STARTTLS Question

Daniel Whelan merlin at ophelan.com
Tue Oct 7 18:25:08 EDT 2003


I'll go ahead and answer my own question, as I evidently haven't been 
paying as much attention to the mailing list as I should have lately and 
found my solution buried back a couple months. On 30 July 2003 Matt 
Bernstein started a thread entitled "requiring encryption but not from 
localhost?", where Scott Adkins proposed a solution. I implemented 
something more or less like he proposed, and it worked. Specifically, I 
created a second imapd.conf (imapd-local.conf) and configured it with 
allowplaintext: yes. Then, I edited my cyrus.conf to look like the 
following:

imaplocal   cmd="imapd -U 30 -C /etc/imapd-local.conf" listen="localhost:imaplocal" prefork=0 maxchild=100
imap        cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
imaps       cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100

I couldn't get imaplocal to listen on localhost on the imap port, so I defined 
an "imaplocal" port in /etc/services as port 144, and pointed webmail at 
that. All is well now... webmail from localhost gets plaintext, and everyone 
else gets IMAPS or IMAP/STARTTLS.

Now I just need to finish documenting every mail client known to man... 
(Mozilla, Outlook, Eudora, Mac Mail, Mulberry, mutt, pine, etc).

Daniel

> This wasn't actually my original question, but if I set allowplaintext to
> no, my webmail no longer is able to connect (as it wants an unencrypted
> connection). So, I'll ask a more complicated question:
>
> Can I selectively allow 127.0.0.1 to connect plaintext? Alternately, can
> I allow port X to be plaintext (and limited via tcpwrappers) and have
> port Y be no plaintext? Hopefully I'm not being too confusing.
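The setup above rests on one invariant: any imapd instance started with a config that allows plaintext must be bound to a loopback address only, and every instance reachable from the network must run with allowplaintext: no (or be an imaps instance). The following is an added example, not code from the post or from the Cyrus project: a small hypothetical audit script that parses cyrus.conf service lines, follows each service's -C argument to its imapd.conf, and flags any plaintext-capable service whose listen= value is not loopback. The sample cyrus.conf and imapd.conf contents are constructed inline (the "imapbad" service is a deliberately broken entry added to show a finding), and the treatment of a missing allowplaintext setting as "yes" is a conservative assumption, since older Cyrus releases defaulted to allowing plaintext.

```python
"""Hypothetical audit of a Cyrus cyrus.conf for plaintext-capable listeners.

Not part of Cyrus. It checks that every service whose imapd.conf allows
plaintext (allowplaintext: yes) listens on a loopback address only.
"""
import shlex

# Constructed sample cyrus.conf mirroring the layout in the post, plus one
# deliberately misconfigured service ("imapbad") that exposes the
# plaintext-capable config on all interfaces.
CYRUS_CONF = """\
SERVICES {
  imaplocal   cmd="imapd -U 30 -C /etc/imapd-local.conf" listen="localhost:imaplocal" prefork=0 maxchild=100
  imap        cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
  imaps       cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
  # misconfiguration: plaintext config bound to a bare port (all interfaces)
  imapbad     cmd="imapd -U 30 -C /etc/imapd-local.conf" listen="144" prefork=0 maxchild=100
}
"""

# Constructed imapd.conf contents, keyed by path as referenced from cyrus.conf.
IMAPD_CONFS = {
    "/etc/imapd.conf": "configdirectory: /var/lib/imap\nallowplaintext: no\n",
    "/etc/imapd-local.conf": "configdirectory: /var/lib/imap\nallowplaintext: yes\n",
}

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_services(text):
    """Return {service_name: {option: value}} for every cyrus.conf line carrying cmd=."""
    services = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "cmd=" not in line:
            continue
        name, _, rest = line.partition(" ")
        # shlex handles the quoted cmd="..." value; tokens become key=value pairs.
        services[name] = dict(tok.partition("=")[::2] for tok in shlex.split(rest))
    return services


def config_file_for(cmd):
    """Cyrus daemons take -C <file> for an alternate imapd.conf; default otherwise."""
    argv = shlex.split(cmd)
    for i, arg in enumerate(argv):
        if arg == "-C" and i + 1 < len(argv):
            return argv[i + 1]
    return "/etc/imapd.conf"


def allows_plaintext(conf_text, default=True):
    """Read allowplaintext from imapd.conf text.

    Assumption: a missing setting is treated as 'yes' (conservative; older
    Cyrus releases defaulted to allowing plaintext).
    """
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "allowplaintext":
            return value.strip().lower() in ("yes", "1", "on", "true", "t")
    return default


def listen_host(listen):
    """Extract the host from listen="[host:]port"; '' means all interfaces."""
    if listen.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:143
        return listen[1:listen.index("]")]
    host, sep, _port = listen.rpartition(":")
    return host if sep else ""


def audit(cyrus_conf, imapd_confs):
    """Return [(service, reason)] for plaintext-capable services not bound to loopback."""
    findings = []
    for name, opts in parse_services(cyrus_conf).items():
        if "listen" not in opts:
            continue  # unix-socket or non-network service
        cmd = opts.get("cmd", "")
        if "-s" in shlex.split(cmd):
            continue  # implicit TLS (imaps): allowplaintext never applies on the wire
        conf = config_file_for(cmd)
        if not allows_plaintext(imapd_confs.get(conf, "")):
            continue
        host = listen_host(opts["listen"])
        if host not in LOOPBACK:
            where = host or "all interfaces"
            findings.append((name, f"{conf} allows plaintext but service listens on {where} ({opts['listen']})"))
    return findings


if __name__ == "__main__":
    for service, reason in audit(CYRUS_CONF, IMAPD_CONFS):
        print(f"FAIL {service}: {reason}")
```

Run against the sample, only "imapbad" is reported; the post's own three services pass. Binding the plaintext listener to loopback keeps credentials off the network, but it does not protect them from other processes or users on the same host: anything that can reach 127.0.0.1:144 can log in with a cleartext password, so the box running webmail should be treated as part of the trust boundary.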
