feature request: support STARTTLS for LMTP preauth'd connection

Marty Lee marty at maui-systems.co.uk
Tue Jun 14 05:26:41 EDT 2016

You could use something like 'stunnel' to protect arbitrary connections between hosts. LMTP is normally for connections between services on the same host, so I'm not surprised that Cyrus isn't using TLS for it.

Marty Lee
Maui Systems Ltd

> On 14 Jun 2016, at 10:16, qyb via Cyrus-devel <cyrus-devel at lists.andrew.cmu.edu> wrote:
> I use "lmtpd -a" to listen on a NIC interface and receive LMTP requests from a remote Postfix instance. Now preauth works, but mail data was transferred without encryption.
> I guess the commit you mentioned disabled STARTTLS because the author thinks we just need SSL to protect PLAIN password auth requests. Personally, I think all mail data should be encrypted in Internet transfer.
>> On Tue, Jun 14, 2016 at 9:25 AM, ellie timoney via Cyrus-devel <cyrus-devel at lists.andrew.cmu.edu> wrote:
>>> On Wed, Jun 1, 2016, at 03:28 AM, qyb via Cyrus-devel wrote:
>>> I noticed that Cyrus disables TLS on preauth'd connections.
>>> Authentication info (plain password, ...) needs TLS protection. And I think that the RFC 822 text also needs TLS.
>> Can you expand on this a bit?
>> As far as I understand, connections are only ever preauth'd when they come in via UNIX-domain sockets, which are inherently local.  What are you trying to protect, and from whom?
>> For what it's worth, it looks like STARTTLS used to work (at least to some degree) for preauth'd LMTP, but was explicitly disabled in 2001 by this commit:
>> https://cgit.cyrus.foundation/cyrus-imapd/commit/?id=b93e6be5b19362f9e295b40ceb81b702d73de6bb
>> So I guess you might be able to re-enable it by doing the inverse of that, though I'm not really seeing the point?
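The stunnel approach suggested above, as an added example that is not from this thread or the Cyrus project: a server-side stunnel on the Cyrus host in front of a loopback-only `lmtpd -a`, and a client-side stunnel on the Postfix host, with mutual certificate checks so that only the Postfix host can reach the preauthenticated listener. Host names, ports, file paths and the certificate layout are assumptions.

```ini
; --- /etc/stunnel/lmtp-server.conf on the Cyrus host (assumed path) ---
; Assumes cyrus.conf binds the preauth'd listener to loopback only, e.g.
;   lmtp cmd="lmtpd -a" listen="127.0.0.1:24"
; so that the TLS tunnel is the only network-facing way to reach it.
[lmtp-server]
accept  = 0.0.0.0:2424
connect = 127.0.0.1:24
cert    = /etc/stunnel/cyrus-host.pem
key     = /etc/stunnel/cyrus-host.key
; Demand and verify the Postfix host's client certificate against a private CA:
; lmtpd -a delivers whatever the tunnel hands it without authenticating, so the
; tunnel itself has to do the authentication.
CAfile      = /etc/stunnel/internal-ca.pem
verifyChain = yes
requireCert = yes
checkHost   = postfix.example.internal

; --- /etc/stunnel/lmtp-client.conf on the Postfix host (assumed path) ---
[lmtp-client]
client  = yes
accept  = 127.0.0.1:24
connect = cyrus.example.internal:2424
cert    = /etc/stunnel/postfix-host.pem
key     = /etc/stunnel/postfix-host.key
; Verify the Cyrus host's server certificate and name so mail is not handed
; to an impostor on the way out.
CAfile      = /etc/stunnel/internal-ca.pem
verifyChain = yes
checkHost   = cyrus.example.internal
```

Postfix then delivers to the local tunnel endpoint instead of the remote NIC, for example `mailbox_transport = lmtp:inet:127.0.0.1:24` in main.cf, and the host firewall on the Cyrus side only needs to admit port 2424 from the Postfix host.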