imap-daemon ignores saslauthd

Dan White dwhite at olp.net
Wed Mar 31 23:47:22 EDT 2010


On 31/03/10 22:05 -0400, Mikhail T. wrote:
>> The default configuration for the Cyrus IMAP server does not allow clear
>> text mechs (plain/login) to be used without some other form of network
>> protection in place, like TLS.
>This is a bug -- the default configuration leaves cyradm unusable. At
>the very least, running cyradm on localhost should not be a problem,
>because encrypting traffic via lo0 is kinda stupid.

This behavior probably stems from the following requirement in RFC 3501:

    Note: a server implementation MUST implement a
    configuration in which it does NOT permit any plaintext
    password mechanisms, unless either the STARTTLS command
    has been negotiated or some other mechanism that
    protects the session from password snooping has been
    provided.  Server sites SHOULD NOT use any configuration
    which permits a plaintext password mechanism without
    such a protection mechanism against password snooping.
    Client and server implementations SHOULD implement
    additional [SASL] mechanisms that do not use plaintext
    passwords, such the GSSAPI mechanism described in [SASL]
    and/or the [DIGEST-MD5] mechanism.

In a default configuration, you could authenticate via a mechanism like
DIGEST-MD5 which provides a security layer, and does not require any change
to imapd.conf. However, that is not possible with saslauthd.

In a situation where you have a trusted network connection, such as with
lo0, you can tell imapd to assume that it's trusted. In cyrus.conf, you
can add a '-p' parameter, such as:

imap            cmd="localhost:imapd -U 30 -p 256 -D" listen="imap" prefork=0 maxchild=100

which would allow you to use plaintext mechanisms under cover of a secure
channel.

-- 
Dan White
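As an added example (not part of Dan White's post and not Cyrus code), the Python script below audits a cyrus.conf SERVICES block for the trust-the-link `-p <ssf>` flag discussed above: it flags any service that claims an external security layer while bound to a non-loopback address, since that is exactly the case where plaintext SASL mechanisms would be offered over an unprotected network. It also includes a client-side check of a pre-STARTTLS CAPABILITY response against the RFC 3501 rule quoted in the post. Assumptions: `-p N` means "an external layer with SSF N already exists" as the post describes, `listen=` takes `[host:]port` or a unix-socket path, and the sample cyrus.conf is constructed for this example.

```python
"""Audit cyrus.conf service lines for the '-p <ssf>' trusted-layer flag and
check an IMAP CAPABILITY banner against the RFC 3501 plaintext rule.

Added example, not from the mailing-list post or from Cyrus. Assumed:
'-p N' on imapd asserts an external security layer of SSF N; cyrus.conf
listen="[host:]port" or a unix-socket path; the config below is constructed.
"""
import re
import shlex

# Constructed sample; the "imap" line mirrors the shape of the one in the post.
SAMPLE_CYRUS_CONF = """\
START {
  recover   cmd="ctl_cyrusdb -r"
}
SERVICES {
  # wildcard bind plus -p: plaintext auth would be offered over the wire
  imap      cmd="imapd -U 30 -p 256 -D" listen="imap" prefork=0 maxchild=100
  # loopback bind plus -p: the cyradm-on-lo0 case from the post
  imaplocal cmd="imapd -U 30 -p 256" listen="127.0.0.1:imap" prefork=0
  imaps     cmd="imapd -s" listen="imaps" prefork=0
  lmtpunix  cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0
}
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_services(conf_text):
    """Return one dict (name plus key=value options) per SERVICES line."""
    block = re.search(r"SERVICES\s*\{(.*?)\}", conf_text, re.S)
    services = []
    for line in (block.group(1) if block else "").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, *pairs = shlex.split(line)  # shlex keeps cmd="..." as one token
        svc = {"name": name}
        for pair in pairs:
            key, _, value = pair.partition("=")
            svc[key] = value
        services.append(svc)
    return services


def external_ssf(cmd):
    """SSF asserted via '-p <n>' (or '-p<n>') in a cmd= string; 0 if absent."""
    args = shlex.split(cmd)
    for i, arg in enumerate(args):
        if arg == "-p" and i + 1 < len(args):
            return int(args[i + 1])
        if arg.startswith("-p") and arg[2:].isdigit():
            return int(arg[2:])
    return 0


def listens_locally(listen):
    """True for unix sockets and loopback binds; a bare port binds every
    interface, and any other host is treated as network-reachable."""
    if listen.startswith("/"):
        return True
    host, sep, _port = listen.rpartition(":")
    if not sep:
        return False
    return host.strip("[]") in LOOPBACK_HOSTS


def audit(conf_text):
    """Names of services that assert an external SSF yet are reachable from
    the network, i.e. plaintext SASL mechs would be offered without TLS."""
    return [s["name"] for s in parse_services(conf_text)
            if external_ssf(s.get("cmd", "")) > 0
            and not listens_locally(s.get("listen", ""))]


def plaintext_offered(capability_line):
    """Client-side check of a CAPABILITY response taken before STARTTLS:
    does the server offer a plaintext password mechanism on this session?"""
    caps = set(capability_line.upper().split())
    if "LOGINDISABLED" not in caps:
        return True  # the LOGIN command itself carries a plaintext password
    return bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})


if __name__ == "__main__":
    print("services offering plaintext auth to the network:",
          audit(SAMPLE_CYRUS_CONF))
    banner = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5"
    print("plaintext offered pre-STARTTLS:", plaintext_offered(banner))
```

Run against the constructed config, `audit` reports only `imap`: it carries `-p 256` but `listen="imap"` binds every interface, whereas `imaplocal` makes the same assertion on 127.0.0.1 only, which is the post's trusted-lo0 case. The CAPABILITY check is the quickest way to confirm from the client side that a server is honouring the RFC 3501 requirement.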