] Cleartext authentication disallowed on non -secure ( SSL/TLS ) connections.“ popped up if you tried to open your inbox. The server logs revealed it clearly: the user used a non-secure connection and got this message correctly. This never got noticed since the EU GDRP only states, that corporations and organisations need to protect their data via a transport encryption like TLS. Normal persons don’t need to do so.

Even some of the notable folks of Fedora did not use encryption, which I personally advise to change immediately. Having this in mind, who are we to judge if you encrypt your connection or not?

Really folks: use TLS encryption for your mailboxes!

You can easily check if TLS encryption is working. Send yourself an mail and open the mail headers, you will find lines like this:

Received: from bastion01.fedoraproject.org ([38.145.32.11] helo=bastion.fedoraproject.org)
by s113.resellerdesktop.de with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384
(Exim 4.99.2)
(envelope-from <updates@fedoraproject.org>)
…
Any good MTA ( Exim, Postfix, etc. ) will note if the connection was encrypted or not.

If you don’t see an encryption notice, you can use this command:

tcpdump -A -n -n port 110 or port 143 

in a root terminal and see if the unencrypted port is used for transport. If so, if it’s cleartext or if it’s using STLS.

So… THANKS Fedora 43 and Dovecot 2.4 … you revealed a 20 year old security bug in Outlook \o/

Disclaimer: It is possible that MS patched the Outlook UI in the past in a way that only old accounts are affected by this major fail. As Fedora users we had no Outlook available to test this

Source: https://marius.bloggt-in-braunschweig.de/2026/06/03/outlook-hat-emailverbindung-nicht-verschluesselt/

A year ago, a family member gave me a 2019 laptop that wouldn’t run Windows anymore. And of course, I immediately installed Fedora Linux on it. While my day-to-day Fedora Linux system is a desktop PC, it’s nice to have a laptop to take with me when I do workshops or conference demos.

However, the laptop has a physical “spinning heads” hard disk, so it is really slow to boot. I timed it; the laptop takes almost two minutes to go from “power on” to “login prompt.” And that’s a very long time when you’re at the front of the room, waiting to start a demo.

I thought about replacing the hard disk with a solid state drive, but when I opened the laptop to make sure the drive was replaceable, I saw that the laptop also supports an NVMe solid state drive in addition to the hard disk.

This presented an interesting opportunity: I could put in an NVMe drive and install Fedora Linux across two disks. Specifically, I wanted to boot Fedora Linux from the NVME drive, and keep extra apps and other data on the hard disk. I use several big third-party apps for my demos, which I install in both /opt and /usr/local, and it’s a huge pain to download and install those extra applications whenever I upgrade Fedora Linux. (I prefer to wipe and reinstall when I upgrade Fedora Linux, so I always have a clean starting point.) If I could keep /opt and /usr/local on the hard disk, I could preserve those when I install the next version of Fedora Linux.

Installing Fedora Linux to the NVMe

After installing a new NVMe drive in the laptop, I needed to reinstall Fedora Linux. I prefer the Xfce desktop, so I downloaded the Fedora Xfce spin and booted the installer. When the installer reached the “Destination” step, it prompted me for the target disk. I clicked “Choose destination” and selected the NVMe disk:

The rest of the installation ran normally. The Fedora Linux installer set up the partitions automatically on the new NVMe drive, encrypted my data, and installed the operating system.

With Fedora Linux on the NVMe drive, booting took seconds instead of minutes. Again, I timed it: about 20 seconds to go from “power on” to “login prompt.” That’s a huge improvement!

Setting up partitions on the hard disk

The disk partition app in the Fedora Xfce is GParted, which makes it easy to set up the hard disk with new partitions. However, GParted’s main limitation is that it can’t set up encrypted volumes for you. If you want to use encryption, you’ll need to use the command line and run cryptsetup on your own.

However, I’m not very concerned about encrypting my /opt and /usr/local partitions. These are just third-party apps, not private data. My personal data will be saved to my home directory, which is safely encrypted on the NVMe drive. So I decided to set up regular partitions, formatted as ext4 filesystems.

I used GParted to delete the old partitions on the hard disk, and define three partitions that were each about 300 GB: /opt (which I labeled as opt), /usr/local (labeled usrlocal) and /backup (labeled backup). GParted created the partitions and wrote an ext4 filesystem on each.

However, the /usr/local filesystem has a directory tree in it already, such as /usr/local/bin and /usr/local/lib, although these directories will be empty after installing Fedora Linux. I wanted to copy the original directories to the new filesystem. The easiest way to do that is to add the new usrlocal partition somewhere else and then copy the old /usr/local to the new partition. Adding a partition to a directory is called mounting, and the directory itself is called a mount point.

First, I needed to create a new mount point for the usrlocal partition, which can be located anywhere on the filesystem. Since this was temporary, I created it under /tmp then mounted the new partition using the mount command:

$ sudo mkdir /tmp/usrlocal
$ sudo mount LABEL=usrlocal /tmp/usrlocal

Then I copied the contents of the old /usr/local to the new /tmp/usrlocal mount point. The -a or –archive option copies everything:

$ cd /usr/local
$ sudo cp --archive * /tmp/usrlocal

After the process is complete, I unmounted the new partition:

$ sudo umount /tmp/usrlocal

Adding the partitions to the system

To make sure the new partitions are automatically mounted every time my laptop reboots, I needed to add them to my /etc/fstab file. This is a special file that contains the filesystem table, which is a list of partitions that the system can find on the disk and where to mount them. For example, my default /etc/fstab file looks like this:

#
# /etc/fstab
# Created by anaconda on Sat May 23 20:15:13 2026
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
UUID=c10ec138-be4b-4513-89b7-749ef4a0605e / btrfs subvol=root,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=a87b1ed4-4951-4da1-a4a4-a5c48f1f3b28 /boot ext4 defaults 1 2
UUID=9AD9-2C52 /boot/efi vfat umask=0077,shortname=winnt 0 2
UUID=c10ec138-be4b-4513-89b7-749ef4a0605e /home btrfs subvol=home,compress=zstd:1,x-systemd.device-timeout=0 0 0

Each line in the /etc/fstab file is divided into several fields: the identifier for the filesystem (to learn more about these, see Persistent Identifiers for Storage Devices in the Fedora online documentation), the mount point, the filesystem type, a list of mount options, and two optional fields that control if backup software should “dump” the filesystem to backup media (use 0 for never) and what order the fsck command should check filesystems when needed (usually 1 for the root filesystem, or 2 for other filesystems). I added these lines to my /etc/fstab file, which defined the mount points for each of my new filesystems:

LABEL=backup /backup ext4 defaults,noatime 0 2
LABEL=opt /opt ext4 defaults,noatime 0 2
LABEL=usrlocal /usr/local ext4 defaults,noatime 0 2

This is an internal drive, so it should be there every time the laptop boots up. If you add removable storage to the /etc/fstab file, such as a USB drive, you should add the nofail option to this list of mount options. Otherwise, if the partition is not available when Linux starts up, the system will hang.

With these lines in the /etc/fstab file, I ran these commands to reload the /etc/fstab file, create the /backup mount point, and mount each of the filesystems:

$ sudo systemctl daemon-reload
$ sudo mkdir /backup $ sudo mount /backup
$ sudo mount /opt
$ sudo mount /usr/local

This generated an SELinux alert right away, complaining that the new /usr/local filesystem lacked the correct security context. The security information wasn’t “carried over” when copying the old /usr/local directory tree. Fortunately, the SELinux error provides the solution:

To restore the default SELinux security contexts to the new /usr/local directory tree, I ran the restorecon command. The -v option will print what it does to fix the system:

$ sudo restorecon -v /usr/local
Relabeled /usr/local from system_u:object_r:unlabeled_t:s0 to system_u:object_r:usr_t:s0
Relabeled /usr/local/lost+found from system_u:object_r:unlabeled_t:s0 to system_u:object_r:usr_t:s0

Filesystem flexibility

With just a few extra steps, I was able to use two disks with Fedora Linux, which lets me take full advantage of the storage on my laptop. The operating system now runs from the very fast NVMe drive, while my big third-party applications in /usr/local and /opt run from the hard disk.

Introduction Earlier this year, the community was invited to share their thoughts on a potential new initiative called “Fedora Verified“. The goal of this survey was not to make final decisions, but to listen – to understand what contributors value, where opinions differ, and what questions still need answering.

This is a summary of what we found.

Note: Fedora Verified is still a conceptual idea under discussion by the Fedora Council. Nothing has been finalized. The Council plans to continue these conversations with the community in the coming months, including at Flock.

Who responded?

The survey received 90 fully completed responses from contributors across the Fedora community. We focused our analysis exclusively on these full responses to ensure we are looking at complete, thoughtful feedback.

What the community said

Key Takeaways – When we looked at the data, a few incredibly clear themes emerged regarding what contributors want this program to look like if it moves forward:

• Code isn’t everything: This was the loudest piece of feedback. A massive 66% of respondents explicitly stated that all types of contributions – including documentation, design, event organization, and community support – must carry the exact same weight as code contributions.
• Keep the door open for newcomers: Nearly 40% of respondents expressed concern that adding a “Verified” status might intimidate new contributors and make it harder for them to get started. Any future model needs a welcoming, clear on-ramp.
• 12 months is too short: We proposed that the Verified status would expire after 12 months of inactivity. A majority (52%) rejected this, feeling that life gets in the way and a 12-month expiry is too strict.
• Show us our progress: To help navigate the path to becoming Verified, 53% of respondents asked for a visual contribution tracking dashboard (similar to an enhanced Fedora Badges experience).

The Tension: Structure vs. Flexibility

The results also reveal two interesting and contrasting groups within the community regarding governance of the program.

A notable portion of contributors expressed a desire for more rigidity, wanting clearly defined milestones (43%) and formal committee reviews. At the same time, a similarly sizable group preferred less structure, with 62% asking for a moderately or lightly structured path, feeling that too much formality could discourage participation.

This tension was one of the most valuable findings of the survey. It shows that the Fedora Verified concept touches on something the community feels strongly about in different directions. Both perspectives are valid – setting clear expectations while leaving room for diverse contribution styles. The Council must achieve a careful balance as it moves forward.

What comes next?

These findings are being shared with the Fedora Council and relevant SIGs to inform future community conversations. The full analysis report, including a detailed breakdown of all survey responses, is available here: “Analysis Report.”

If you have thoughts or feedback on these findings, we’d love to hear from you on “Fedora Discussion.”