imapd.conf parameter: sasl_minimum_layer not working as advertised

Ken Murchison murch at
Tue Nov 8 09:03:51 EST 2005

Kevin wrote:
> Hi Folks-
> I'm using Cyrus IMAPd v2.2.12.
> I'd like to allow clients to authenticate using the plaintext mechanism,
> but only if those connections are secured with TLS.  Is there a way to
> do so?
> I have the following settings in imapd.conf:
> sasl_minimum_layer:     56
> allowplaintext:         yes
> But I can still connect to the server with unencrypted connections and
> do plaintext authentication.
> According to man imapd.conf:
> sasl_minimum_layer: 0
>  The  minimum  SSF  that the server will allow a client to negotiate.  A
>  value of 1 requires integrity protection; any higher value requires
>  some  amount  of  encryption.
> Before using the sasl_minimum_layer parameter at all, the server was
> allowing plaintext logins that were encrypted with TLS and those that
> were not.  I figured that by setting this parameter to 2, I would
> accomplish my goal of allowing plaintext logins but only if encrypted
> with TLS and denying unencrypted plaintext logins.  When the setting of
> 2 failed, I tried 56, but it too allows unencrypted plaintext
> authentication.
> Is this a bug or am I missing something?

What you want is:

allowplaintext: no

Kenneth Murchison
Systems Programmer
Carnegie Mellon University

More information about the Info-cyrus mailing list