imapd.conf parameter: sasl_minimum_layer not working as advertised

Kevin cyrus at
Tue Nov 8 08:13:44 EST 2005

Hi Folks-

I'm using Cyrus IMAPd v2.2.12.

I'd like to allow clients to authenticate using the plaintext mechanism,
but only if those connections are secured with TLS.  Is there a way to
do so?

I have the following settings in imapd.conf:

sasl_minimum_layer:     56
allowplaintext:         yes

But I can still connect to the server with unencrypted connections and
do plaintext authentication.

According to man imapd.conf:

sasl_minimum_layer: 0
 The  minimum  SSF  that the server will allow a client to negotiate.  A
 value of 1 requires integrity protection; any higher value requires
 some  amount  of  encryption.

Before using the sasl_minimum_layer parameter at all, the server was
allowing plaintext logins that were encrypted with TLS and those that
were not.  I figured that by setting this parameter to 2, I would
accomplish my goal of allowing plaintext logins but only if encrypted
with TLS and denying unencrypted plaintext logins.  When the setting of
2 failed, I tried 56, but it too allows unencrypted plaintext

Is this a bug or am I missing something?



More information about the Info-cyrus mailing list