Patch: forcing SSL before auth

Carlos Velasco carlos.velasco at
Fri Aug 14 05:57:49 EDT 2015

From: Ken Murchison <murch at>
Date: 13/8/2015 19:13:49

> I know this patch has already been applied to Git, but it shouldn't be 
> necessary, and can probably be backed out.  If you want to force 
> confidentiality, all you need to do is to set sasl_minimum_layer to 2 or 
> higher.  With a value of 2, DIGEST-MD5, GSSAPI, and KERBEROS_V4 will 
> still be advertised because they all have their own confidentiality 
> layers (up to 128 bits).  If you want to force TLS to be used before any 
> SASL mechs are advertised, set sasl_minimum_layer to 129 or higher.

>> Attached is a patch with a new imapd.conf option:
>> forcetlsauth: 0 | 1. Default 0
>> If enabled all authentications require a TLS session negotiated before.
>> Patch also "hides" AUTH and other authentication commands that are not allowed before TLS, in Capabilites commands.
>> Patched in imapd, pop3d, nntpd, httpd.

Ken, I have not tested setting sasl_minimum_layer 129 yet, but I don't think that to be the right way to go with this.
First of all, SSF is an "obscure" setting that is not really well documented (if documented at all...), also googling there are plenty of complaints around all Internet about confusing SSF configurations, specially for OpenLDAP... why setting SASL SSF minimum 129 is forcing TLS? What about if any mech in the future or external mech makes a SSF value above this?
But the most important thing here IMHO is... why a SASL (handled by Cyrus SASL) setting should be related to TLS/SSL (handled by Openssl/GnuTLS...). SASL should deal with authentication and SSL with encryption, mixing both (different) things in just one of them (SASL setting) instead of the upper app layer (Cyrus IMAP setting) is not a good idea at all.

More information about the Cyrus-devel mailing list