Not sure about security?

Simon Matter simon.matter at
Fri Jan 14 02:08:15 EST 2005

> I'm not quite sure if I understand.  I'm using FC3 and
> this is my config file:
> imap.conf
> ******************************************************
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus root
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> tls_cert_file: /foo/bar.pem
> tls_key_file: /foo/bar.pem
> tls_ca_file: /foo/bar.crt
> allowanonymouslogin: no
> ******************************************************
> So, is this secure or not?  When a user logs in, it is
> through SSL?  Right?  That means the login and
> password are encrypted, and even though the password
> is plain, it's still unreadable by someone with a
> network sniffer because it's encrypted.  Right?  Wrong?

Whether you have configured SSL/TLS we can't see in imapd.conf; it's in
cyrus.conf. Usually it's possible to connect cleartext and SSL/TLS, you
could also prevent people from doing it by different means.
Anyway, if someone connects with SSL/TLS, the password IS secure as well
as the payload. What people usually forget is that with a secure password
mech, only the password is protected, not the payload transferred over the
wire. Which means if you have important mails, you always want SSL/TLS and
then you can use PLAIN passwords without any problem.
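
The reply above makes two checkable claims: that the cleartext listener may still accept a PLAIN password before STARTTLS, and that a digest-style mechanism protects only the password while the mail itself still goes over the wire in the clear. The script below is an added example written for this page; it is not code from the mailing-list post or from the Cyrus project. It parses the server's CAPABILITY announcement (the `* CAPABILITY ...` response or the `* OK [CAPABILITY ...]` greeting), reports whether a password or the mailbox contents could travel unencrypted, and includes a `probe()` helper that does the same against a live host, reading the capabilities again after the STARTTLS upgrade. The three sample responses are constructed for illustration, not captured from any real server.

```python
import imaplib
import ssl
from dataclasses import dataclass

# SASL mechanisms that put the password itself on the wire unprotected.
PLAINTEXT_MECHS = frozenset({"PLAIN", "LOGIN"})


@dataclass(frozen=True)
class CapabilityReport:
    """What the server advertises at one point in the session (before or after STARTTLS)."""
    starttls: bool        # server offers STARTTLS on this connection
    logindisabled: bool   # bare LOGIN command refused (RFC 2595 LOGINDISABLED)
    mechs: frozenset      # SASL mechanisms taken from AUTH=... tokens

    @property
    def cleartext_password_possible(self) -> bool:
        # The password can cross the wire unencrypted if the bare LOGIN command
        # is still accepted, or if a plaintext SASL mechanism is offered.
        return (not self.logindisabled) or bool(self.mechs & PLAINTEXT_MECHS)


def report_from_caps(tokens) -> CapabilityReport:
    """Build a report from capability tokens (imaplib hands them over upper-cased)."""
    caps = {(t.decode() if isinstance(t, bytes) else t).upper() for t in tokens}
    mechs = frozenset(c.split("=", 1)[1] for c in caps if c.startswith("AUTH="))
    return CapabilityReport("STARTTLS" in caps, "LOGINDISABLED" in caps, mechs)


def parse_capability(line: str) -> CapabilityReport:
    """Parse an untagged '* CAPABILITY ...' line or a '* OK [CAPABILITY ...]' greeting."""
    upper = line.upper()
    if "[CAPABILITY" in upper:
        start = upper.index("[CAPABILITY") + len("[CAPABILITY")
        body = line[start:line.index("]", start)]
    else:
        body = upper.split("CAPABILITY", 1)[1]
    return report_from_caps(body.split())


def exposure(before: CapabilityReport) -> str:
    """What a client leaks if it authenticates on this connection without STARTTLS first."""
    if before.cleartext_password_possible:
        return "password and mail in clear"
    if before.mechs:
        # e.g. DIGEST-MD5 / CRAM-MD5: the secret is protected, the mailbox is not
        return "password protected by SASL mechanism, mail in clear"
    return "no cleartext authentication offered"


def probe(host: str, port: int = 143):
    """Live check against a real host (network access; not exercised by the samples below)."""
    conn = imaplib.IMAP4(host, port)
    before = report_from_caps(conn.capabilities)
    after = None
    if before.starttls:
        conn.starttls(ssl.create_default_context())
        after = report_from_caps(conn.capabilities)  # imaplib re-reads CAPABILITY after the upgrade
    conn.logout()
    return before, after


# Constructed sample responses (illustration only, not captured from any server).
SAMPLE_OPEN = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"
SAMPLE_LOCKED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5] ready"
SAMPLE_TLS_ONLY = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_LOCKED, SAMPLE_TLS_ONLY):
        print(sample)
        print("  ->", exposure(parse_capability(sample)))
```

Run `probe("imap.example.org")` (hostname is yours to supply) against the cleartext port: if the report taken before STARTTLS shows `cleartext_password_possible`, a client that skips the upgrade can hand over its password in the clear regardless of what the TLS listener supports. The second sample shows the point made in the reply: with only DIGEST-MD5/CRAM-MD5 offered the password is protected, but `exposure()` still reports the mail in clear, because nothing other than TLS protects the payload.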


More information about the Info-cyrus mailing list