Not sure about security?

Simon Matter simon.matter at ch.sauter-bc.com
Fri Jan 14 02:08:15 EST 2005


> I'm not quite sure if I understand.  I'm using FC3 and
> this is my config file:
>
> imap.conf
> ******************************************************
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus root
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> tls_cert_file: /foo/bar.pem
> tls_key_file: /foo/bar.pem
> tls_ca_file: /foo/bar.crt
> allowanonymouslogin: no
> ******************************************************
>
> So, is this secure or not?  When a user logs in, it is
> through SSL?  Right?  That means the login and
> password are encrypted, and even though the password
> is plain, it's still unreadable by someone with a
> network sniffer because it's encrypted.  Right?  Wrong?

Whether you have configured SSL/TLS we can't see in imapd.conf; it's in
cyrus.conf. Usually it's possible to connect cleartext and SSL/TLS, you
could also prevent people from doing it by different means.
Anyway, if someone connects with SSL/TLS, the password IS secure as well
as the payload. What people usually forget is that with a secure password
mech, only the password is protected, not the payload transferred over the
wire. Which means if you have important mails, you always want SSL/TLS and
then you can use PLAIN passwords without any problem.

HTH
Simon
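As an added illustration (not the poster's config and not Simon's), here is how the two files fit together on a Cyrus 2.x server: the listeners are declared in cyrus.conf, and imapd.conf's `allowplaintext` decides whether PLAIN may be offered before the session is encrypted. The lmtp socket path and prefork counts are assumptions; the tls_* paths are copied from the original post.

```conf
# ---- cyrus.conf (added example, SERVICES section only) ----
# "imap" on port 143 starts in cleartext and can be upgraded with STARTTLS;
# "imaps" on port 993 is TLS from the first byte (imapd -s).
SERVICES {
  imap      cmd="imapd"    listen="imap"   prefork=5
  imaps     cmd="imapd -s" listen="imaps"  prefork=1
  lmtpunix  cmd="lmtpd"    listen="/var/lib/imap/socket/lmtp" prefork=1
}

# ---- imapd.conf (added example: the poster's auth/TLS lines plus one) ----
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /foo/bar.pem
tls_key_file: /foo/bar.pem
tls_ca_file: /foo/bar.crt
allowanonymouslogin: no
# Weak (the 2.x default): PLAIN is advertised on the cleartext port 143, so a
# client that never issues STARTTLS sends the password readably.
#allowplaintext: yes
# Hardened: on an unencrypted session imapd advertises LOGINDISABLED and
# withholds AUTH=PLAIN; PLAIN only appears after STARTTLS or on port 993.
allowplaintext: no
```

A quick way to confirm the setting took effect is to look at the CAPABILITY banner on port 143: with `allowplaintext: no` it lists STARTTLS and LOGINDISABLED but no AUTH=PLAIN, which only shows up after the TLS handshake.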


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html