Patch: forcing SSL before auth

Bron Gondwana brong at fastmail.fm
Sun Aug 9 07:24:05 EDT 2015


On Sun, Aug 9, 2015, at 20:18, Carlos Velasco wrote:
> Hi,
> 
> Right now, the "allowplaintext" option disallows using plain authentication if the session is not protected by TLS.
> However, this setting still allows a client to make MD5 or SHA1 auth without the session being protected by TLS. This can lead to a lack of data confidentiality when using non-plain auth.
> There are several admins now requesting to force TLS for all sessions, and although this can be done using "allowplaintext" and removing all mechs but Plain, it would be right to be able to provide another layer of security and use TLS+SHA1 or so...
> 
> Attached is a patch with a new imapd.conf option:
> forcetlsauth: 0 | 1. Default 0
> If enabled, all authentications require a TLS session negotiated before.

I'm happy with that.  We go a step further at FastMail and require SSL always (port 993).  See arguments here:

(sorry about the previous post - my laptop's horrible mouse/touchpad thing is finicky, and clicked the button for me as I switched windows to grab the link)

https://www.fastmail.com/help/technical/ssltlsstarttls.html

> Patch also "hides" AUTH and other authentication commands that are not allowed before TLS, in Capabilities commands.
> Patched in imapd, pop3d, nntpd, httpd.

Good plan.

> This patch does not break cyradm functionality at all, however I attach another patch for the cyradm perl part to allow a "--cafile" option (got tired of certificate validation warnings) and also fixed a minor bug when requesting capabilities from the server without the callback.

Sounds good to me.  Leena - any comments as the expert on cyradm these days? :)

> Please, consider committing this to mainstream.

I'll have a read through - but I have no objection in principle to these patches.

Thanks for submitting them!

Cheers,

Bron.

-- 
  Bron Gondwana
  brong at fastmail.fm
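
An added example, not part of the original thread or of the Cyrus patch: a check an admin could run over IMAP and POP3 capability listings captured before TLS, to confirm that no authentication mechanism is advertised on a cleartext session (the "hiding" behaviour described in the quoted message). The banner lines are constructed samples and the function names are hypothetical.

```python
import re

def imap_caps(lines):
    """Collect capability tokens from a greeting or an untagged CAPABILITY response."""
    caps = set()
    for line in lines:
        m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line)
             or re.match(r"\* CAPABILITY (.*)", line))
        if m:
            caps.update(tok.upper() for tok in m.group(1).split())
    return caps

def pop3_caps(lines):
    """Map each CAPA keyword to its arguments, skipping status line and terminator."""
    caps = {}
    for line in lines:
        line = line.strip()
        if not line or line == "." or line.startswith(("+OK", "-ERR")):
            continue
        word, *args = line.upper().split()
        caps[word] = args
    return caps

def audit_pre_tls(protocol, lines):
    """Return findings for a capability listing captured BEFORE TLS was negotiated."""
    findings = []
    if protocol == "imap":
        caps = imap_caps(lines)
        mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
        can_upgrade = "STARTTLS" in caps
        if "LOGINDISABLED" not in caps:
            findings.append("LOGIN allowed in cleartext (no LOGINDISABLED)")
    elif protocol == "pop3":
        caps = pop3_caps(lines)
        mechs = sorted(caps.get("SASL", []))
        can_upgrade = "STLS" in caps
        if "USER" in caps:
            findings.append("USER/PASS allowed in cleartext")
    else:
        raise ValueError("unsupported protocol: " + protocol)
    if mechs:
        findings.append("SASL offered before TLS: " + ", ".join(mechs))
    if not can_upgrade:
        findings.append("no TLS upgrade advertised")
    return findings

# Constructed sample: plaintext LOGIN is disabled, yet MD5 mechanisms are still offered.
IMAP_MD5_EXPOSED = ["* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 LOGINDISABLED] ready"]
```

An empty list from `audit_pre_tls` means the cleartext listing exposes no way to authenticate and still offers the TLS upgrade.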


More information about the Cyrus-devel mailing list