SSL wrapped sieve support (ala "imaps") for timsieved [LONG]
Ben Poliakoff
benp at reed.edu
Tue Jun 17 15:24:49 EDT 2003
Looks like I forgot to reply to the list on that last message....
Thanks for the reminder about the -C flag for timsieved. Using that I
can at least limit the "allowplaintext: yes" to timsieved.
So we can stumble along with this solution (and the stunnels) until we
are able to come up with a STARTTLS patch for the PHP/Pear Net_Sieve
class.
Thanks for the feedback! Much obliged.
Ben
* Rob Siemborski <rjs3 at andrew.cmu.edu> [030617 12:01]:
> On Tue, 17 Jun 2003, Ben Poliakoff wrote:
>
> > When it comes to sieve, I'd really like to be able to do the same sort
> > of thing. Right now to support a cgi/web based sieve client (like
> > websieve, easysieve, squirrelmail's sieve plugin, or Horde's Ingo -
> > none of which support STARTTLS) I need to set "allowplaintext: yes" in
> > imapd.conf. And then if I want to protect the traffic between my
> > cyrus-imap/timsieved server and my webmail server I need to run two
> > instances of stunnel:
>
> This seems to me like you're solving the problem in the wrong way. You
> should fix the clients, not force the server to support something that the
> IETF clearly thinks is a bad idea.
>
> > It's awful, but it works and I'll do it because I don't want that
> > traffic running across our network in cleartext. But of course now I
> > have clients that might start accidentally doing cleartext imap
> > connections, since that's now allowed (where it wasn't before).
>
> In 2.2 cyrus you can have per-service configuration options. In 2.1 I
> suppose you can use the -C option to imapd or sieve to cause it to read
> different imapd.confs.
>
> If you wanted to play worse games, you could have the sieve clients
> connect to a UNIX socket provided by sivtest, but I suspect this is more
> complicated than you want, especially when the solution is "make the
> clients do STARTTLS".
>
> > Obviously it would be really nice if we had a crop of web based sieve
> > clients that supported STARTTLS (and I'm investigating what it might
> > take to patch the PHP/Pear Net_Sieve class, used by Horde's Ingo, to
> > support STARTTLS).
>
> This is definitely what you want to patch, not the server. The server is
> already providing the needed functionality.
>
> -Rob
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
--
---------------------------------------------------------------------------
Ben Poliakoff email: <benp at reed.edu>
Reed College tel: (503)-788-6674
Unix System Administrator PGP key: http://www.reed.edu/~benp/key.html
---------------------------------------------------------------------------
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
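
The client-side behaviour the thread settles on ("make the clients do STARTTLS"), as an added example that is not part of the original messages and is not Net_Sieve code: a client reads the capability greeting, upgrades to TLS first, and refuses to authenticate if STARTTLS is not offered. The function names and the sample greetings are assumptions constructed for illustration.

```python
import re

# Constructed sample greetings in the ManageSieve capability format
# (quoted-string lines terminated by an OK response); not captured traffic.
GREETING_TLS = (
    '"IMPLEMENTATION" "example timsieved"\r\n'
    '"SASL" "PLAIN"\r\n'
    '"SIEVE" "fileinto reject vacation"\r\n'
    '"STARTTLS"\r\n'
    'OK\r\n'
)
GREETING_NO_TLS = GREETING_TLS.replace('"STARTTLS"\r\n', '')

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_capabilities(greeting):
    """Return {NAME: value or None} parsed from a capability greeting."""
    caps = {}
    for line in greeting.splitlines():
        # Capability lines start with a quote; a bare OK/NO/BYE ends the list.
        if line.upper().startswith(("OK", "NO", "BYE")):
            break
        parts = _QUOTED.findall(line)
        if parts:
            caps[parts[0].upper()] = parts[1] if len(parts) > 1 else None
    return caps


def plan_session(greeting, tls_active=False):
    """Pick the next client command; never authenticate in cleartext."""
    caps = parse_capabilities(greeting)
    if tls_active:
        # Capabilities must be re-read after the handshake: the list seen
        # before TLS was unprotected and cannot be trusted.
        mechs = (caps.get("SASL") or "").split()
        if not mechs:
            raise RuntimeError("no SASL mechanisms offered after TLS")
        return "AUTHENTICATE", mechs
    if "STARTTLS" in caps:
        return "STARTTLS", []
    # Missing STARTTLS: misconfigured server or a stripped capability line.
    raise RuntimeError("server did not offer STARTTLS; refusing to authenticate")
```

A client that fails closed like this lets the server keep plaintext logins disabled, which is the outcome the reply above argues for.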