requiring encryption but not from localhost?

Scott Adkins adkinss at ohio.edu
Wed Jul 30 08:59:11 EDT 2003


--On Wednesday, July 30, 2003 1:13 PM +0100 Matt Bernstein 
<mb/cyrus at dcs.qmul.ac.uk> wrote:

> At 13:47 +0200 Sebastian Hagedorn wrote:
>
>> --On Mittwoch, 30. Juli 2003 12:21 Uhr +0100 Matt Bernstein
>> <mb/cyrus at dcs.qmul.ac.uk> wrote:
>>
>>> I forgot to say that at present we still need the use of the PLAIN
>>> mechanism. Is it possible to only accept PLAIN (and LOGIN, for that
>>> matter) after TLS or on the imaps port?
>>
>> Sure:
>>
>> allowplaintext: no
>
> Wrong.
>
>       allowplaintext: yes
>             Allow the use of the SASL PLAIN mechanism.
>
> Sorry.
> Matt

Actually, I believe you were right the first time around, with "no" being
the correct answer.  I believe setting it to "no" means that you can't
connect to the standard IMAP port and issue a plain text login without
first issuing a STARTTLS command.  Going to the IMAPS port is no issue.
This is how we have it configured on our systems and it works as desired.

Part of the question I have seen related to the topic (I haven't followed
the discussion all that closely) is two-fold:

  1) Only allow plain text logins from localhost (meaning, you can login
        on the IMAP port without using STARTTLS):

     SOLUTION:

     In /etc/imapd.conf (the default file), have allowplaintext:no in it.
     In another config file, maybe /etc/imapd-local.conf, have yes as the
     value of that parameter.  Then in your cyrus.conf file, you can call
     the services like the following:

     imap       cmd="imapd" listen="hostname:imap"
     imapp      cmd="imapd -C /etc/imapd-local.conf" listen="localhost:imap"
     imaps      cmd="imapd -s" listen="imaps"

     This is off the top of my head, so you might want to check the man
     pages to make sure I have it right.  You have to specify your machine's
     hostname in the listen parameter of "imap", since the default is to
     listen on all interfaces (including localhost), thus causing the next
     line to likely fail with a bind error.

  2) How to accept plain text logins only after SSL/TLS has been initiated.
     SOLUTION is described above with allowplaintext:no in the config file.

Scott
-- 
 +-----------------------------------------------------------------------+
      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
 +-----------------------------------------------------------------------+
     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
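The split configuration Scott sketches (a strict default imapd.conf, a permissive copy passed with `imapd -C` to a listener bound only to localhost, and a hostname-bound public listener so the two do not collide on the port) is easy to get subtly wrong. The checker below is an added example written for this archive page; it is not Scott's code or part of Cyrus. It parses constructed sample copies of the three files, works out per service whether PLAIN/LOGIN would be accepted before TLS and from where, and flags the wildcard-plus-localhost bind collision the post warns about. The file names, the hostname `mail.example.com` and the treatment of a missing `allowplaintext` as `yes` (taken from the man-page excerpt quoted earlier in the thread) are assumptions.

```python
"""Audit a Cyrus imapd.conf / cyrus.conf split for cleartext PLAIN exposure."""
import re
import shlex

# Constructed sample configuration files (not from the original post).
IMAPD_CONF = """\
# /etc/imapd.conf: strict default used by the public listeners
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
allowplaintext: no
sasl_pwcheck_method: saslauthd
"""

IMAPD_LOCAL_CONF = """\
# /etc/imapd-local.conf: permissive copy, used only by the localhost service
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
allowplaintext: yes
sasl_pwcheck_method: saslauthd
"""

CYRUS_CONF = """\
SERVICES {
  imap       cmd="imapd" listen="mail.example.com:imap"
  imapp      cmd="imapd -C /etc/imapd-local.conf" listen="localhost:imap"
  imaps      cmd="imapd -s" listen="imaps"
}
"""

# Map of config path -> contents; stands in for reading the files from disk.
CONFIG_FILES = {"/etc/imapd.conf": IMAPD_CONF, "/etc/imapd-local.conf": IMAPD_LOCAL_CONF}
TRUE_VALUES = {"1", "yes", "on", "t", "true"}


def parse_imapd_conf(text):
    """imapd.conf is one 'key: value' per line; lines starting with '#' are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def parse_services(text):
    """Return [{'name', 'cmd', 'listen'}] for each entry in the SERVICES block."""
    services, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("SERVICES"):
            in_block = True
            continue
        if in_block and stripped.startswith("}"):
            break
        if not in_block or not stripped or stripped.startswith("#") or " " not in stripped:
            continue
        name, rest = stripped.split(None, 1)
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', rest))
        services.append({"name": name, "cmd": attrs.get("cmd", ""), "listen": attrs.get("listen", "")})
    return services


def split_listen(listen):
    """'host:port' binds one address; a bare 'port' binds every interface ('*')."""
    return tuple(listen.rsplit(":", 1)) if ":" in listen else ("*", listen)


def config_for(service):
    """'imapd -C <file>' selects an alternate imapd.conf; otherwise the default applies."""
    argv = shlex.split(service["cmd"])
    return argv[argv.index("-C") + 1] if "-C" in argv else "/etc/imapd.conf"


def audit(cyrus_conf=CYRUS_CONF, files=CONFIG_FILES):
    """Per service: where it listens, and whether PLAIN/LOGIN is usable before TLS."""
    report = {}
    for svc in parse_services(cyrus_conf):
        host, port = split_listen(svc["listen"])
        opts = parse_imapd_conf(files[config_for(svc)])
        # Missing allowplaintext treated as 'yes', per the man-page excerpt in the thread.
        allows_plain = opts.get("allowplaintext", "yes").lower() in TRUE_VALUES
        tls_wrapped = "-s" in shlex.split(svc["cmd"])  # 'imapd -s' is the imaps service
        report[svc["name"]] = {
            "listen": f"{host}:{port}",
            "plaintext_before_tls": allows_plain and not tls_wrapped,
            "localhost_only": host in ("localhost", "127.0.0.1", "::1"),
        }
    return report


def bind_conflicts(cyrus_conf=CYRUS_CONF):
    """A wildcard bind plus a specific host on the same port (or the same host:port
    twice) is the bind error the post warns about. Returns (first, second, port)."""
    seen, conflicts = [], []
    for svc in parse_services(cyrus_conf):
        host, port = split_listen(svc["listen"])
        for prev_name, prev_host, prev_port in seen:
            if prev_port == port and (prev_host == host or "*" in (prev_host, host)):
                conflicts.append((prev_name, svc["name"], port))
        seen.append((svc["name"], host, port))
    return conflicts


def findings(cyrus_conf=CYRUS_CONF, files=CONFIG_FILES):
    """Cleartext PLAIN reachable from beyond localhost, plus any bind collision."""
    out = []
    for name, r in audit(cyrus_conf, files).items():
        if r["plaintext_before_tls"] and not r["localhost_only"]:
            out.append(f"{name}: accepts plaintext logins without TLS on {r['listen']}")
    for first, second, port in bind_conflicts(cyrus_conf):
        out.append(f"{first} and {second} both bind port {port}; the second will fail to start")
    return out


# Variant with the mistake the post describes: 'imap' left on all interfaces.
BAD_CYRUS_CONF = CYRUS_CONF.replace('listen="mail.example.com:imap"', 'listen="imap"')

if __name__ == "__main__":
    print("as described:", findings() or "no findings")
    print("wildcard imap listener:", findings(BAD_CYRUS_CONF))
```

Run as is, the configuration matching Scott's description produces no findings: the only service that accepts PLAIN in the clear is bound to localhost, and the public listener is bound to the hostname so it does not collide with it. Dropping the hostname from the `imap` listen line reproduces the bind collision, and flipping `allowplaintext` to `yes` in the default file turns the public listener itself into a finding.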