timsieved not offering any auth mechanisms
Matt Bernstein
mb/cyrus at dcs.qmul.ac.uk
Sat Oct 5 19:21:56 EDT 2002
On Oct 5 Scott Russell wrote:
>Previously it was said that only PLAIN and LOGIN mechs are allowed
>based on the imapd.conf line: sasl_mech_list: plain login. But if you
>look at the imtest dump the AUTH=LOGIN AUTH=PLAIN mechs aren't shown
>until _after_ the TLS negotiation takes place. To me this indicates
>that PLAIN and LOGIN are not allowed unless they're under the TLS/SSL
>layer.
>
>I also noticed that sasl_minimum_layer: 1 was set in the imapd.conf. I
>don't recall but doesn't that exclude PLAIN and LOGIN unless they are
>under SSL/TLS?
>
>It might be interesting to see if timsieved shows a SASL line after
>TLS/SSL negotiation is done. Or try setting sasl_minimum_layer: 0 and
>see if the SASL line shows up in timsieved prior to TLS/SSL
>negotiation.
Bingo! Many thanks.
>Just some wild thoughts.
I didn't try that earlier because of the following comment:
# The minimum SSF that the server will allow a client
# to negotiate. A value of 1 requires integrity pro-
# tection; any higher value requires some amount of
# encryption.
I was misled!
I think I'd like sasl_minimum_layer to be 0 for localhost and 1 (or maybe
higher) for other hosts.
Cheers again though,
Matt
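
Added example, not part of the original thread: a small check that compares the SASL mechanisms a server advertises before and after STARTTLS, for both the IMAP CAPABILITY line and the ManageSieve "SASL" line, to tell whether PLAIN and LOGIN are hidden until TLS is up (the sasl_minimum_layer: 1 behaviour discussed above) or offered in the clear. The capability lines are constructed samples and the function names are hypothetical.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that provide no security layer themselves

# Constructed sample server output (not the imtest dump from the thread).
IMAP_PRE = "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA STARTTLS\r\n"
IMAP_POST = "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA AUTH=LOGIN AUTH=PLAIN\r\n"
SIEVE_PRE = '"IMPLEMENTATION" "example timsieved"\r\n"SASL" ""\r\n"STARTTLS"\r\nOK\r\n'
SIEVE_POST = '"IMPLEMENTATION" "example timsieved"\r\n"SASL" "PLAIN LOGIN"\r\nOK\r\n'
SIEVE_LAYER0 = '"IMPLEMENTATION" "example timsieved"\r\n"SASL" "PLAIN LOGIN"\r\n"STARTTLS"\r\nOK\r\n'

def imap_mechs(capability_text):
    """SASL mechanisms from AUTH=<mech> tokens on IMAP CAPABILITY lines."""
    mechs = set()
    for line in capability_text.splitlines():
        if "CAPABILITY" in line.upper():
            found = re.findall(r"\bAUTH=([A-Za-z0-9_-]+)", line, re.I)
            mechs.update(m.upper() for m in found)
    return mechs

def sieve_mechs(capability_text):
    """SASL mechanisms from the ManageSieve "SASL" "<list>" capability line."""
    m = re.search(r'^"SASL"\s+"([^"]*)"', capability_text, re.I | re.M)
    return set(m.group(1).upper().split()) if m else set()

def classify(pre_tls, post_tls):
    """Return (verdict, mechanisms) for the pre- and post-STARTTLS mechanism sets."""
    exposed = pre_tls & PLAINTEXT_MECHS
    if exposed:
        return "cleartext-offered", exposed      # password mechs usable without TLS
    gated = (post_tls - pre_tls) & PLAINTEXT_MECHS
    if gated:
        return "tls-gated", gated                # only appear once TLS is negotiated
    if not post_tls:
        return "none-offered", set()             # nothing even after TLS
    return "no-plaintext-mechs", set()

if __name__ == "__main__":
    print("imap :", classify(imap_mechs(IMAP_PRE), imap_mechs(IMAP_POST)))
    print("sieve:", classify(sieve_mechs(SIEVE_PRE), sieve_mechs(SIEVE_POST)))
    print("sieve, minimum layer 0:", classify(sieve_mechs(SIEVE_LAYER0), sieve_mechs(SIEVE_POST)))
```

An empty "SASL" line before STARTTLS together with a "tls-gated" verdict is the situation in this thread: the mechanisms exist, but the client has to negotiate TLS before it will see them.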