how are 'sasl_minimum_layer' & TLS related/dependent?

OpenMacNews openmacnews at speakeasy.net
Sun Oct 9 16:57:20 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

hi mitu,

1st, THANKS very much for your time ... your comments have been a great guide!  =)


>>>>which, i think, is what i SHOULD be seeing
>
>>  yes, this is correct.


gr8!



>>>>strangely, i still do NOT see STARTTLS advertised in TBird's imap session protocol log:

[..]

>> That's because the connection is already under the SSL layer, logging
>> was done by cyrus/imaps. Cyrus logs this connection as starttls and adds
>> 'no authentication'

[..]

>> It's perfectly normal.


aha.  THAT'S why 'no authentication' is there :-}



>>>>why do i have this sneaking suspicion that TBird's STARTTLS implementation is not 100% ... ?


...

>>  I forgot about TB's inability to support the 'STARTTLS' command and a
>> quick test at my server showed that.


ok, so i'm NOT losing my mind. (at least not on THIS issue ...)


>> TB (1.5beta2) and voila !



>>  This is TLS over the 143 port, which I cannot convince TB 1.0.7 to do.
>>  In the new TB build you have as security options
>>    [ ] TLS, if available
>>    [ ] TLS
>>    [ ] SSL.
>> these are the same settings TB has currently (1.0.7) for the SMTP server (which
>> has its own SMTP 'STARTTLS' command and smtps mode just as IMAP has).


excellent.


>>  I cannot tell right now if the older Mozilla suite builds have the same
>> options as the recent Seamonkey build has, but since you use TB then it
>> means that for now you'll just use imaps and wait for a new release.


can't move to it yet, as most of the extensions i want aren't yet compatible :-/

but, that's good news on the horizon!

now,

                              TO SUMMARIZE

... for those likewise interested, here's what i've "landed on", given mitu's help/clarification
 ...

my goal state:

	server == CyrusIMAP 2.2.12 cvs
	TBird v1.0.7
		TLS connection + encrypted login

	cyradm connection to server
		ONLY via: SSH TO server
		logging in to server's LOCALHOST intfc
		under encryption layer
		using:
				cyradm \
				--user my.admin \
				--auth DIGEST-MD5 \
				--port 143 \
				--server localhost


to make this all work (from now, until TBird 1.5b2 is an option for me ...),

since cyradm does NOT apparently have capability to login w/ TLS encryption, i've split my imap config in two,



	{
		#### QUESTION ####
		NOTE:  it is NOT clear to me, yet, whether sasl_minimum_layer > 129
		       has any further effect, as all allowed MECHS (plain, cram, digest)
		       are already forced to use TLS ...

		i.e., is there ANY further difference between, e.g.,
		       "sasl_minimum_layer: 129" and "sasl_minimum_layer: 256"?
	}



====================================================
imapd.conf:

	# this is for all IMAP logins to mail server's EXTERNAL intfc
	# cyradm to EXTERNAL intfc will NOT work, reporting:
	#   badlogin: ... DIGEST-MD5 [SASL(-15): mechanism too weak for this user: mech DIGEST-MD5 is too weak]

	sasl_mech_list:         PLAIN CRAM-MD5 DIGEST-MD5
	allowplaintext:         no
	sasl_minimum_layer:     129

	# if  'sasl_minimum_layer'  then CAPABILITY advertises
	#     -------------------        ------------------------------------------------------
	#             0                   STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5
	#             1-128               STARTTLS LOGINDISABLED AUTH=DIGEST-MD5
	#             >=129               STARTTLS LOGINDISABLED

	@include: imapd-common.conf
====================================================

====================================================
imapd-local.conf

	# this defines/enables cyradm login for LOCALHOST, requiring
	# DIGEST-MD5's encryption 'strength'

	sasl_minimum_layer:     128
	sasl_mech_list:         DIGEST-MD5
	allowplaintext:         no

	@include: imapd-common.conf
====================================================



with cyrus.conf config'd as:

	...
	SERVICES {
	    imap         cmd="imapd    -C imapd.conf"       listen="10.0.0.5:imap"   prefork=1
	    imaps        cmd="imapd -s -C imapd.conf"       listen="10.0.0.5:imaps"  prefork=1
	    imaplocal    cmd="imapd    -C imapd-local.conf" listen="127.0.0.1:imap"  prefork=1
	...


finally, i've configured TBird v1.0.7 as:

	================================
	Account Settings>(this account)>Server Settings

		Server Type: IMAP Mail Server
		Server Name: {mail.testdomain.com}
		Port: {993} Default: 993

		[x] Use secure connection (SSL)
		[x] Use secure authentication

	>Advanced ...

		IMAP server directory: (blank)
		[ ] Show only subscribed folders
		[X] Server supports folders that contain sub-folders and messages
		[X] Use IDLE command if the server supports it
		--------------------------------------
		Maximum number of server connections to cache {5}
		--------------------------------------
		Personal namespace: ""
		Public (shared): "Shared/"
		Other Users: "Users/"
		[X] Allow server to override these namespaces
	================================


for now, this gets me up/running & secure. =:-)

thx! again, mitu!

cheers,

richard

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)

iEYEAREDAAYFAkNJhDAACgkQGnqMy4gvZ6FH5QCeM4Wh4sLYgrbKpgHD3F76QjQz
/eUAn2em+f1cbRQfWCL9X37t/3w397Pv
=P8Bi
-----END PGP SIGNATURE-----
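The CAPABILITY table in the post (what the server advertises at sasl_minimum_layer 0, 1-128 and >=129) and the open question about 129 vs 256 both come down to one piece of Cyrus SASL arithmetic: a mechanism is listed only if the security layer it can negotiate on its own covers whatever part of min_ssf is not already supplied by TLS (the "external" SSF, taken from the negotiated cipher's key bits). The script below, added here as an editorial example and not code from the post or from the Cyrus project, models that rule and also audits a CAPABILITY line seen before STARTTLS for anything that would expose a password or a crackable challenge/response. The per-mechanism maximum SSF values in `MECH_MAX_SSF` are an assumption drawn from the Cyrus SASL plugins (PLAIN and CRAM-MD5 provide no layer, DIGEST-MD5 up to 128 bits); the sample CAPABILITY lines are constructed from the table in the post, and `live_capability` is only a convenience for checking a real server you have access to.

```python
"""Model Cyrus SASL mechanism advertisement vs sasl_minimum_layer, and audit a
pre-STARTTLS IMAP CAPABILITY line.  Editorial example, not part of the post."""
import imaplib

# Assumption (from the Cyrus SASL plugins): the largest security layer (SSF)
# each mechanism can negotiate by itself.  PLAIN and CRAM-MD5 offer none;
# DIGEST-MD5 can add an integrity/privacy layer of up to 128 bits.
MECH_MAX_SSF = {"PLAIN": 0, "CRAM-MD5": 0, "DIGEST-MD5": 128}


def advertised_mechs(mech_list, minimum_layer, external_ssf=0, allowplaintext=False):
    """Return the mechanisms a Cyrus server would list in CAPABILITY.

    minimum_layer  : sasl_minimum_layer from imapd.conf (SASL min_ssf)
    external_ssf   : SSF already supplied by TLS (cipher key bits); 0 before STARTTLS
    allowplaintext : imapd.conf allowplaintext
    A mechanism is offered only if its own layer can cover min_ssf - external_ssf.
    """
    needed = max(0, minimum_layer - external_ssf)
    offered = []
    for mech in mech_list:
        # allowplaintext: no hides PLAIN (and LOGIN) until the link is encrypted
        if mech == "PLAIN" and not allowplaintext and external_ssf == 0:
            continue
        if MECH_MAX_SSF[mech] >= needed:
            offered.append(mech)
    return offered


def parse_capability(line):
    """Parse an untagged CAPABILITY response into the parts relevant to auth."""
    toks = line.strip().split()
    if toks[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    caps = toks[2:]
    return {
        "starttls": "STARTTLS" in caps,
        "login_disabled": "LOGINDISABLED" in caps,
        "auth": [c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")],
    }


def audit_pre_tls(line):
    """Findings for a CAPABILITY line observed on a cleartext connection."""
    cap = parse_capability(line)
    findings = []
    if not cap["starttls"]:
        findings.append("no STARTTLS: session cannot be upgraded to TLS")
    if not cap["login_disabled"]:
        findings.append("LOGIN permitted: password would travel in cleartext")
    if "PLAIN" in cap["auth"]:
        findings.append("AUTH=PLAIN offered: password would travel in cleartext")
    for mech in ("CRAM-MD5", "DIGEST-MD5"):
        if mech in cap["auth"]:
            findings.append("AUTH=%s offered before TLS: challenge/response is "
                            "exposed to an offline dictionary attack" % mech)
    return findings


def live_capability(host, port=143, starttls=False):
    """Capability list of a real server (host/port are assumptions), optionally
    re-read after STARTTLS; imaplib refreshes .capabilities on starttls()."""
    conn = imaplib.IMAP4(host, port)
    try:
        if starttls:
            conn.starttls()
        return list(conn.capabilities)
    finally:
        conn.logout()


if __name__ == "__main__":
    mechs = ["PLAIN", "CRAM-MD5", "DIGEST-MD5"]
    # Constructed line matching the post's table for sasl_minimum_layer >= 129.
    print(audit_pre_tls("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"))
    for layer in (0, 1, 128, 129, 256):
        print(layer,
              "pre-TLS:", advertised_mechs(mechs, layer),
              "TLS/128-bit:", advertised_mechs(mechs, layer, external_ssf=128),
              "TLS/256-bit:", advertised_mechs(mechs, layer, external_ssf=256))
```

Run as-is and the table reproduces the post's observations (0: CRAM-MD5 and DIGEST-MD5; 1-128: DIGEST-MD5 only; >=129: nothing before STARTTLS). The last two columns are where 129 and 256 part ways under this model: behind a 128-bit TLS cipher, 129 leaves only DIGEST-MD5 (it must add one bit of its own layer, so PLAIN and CRAM-MD5 drop out), while 256 behaves the same at 128-bit and only allows all three mechanisms once the TLS cipher itself is 256-bit. That is the check to run against the external interface before relying on the split-config setup.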




More information about the Info-cyrus mailing list