Patch: forcing SSL before auth

Nic Bernstein nic at onlight.com
Sun Aug 9 13:40:26 EDT 2015


Carlos,
Could you add a stanza to /lib/imapoptions describing any configuration 
options you've added?  Don't worry if it's not perfect, just get something 
in there so we documentation folk can make sure they get into the man pages.

Thanks!
     -nic

On 08/09/2015 09:17 AM, Carlos Velasco wrote:
> Version 2 patch. Including timsieved.
> Also in the patch is some code for Serverinfo switch in timsieved to not disclose name and/or version info in "IMPLEMENTATION" if Serverinfo is Off or Min.
>
> Regards,
> Carlos Velasco
>
> -------- Original Message --------
> Subject: Patch: forcing SSL before auth
> From: Carlos Velasco <carlos.velasco at nimastelecom.com>
> To: cyrus-devel at lists.andrew.cmu.edu
> Date: 9/8/2015 12:18:36
>> Hi,
>>
>> Right now, the "allowplaintext" option disallows using a plain authentication if the session is not protected by TLS.
>> However, this setting still allows a client to make MD5 or SHA1 auth without the session being protected by TLS. This can lead to no data confidentiality when using non-plain auth.
>> There are several admins now requesting to force TLS for all sessions, and although this can be done using "allowplaintext" and removing all mechs but Plain, it would be right to be able to provide another layer of security and use TLS+SHA1 or so...
>>
>> Attached is a patch with a new imapd.conf option:
>> forcetlsauth: 0 | 1. Default 0
>> If enabled all authentications require a TLS session negotiated before.
>>
>> Patch also "hides" AUTH and other authentication commands that are not allowed before TLS in Capabilities commands.
>> Patched in imapd, pop3d, nntpd, httpd.
>>
>> This patch does not break cyradm functionality at all; however, I attach another patch for the cyradm perl part to allow a "--cafile" option (got tired of certificate validation warnings) and also fix a minor bug when requesting capabilities from the server without the callback.
>>
>> Please, consider committing this to mainstream.
>>
>> Regards,
>> Carlos Velasco
>>

-- 
Nic Bernstein                             nic at onlight.com
Onlight llc.                              www.onlight.com
219 N. Milwaukee St., Ste. 2A             v. 414.272.4477
Milwaukee, Wisconsin  53202               f. 414.290.0335
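The gating policy Carlos describes (existing "allowplaintext" versus the proposed "forcetlsauth", plus hiding AUTH mechanisms in CAPABILITY before STARTTLS) modelled as a small Python example. This is an added illustration, not code from the patch or from Cyrus; the mechanism names, the classification of PLAIN/LOGIN as plaintext, and the use of LOGINDISABLED are assumptions.

```python
# Model of the pre-TLS authentication policy discussed in the thread.
# Added example; not the patch's own code. Mechanism list is assumed.

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # these carry the password in clear


def auth_allowed(mech, tls_active, allowplaintext=False, forcetlsauth=False):
    """Return True if `mech` may be used on this connection."""
    if tls_active:
        return True                 # anything goes once TLS is negotiated
    if forcetlsauth:
        return False                # proposed option: nothing before STARTTLS
    if mech.upper() in PLAINTEXT_MECHS and not allowplaintext:
        return False                # existing behaviour: no plain mechs in clear
    return True                     # CRAM-MD5 etc. still offered in clear


def capability_line(mechs, tls_active, allowplaintext=False,
                    forcetlsauth=False, starttls_available=True):
    """Build the IMAP CAPABILITY response, hiding what is not permitted."""
    caps = ["IMAP4rev1"]
    if starttls_available and not tls_active:
        caps.append("STARTTLS")
    caps += ["AUTH=" + m for m in mechs
             if auth_allowed(m, tls_active, allowplaintext, forcetlsauth)]
    if not auth_allowed("LOGIN", tls_active, allowplaintext, forcetlsauth):
        caps.append("LOGINDISABLED")   # RFC 2595: tell clients not to try LOGIN
    return "* CAPABILITY " + " ".join(caps)


def leaks_auth_before_tls(capability_response):
    """Defender check on a captured pre-STARTTLS CAPABILITY line:
    True if the server still offers any way to authenticate in clear."""
    tokens = [t.upper() for t in capability_response.split()]
    offers_sasl = any(t.startswith("AUTH=") for t in tokens)
    offers_login = "LOGINDISABLED" not in tokens
    return offers_sasl or offers_login
```

Constructed pre-STARTTLS capability lines can be fed to leaks_auth_before_tls to confirm that a server configured with forcetlsauth advertises no authentication path in clear.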