Please help with Cyrus vs MS Outlook over TLS/SSL

Ken Murchison ken at oceana.com
Wed Nov 19 13:07:51 EST 2003


Ilya Basin wrote:

> On Wednesday 19 November 2003 20:03, Ken Murchison wrote:
> 
> I'd like to disable plaintext auth altogether.

Keep in mind that there is a difference between allowing plaintext 
authentication and allowing plaintext authentication mechanisms.  You 
can enable plaintext authentication mechanisms (SASL PLAIN, IMAP LOGIN, 
POP3 USER/PASS) without allowing plaintext authentication by forcing the 
client to use SSL/TLS.

In fact, some older clients use nothing but plaintext authentication 
mechanisms.

> I've changed the conf as you suggested to auxprop and it started to work FINE.
> THANK YOU so much. I'm ashamed of myself.....

If you already have an auxprop plugin populated with the user secrets, 
then this is the way to go.


>>Ilya Basin wrote:
>>
>>>Hi,
>>>I've spent a week trying to configure cyrus-imapd-2.1.15
>>>to work with MS Outlook 2000 over TLS/SSL.
>>>I see no way to fix it... maybe I've missed something?
>>>
>>>
>>>System:
>>>
>>>Slackware 9.1
>>>openssl-09.7c
>>>cyrus-imapd-cyrus-sasl-2.1.15
>>>cyrus-imapd-2.1.15
>>>
>>>compiled with no errors.
>>>
>>>Mozilla Messenger, PINE - checked & work fine with it over port 993
>>>MS Outlook -> (with the options [secure auth], work over SSL (port 993))
>>>gives an error "CRAM-MD5 auth failed"
>>>IMAPD.log:
>>>####################################################
>>>imapd[25702]: starttls: TLSv1 with cipher RC4-MD5(128/128 bits new) no
>>>authentication
>>>imapd[25702]: badlogin: [213.152.132.32] NTLM [SASL(-13): user not found:
>>>no secret in database]
>>
>>What kind of authentication do you want to do?  Are you only going to
>>allow plaintext auth mechanisms (via saslauthd), or do you want to allow
>>shared secret mechanisms (via an auxprop plugin like sasldb, LDAP, SQL)?
>>
>>The only way you will be able to use Outlook's SPA (NTLM) is to allow
>>the user secrets to be stored in an auxprop backend, or to proxy the
>>NTLM authentication to an NT/2K server.
>>
>>My suggestion is to simply not use Outlook's SPA, since the
>>authentication is already protected by SSL.  Unchecking the SPA box
>>should solve your problem.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
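
A check for the distinction drawn in the message above, added as an example that is not part of the original post: it reads an IMAP CAPABILITY advertisement and reports plaintext mechanisms only when the channel is not protected by TLS. The function names and the sample capability lines are constructed for illustration; the capability atoms themselves (STARTTLS, LOGINDISABLED, AUTH=...) are the standard IMAP ones.

```python
# Added example: audit IMAP CAPABILITY lines for plaintext credential exposure.
# Sample advertisements below are constructed, not taken from the thread's server.

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # the password itself crosses the wire
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}  # server must know a secret


def parse_capability(line):
    """Split '* CAPABILITY ...' into (set of atoms, set of SASL mechanisms)."""
    tokens = line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    atoms = {t.upper() for t in tokens}
    mechs = {a[5:] for a in atoms if a.startswith("AUTH=")}
    return atoms, mechs


def audit(line, tls_active):
    """Return a list of findings for one capability advertisement."""
    atoms, mechs = parse_capability(line)
    findings = []
    if not tls_active:
        # Plaintext mechanisms are only a problem when the channel is cleartext.
        for m in sorted(mechs & PLAINTEXT_MECHS):
            findings.append(f"AUTH={m} offered without TLS")
        if "LOGINDISABLED" not in atoms:
            findings.append("IMAP LOGIN permitted without TLS")
        if "STARTTLS" not in atoms:
            findings.append("no STARTTLS upgrade offered")
    # Shared-secret mechanisms fail with 'no secret in database' unless a
    # backend such as auxprop holds the user secrets (the thread also mentions
    # proxying NTLM to an NT/2K server), so list them for review.
    for m in sorted(mechs & SHARED_SECRET_MECHS):
        findings.append(f"AUTH={m} needs a shared-secret backend")
    return findings


CLEAR_WEAK = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=NTLM"    # constructed
CLEAR_GOOD = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"  # constructed
TLS_PLAIN = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"               # constructed

if __name__ == "__main__":
    for label, line, tls in [("cleartext/weak", CLEAR_WEAK, False),
                             ("cleartext/good", CLEAR_GOOD, False),
                             ("inside TLS", TLS_PLAIN, True)]:
        print(label, audit(line, tls) or "ok")
```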





More information about the Info-cyrus mailing list