PLAIN authentication in Cyrus IMAPd

Torsten Schlabach TSchlabach at gmx.net
Tue Dec 22 05:37:18 EST 2009


Hi Ken, Hi David!

> I think you have to set "allowplaintext: 1" in your imapd.conf

My apologies; I had that, I just forgot to mention.

Also making some more experiments, I found that my problem is *not* that PLAIN is not enabled. The problem seems to be that it's not announced in the CAPABILITY. It actually does work, even when it's not announced.

But unfortunately, my client will not even try, but just says: No mechs available!

In detail:

I have in my imapd.conf:

sasl_mech_list: PLAIN
sasl_minimum_layer: 0
allowplaintext: 1

My capabilities string looks like this:

S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE MUPDATE=mupdate://192.168.9.10/
S: C01 OK Completed

Now I change one line

sasl_mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5

and my capabilities string looks like this:

S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE MUPDATE=mupdate://192.168.9.10/ AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR
S: C01 OK Completed

Is it a rule that AUTH=PLAIN and AUTH=LOGIN are never advertised even if they are enabled?

Regards,
Torsten


-------- Original Message --------
> Date: Mon, 21 Dec 2009 12:40:09 -0500
> From: Ken Murchison <murch at andrew.cmu.edu>
> To: cyrus-devel at lists.andrew.cmu.edu
> Subject: Re: PLAIN authentication in Cyrus IMAPd

> 
> 
> David G McMurtrie wrote:
> > On Mon, 21 Dec 2009, Torsten Schlabach wrote:
> > 
> >> Dear list!
> >>
> >> I am using Cyrus IMAPd 2.2.13 on Debian Lenny. I tried to configure my
> >> IMAPd to allow PLAIN authentication, even over non-encrypted
> >> connections. (This is a pure Intranet deployment and I understand the 
> >> risk.)
> >>
> >> Despite setting the appropriate options in imapd.conf, i.e.:
> >>
> >> sasl_mech_list: PLAIN
> >> sasl_minimum_layer: 0
> >>
> >> the server just refuses to announce PLAIN as an authentication mechanism.
> > 
> > I think you have to set "allowplaintext: 1" in your imapd.conf and also 
> > specify your imap service in cyrus.conf as cmd="imapd -p 2" to tell it 
> > there's an external security layer in place.
> 
> The two methods that Dave mentions are mutually exclusive.  Either one 
> by itself should work.  The 'allowplaintext' option works across all 
> services.  The '-p 2' option can be specified on a per-service basis, 
> perhaps on the imapd listening on a private network, while the public 
> network still requires PLAIN+TLS.
> 
> -- 
> Kenneth Murchison
> Systems Programmer
> Carnegie Mellon University
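
The Python below is an added example, not part of the original thread or of Cyrus. It parses an untagged CAPABILITY response and reports which SASL mechanisms it advertises, using the two responses quoted in the message above as sample input. The function and variable names are illustrative.

```python
import re

# The two responses quoted in the message above (PLAIN only, then four mechs).
BASE = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID "
        "NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT "
        "THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE "
        "MUPDATE=mupdate://192.168.9.10/")
PLAIN_ONLY = "S: " + BASE
FOUR_MECHS = "S: " + BASE + " AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR"

# Mechanisms that put the password itself on the wire (base64 is not protection).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capability(line):
    """Split an untagged CAPABILITY response (optionally prefixed with 'S: ')
    into a set of plain capabilities and an ordered list of AUTH= mechanisms."""
    m = re.match(r"^(?:S:\s*)?\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I)
    if not m:
        raise ValueError("not an untagged CAPABILITY response")
    caps, mechs = set(), []
    for token in m.group(1).split():
        upper = token.upper()          # capability names are case-insensitive
        if upper.startswith("AUTH="):
            mechs.append(upper[5:])
        else:
            caps.add(upper)            # e.g. MUPDATE=..., THREAD=..., SASL-IR
    return caps, mechs

def audit(line):
    """Summarise what a client that trusts the advertisement would see."""
    caps, mechs = parse_capability(line)
    return {
        "mechs": mechs,
        "cleartext_advertised": sorted(CLEARTEXT_MECHS & set(mechs)),
        "starttls": "STARTTLS" in caps,
        "logindisabled": "LOGINDISABLED" in caps,
        # A client that only tries advertised mechanisms has nothing to try.
        "client_has_no_mechs": not mechs,
    }

if __name__ == "__main__":
    for label, line in (("PLAIN only", PLAIN_ONLY), ("four mechs", FOUR_MECHS)):
        print(label, audit(line))
```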

