missing plain authentication explained?
Phil Pennock
info-cyrus-spodhuis at spodhuis.org
Sat Jul 22 15:26:35 EDT 2006
On 2006-07-21 at 19:15 -0700, Ross Boylan wrote:
> I'm not entirely clear about whether PLAIN can be used, even if not
> advertised, if the session is not secure. Since I'm doing everything
> on one box, it's not a big security risk (I think).
How about modifying cyrus.conf so that the listen directives say
listen="127.0.0.1:143" and make the cmd="imapd -p 10" or some other
value?
"1" means integrity protection but no confidentiality. OpenLDAP uses 71
for "unix-domain socket" (and yes, Cyrus IMAPd works with a Unix-domain
socket but most MUAs don't). 10 seems a reasonable middle ground for
"loopback, which is safe enough if I enable antispoof protection"; since
Unix uses a weak end-system model, where one IP address can be reached
from another interface, you'll need to make sure that your host's
packet-filter prevents packets addressed to 127.0.0.1 arriving on the
wire.
--
"Everything has three factors: politics, money, and the right way to do it.
In that order." -- Gary Donahue
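The reply above hinges on one condition: `imapd -p <ssf>` tells SASL that an external security layer of that strength already exists, so it is only safe when the matching `listen` directive is bound to loopback or a Unix-domain socket. As an added example (not part of the post, and not Cyrus code), here is a small Python lint over a constructed cyrus.conf fragment that flags a service claiming an external SSF on a non-local listener; the service names and paths in the sample are hypothetical.

```python
import re
import shlex
from ipaddress import ip_address

# Constructed cyrus.conf fragment (hypothetical service names and paths).
SAMPLE_CONF = """
SERVICES {
  # safe: external SSF claimed only on the loopback listener
  imap   cmd="imapd -p 10" listen="127.0.0.1:143" prefork=0
  # risky: same SSF claim, but bound to the wildcard address
  imapw  cmd="imapd -p 10" listen="143" prefork=0
  imaps  cmd="imapd -s" listen="imaps" prefork=0
  lmtp   cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
"""

def parse_services(text):
    """Return {name: {option: value}} for entries inside the SERVICES block."""
    services, inside = {}, False
    for line in text.splitlines():
        stripped = line.split('#', 1)[0].strip()   # drop comments
        if not stripped:
            continue
        if stripped.startswith('SERVICES'):
            inside = True
            continue
        if stripped.startswith('}'):
            inside = False
            continue
        if inside:
            name, rest = stripped.split(None, 1)
            # shlex removes the quotes around cmd="..." and listen="..."
            opts = dict(tok.split('=', 1) for tok in shlex.split(rest) if '=' in tok)
            services[name] = opts
    return services

def is_local_listener(listen):
    """True for a Unix-domain socket path or a loopback host:port."""
    if listen.startswith('/'):
        return True
    host = listen.rsplit(':', 1)[0].strip('[]') if ':' in listen else ''
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False   # bare port or service name means a wildcard bind

def claimed_ssf(cmd):
    """SSF asserted via 'imapd -p N'; 0 when no external layer is claimed."""
    m = re.search(r'(?:^|\s)-p\s*(\d+)', cmd)
    return int(m.group(1)) if m else 0

def risky_services(text):
    """Services asserting an external SSF without a local-only listener."""
    return sorted(n for n, o in parse_services(text).items()
                  if claimed_ssf(o.get('cmd', '')) > 0
                  and not is_local_listener(o.get('listen', '')))
```

Even a clean report still assumes the host's packet filter drops packets for 127.0.0.0/8 that arrive on a real interface, as the post notes; the lint cannot see that.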