SSL wrapped sieve support (ala "imaps") for timsieved [LONG]

Rob Siemborski rjs3 at
Tue Jun 17 14:50:55 EDT 2003

On Tue, 17 Jun 2003, Ben Poliakoff wrote:

> When it comes to sieve, I'd really like to be able to do the same sort
> of thing.  Right now to support a cgi/web based sieve client (like
> websieve, easysieve, squirrelmail's sieve plugin, or Horde's Ingo -
> none of which support STARTTLS) I need to set "allowplaintext: yes" in
> imapd.conf.  And then if I want to protect the traffic between my
> cyrus-imap/timsieved server and my webmail server I need to run two
> instances of stunnel:

This seems to me like you're solving the problem in the wrong way.  You
should fix the clients, not force the server to support something that the
IETF clearly thinks is a bad idea.

> It's awful, but it works and I'll do it because I don't want that
> traffic running across our network in cleartext.  But of course now I
> have clients that might start accidentally doing cleartext imap
> connections, since that's now allowed (where it wasn't before).

In 2.2 cyrus you can have per-service configuration options.  In 2.1 I
suppose you can use the -C option to imapd or sieve to cause it to read
different imapd.confs.

If you wanted to play worse games, you could have the sieve clients
connect to a UNIX socket provided by sivtest, but I suspect this is more
complicated than you want, especially when the solution is "make the
clients do STARTTLS".

> Obviously it would be really nice if we had a crop of web based sieve
> clients that supported STARTTLS (and I'm investigating what it might
> take to patch the PHP/Pear Net_Sieve class, used by Horde's Ingo, to
> support STARTTLS).

This is definitely what you want to patch, not the server.  The server is
already providing the needed functionality.


Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
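
The per-service configuration mentioned in the reply, sketched as an added example (not part of the original message and not the project's own configuration). It confines "allowplaintext: yes" to the sieve service so IMAP keeps refusing cleartext logins. The service names "imap" and "sieve" and the path /etc/imapd-sieve.conf are assumptions.

```conf
# --- cyrus.conf, SERVICES section -------------------------------------
# The name on the left of each entry ("imap", "sieve") is the service
# name. In Cyrus 2.2 it doubles as the prefix for per-service options
# in imapd.conf. Service names here are assumed for this example.
SERVICES {
  imap   cmd="imapd"      listen="imap"   prefork=0
  sieve  cmd="timsieved"  listen="sieve"  prefork=0
}

# --- imapd.conf, Cyrus 2.2 --------------------------------------------
# Weak: a global setting also allows cleartext logins over IMAP,
# which is the side effect described in the quoted message.
#allowplaintext: yes

# Narrower: keep the global default strict and relax it only for the
# service named "sieve" in cyrus.conf.
allowplaintext: no
sieve_allowplaintext: yes

# --- cyrus.conf, Cyrus 2.1 alternative --------------------------------
# No per-service options in 2.1, so point timsieved at its own config
# file with -C. /etc/imapd-sieve.conf is a hypothetical path: a copy of
# imapd.conf whose only difference is "allowplaintext: yes".
#  sieve  cmd="timsieved -C /etc/imapd-sieve.conf"  listen="sieve"  prefork=0
```

Either variant only limits which service accepts plaintext authentication. Sieve traffic from a client that does not do STARTTLS still crosses the network unencrypted unless it is tunnelled.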
