Forcing users to IMAPS?
list at joreybump.com
Wed Dec 14 18:13:58 EST 2005
Jeff Davis wrote:
> I'm in the process of getting a new server up and running and would like
> to force users to IMAPS, even if their client may not be configured to
> use it.
> Can anyone point me in the right direction as to the best way to
> accomplish this? Or do I need to suck it up and reconfigure the 1000
> clients I already have :(
I expose only IMAPS to the Internet, so users must use port 993 in order
to retrieve mail. I keep a normal IMAP connection available on localhost
for cyradm (I use saslauthd -a shadow for authentication). My cyrus.conf
contains these lines in the SERVICES section:
  imap   cmd="imapd" listen="localhost:imap" prefork=0
  imaps  cmd="imapd -s" listen="imaps" prefork=0
  pop3s  cmd="pop3d -s" listen="pop3s" prefork=0
Even though cyrus supports STARTTLS on port 143, few clients do,
including cyradm. You do have the option of enforcing encrypted logins with:
How this works for you depends on the SASL mechanisms you use.
If you're allowing unencrypted plaintext logins already, you will
probably have to reconfigure clients, no matter what. IMAPS is a good
choice because it encrypts everything, not just the login, and is widely
supported (to the point where clients like Thunderbird automatically
change the port to 993 when the user selects SSL).
Keep in mind that if you use plaintext logins and IMAPS, nothing will
stop the user from repeatedly sending a password in the clear to port
143, whether it's available or not. That's a good reason to
shut it off, so they have to fix the problem in order to read mail.
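
Added example, not part of the original post: a small Python audit of a cyrus.conf SERVICES block that reports any imapd or pop3d listener started without -s on a non-loopback address, which is the exposure the reply above avoids by binding plain IMAP to localhost. The sample text, the extra pop3 entry and all function names are constructed for illustration; the check looks only at -s and listen= and does not evaluate STARTTLS or SASL settings.

```python
import re
import shlex

# Constructed sample: the three entries from the post plus one
# deliberately exposed cleartext listener (pop3) for contrast.
SAMPLE = """
SERVICES {
  imap   cmd="imapd" listen="localhost:imap" prefork=0
  imaps  cmd="imapd -s" listen="imaps" prefork=0
  pop3s  cmd="pop3d -s" listen="pop3s" prefork=0
  pop3   cmd="pop3d" listen="pop3" prefork=0   # constructed bad entry
}
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
MAIL_DAEMONS = {"imapd", "pop3d"}

def parse_services(text):
    """Yield (name, options) for each entry in the SERVICES block."""
    block = re.search(r"SERVICES\s*\{(.*?)\}", text, re.S)
    for raw in (block.group(1).splitlines() if block else []):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, *pairs = shlex.split(line)      # shlex honours the quoted cmd="..."
        yield name, dict(p.split("=", 1) for p in pairs if "=" in p)

def listen_host(listen):
    """Bind host of a listen= value: '' means all interfaces,
    None means a UNIX socket path (not reachable over the network)."""
    if listen.startswith("/"):
        return None
    if ":" not in listen:
        return ""
    return listen.rsplit(":", 1)[0].strip("[]")  # [::1]:imap -> ::1

def exposed_cleartext(text):
    """Names of imapd/pop3d services without -s on a non-loopback address."""
    findings = []
    for name, opts in parse_services(text):
        argv = opts.get("cmd", "").split()
        daemon = argv[0].rsplit("/", 1)[-1] if argv else ""
        if daemon not in MAIL_DAEMONS or "-s" in argv[1:]:
            continue
        host = listen_host(opts.get("listen", ""))
        if host is not None and host not in LOOPBACK:
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(exposed_cleartext(SAMPLE))
```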