Forcing users to IMAPS?

Jorey Bump list at joreybump.com
Wed Dec 14 18:13:58 EST 2005


Jeff Davis wrote:
> I'm in the process of getting a new server up and running and would like 
> to force users to IMAPS, even if their client may not be configured to 
> use it.
> 
> Can anyone point me in the right direction as to the best way to 
> accomplish this?  Or do I need to suck it up and reconfigure the 1000 
> clients I already have :(

I expose only IMAPS to the Internet, so users must use port 993 in order 
to retrieve mail. I keep a normal IMAP connection available on localhost 
for cyradm (I use saslauthd -a shadow for authentication). My cyrus.conf 
contains these lines in the SERVICES section:

   imap          cmd="imapd" listen="localhost:imap" prefork=0
   imaps         cmd="imapd -s" listen="imaps" prefork=0
   pop3s         cmd="pop3d -s" listen="pop3s" prefork=0

Even though cyrus supports STARTTLS on port 143, few clients do, 
including cyradm. You do have the option of enforcing encrypted logins with:

  allowplaintext: no

How this works for you depends on the SASL mechanisms you use.

If you're allowing unencrypted plaintext logins already, you will 
probably have to reconfigure clients, no matter what. IMAPS is a good 
choice because it encrypts everything, not just the login, and is widely 
supported (to the point where clients like Thunderbird automatically 
change the port to 993 when the user selects SSL).

Keep in mind that if you use plaintext logins and IMAPS, nothing will 
stop the user from repeatedly sending a password in the clear to port 
143, whether it's available or not. That's a good reason to shut it 
off, so they have to fix the problem in order to read mail.
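
An added example, not part of the original post: a small audit of the layout described above, flagging any imapd/pop3d service in cyrus.conf that runs without -s and listens beyond loopback, and reporting the allowplaintext value from imapd.conf. The sample configuration text (including the extra pop3 line) is constructed, and the function names are hypothetical.

```python
import re
import shlex

# Constructed input: the three SERVICES lines from the post plus one
# deliberately exposed cleartext listener (pop3) for contrast.
SAMPLE_CYRUS_CONF = """
SERVICES {
  imap          cmd="imapd" listen="localhost:imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
}
"""
SAMPLE_IMAPD_CONF = "sasl_pwcheck_method: saslauthd\nallowplaintext: no\n"  # constructed

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}
OPTION = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def exposed_cleartext_services(conf_text):
    """Names of imapd/pop3d services without -s that listen beyond loopback."""
    findings, in_services = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("SERVICES"):
            in_services = True
        elif in_services and line.startswith("}"):
            break
        elif in_services and line:
            name = line.split()[0]
            opts = {k: q or b for k, q, b in OPTION.findall(line)}
            argv = shlex.split(opts.get("cmd", ""))
            if not argv or argv[0].rsplit("/", 1)[-1] not in ("imapd", "pop3d"):
                continue  # lmtpd, sieve, etc. are out of scope here
            host = opts.get("listen", "").rpartition(":")[0]  # "" means all interfaces
            if "-s" not in argv[1:] and host not in LOOPBACK:
                findings.append(name)
    return findings

def allowplaintext_setting(imapd_conf_text):
    """Value of allowplaintext in imapd.conf, or None if it is not set."""
    m = re.search(r"^\s*allowplaintext\s*:\s*(\S+)", imapd_conf_text, re.M | re.I)
    return m.group(1).lower() if m else None

if __name__ == "__main__":
    print("cleartext beyond loopback:", exposed_cleartext_services(SAMPLE_CYRUS_CONF))
    print("allowplaintext:", allowplaintext_setting(SAMPLE_IMAPD_CONF))
```

A flagged service may still offer STARTTLS; the check only reports that a client is able to connect to it from off-host without a TLS wrapper.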





More information about the Info-cyrus mailing list