Please help with Cyrus vs MS Outlook over TLS/SSL
Ken Murchison
ken at oceana.com
Wed Nov 19 13:07:51 EST 2003
Ilya Basin wrote:
> On Wednesday 19 November 2003 20:03, Ken Murchison wrote:
>
> I'd like to disable plaintext auth altogether.
Keep in mind that there is a difference between allowing plaintext
authentication and allowing plaintext authentication mechanisms. You
can enable plaintext authentication mechanisms (SASL PLAIN, IMAP LOGIN,
POP3 USER/PASS) without allowing plaintext authentication by forcing the
client to use SSL/TLS.
In fact, some older clients use nothing but plaintext authentication
mechanisms.
> I've changed the conf as you suggested to auxprop and it started to work FINE.
> THANK YOU so much. I'm ashamed of myself.....
If you already have an auxprop plugin populated with the user secrets,
then this is the way to go.
>>Ilya Basin wrote:
>>
>>>Hi,
>>>I've spent a week trying to configure cyrus-imapd-2.1.15
>>>to work with MS Outlook 2000 over TLS/SSL.
>>>I see no way to fix it... maybe I've missed something?
>>>
>>>
>>>System:
>>>
>>>Slackware 9.1
>>>openssl-09.7c
>>>cyrus-imapd-cyrus-sasl-2.1.15
>>>cyrus-imapd-2.1.15
>>>
>>>compiled with no errors.
>>>
>>>Mozilla Messenger, PINE - checked & work fine with it over port 993
>>>MS Outlook -> (with the options [secure auth], work over SSL (port 993))
>>>gives an error "CRAM-MD5 auth failed"
>>>IMAPD.log:
>>>####################################################
>>>imapd[25702]: starttls: TLSv1 with cipher RC4-MD5(128/128 bits new) no
>>>authentication
>>>imapd[25702]: badlogin: [213.152.132.32] NTLM [SASL(-13): user not found:
>>>no secret in database]
>>
>>What kind of authentication do you want to do? Are you only going to
>>allow plaintext auth mechanisms (via saslauthd), or do you want to allow
>>shared secret mechanisms (via an auxprop plugin like sasldb, LDAP, SQL)?
>>
>>The only way you will be able to use Outlook's SPA (NTLM) is to allow
>>the user secrets to be stored in an auxprop backend, or to proxy the
>>NTLM authentication to an NT/2K server.
>>
>>My suggestion is to simply not use Outlook's SPA, since the
>>authentication is already protected by SSL. Unchecking the SPA box
>>should solve your problem.
>
>
>
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
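
Added example, not part of the original message or of Cyrus itself: a small check that applies the distinction drawn above between plaintext mechanisms and plaintext authentication to an IMAP `* CAPABILITY` response. It flags plaintext mechanisms only when the channel is not yet under SSL/TLS. The function names and the sample capability lines are constructed for illustration.

```python
# Added example: audit an untagged IMAP CAPABILITY response for plaintext exposure.
# The sample capability lines below are constructed, not captured from a real server.

# SASL mechanisms that put the password itself on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capability(line):
    """Split an untagged '* CAPABILITY ...' line into (sasl_mechs, other_flags)."""
    tokens = line.upper().split()
    if "CAPABILITY" not in tokens:
        raise ValueError("not a CAPABILITY response")
    tokens = tokens[tokens.index("CAPABILITY") + 1:]
    mechs = {t[5:] for t in tokens if t.startswith("AUTH=")}
    flags = {t for t in tokens if not t.startswith("AUTH=")}
    return mechs, flags

def audit(line, tls_active):
    """Return findings; plaintext mechanisms inside SSL/TLS are not a finding."""
    mechs, flags = parse_capability(line)
    findings = []
    if tls_active:
        return findings  # password is protected by the TLS layer
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if exposed:
        findings.append("plaintext SASL mechanisms offered without TLS: "
                        + ", ".join(exposed))
    if "LOGINDISABLED" not in flags:
        findings.append("IMAP LOGIN command not disabled before TLS")
    if "STARTTLS" not in flags:
        findings.append("STARTTLS not offered on cleartext connection")
    return findings

# Constructed samples: cleartext port with weak and strict settings, and an SSL port.
CLEARTEXT_WEAK = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5"
CLEARTEXT_STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"
OVER_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"

if __name__ == "__main__":
    for name, line, tls in [("cleartext/weak", CLEARTEXT_WEAK, False),
                            ("cleartext/strict", CLEARTEXT_STRICT, False),
                            ("port 993 (TLS)", OVER_TLS, True)]:
        print(name, "->", audit(line, tls) or "ok")
```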