cyradm & allowplaintext: no

Ken Murchison murch at andrew.cmu.edu
Wed Nov 16 21:33:23 EST 2005


Jorey Bump wrote:
> I'm trying to harden cyrus-imapd by disallowing unencrypted plaintext 
> logins. Here is my imapd.conf:
> 
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> # admins should not receive mail
> admins: cyrus
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN LOGIN
> tls_cert_file: /etc/ssl/certs/imapd.pem
> tls_key_file: /etc/ssl/certs/imapd.pem
> # don't allow plaintext logins without STARTTLS or encryption
> allowplaintext: no
> 
> This works as expected, but now I can't log in with the command line cyradm:
> 
> cyradm -u cyrus example.com
> IMAP Password:
>               Login only available under a layer at 
> /usr/local/lib/perl5/site_perl/5.8.7/i686-linux/Cyrus/IMAP/Admin.pm line 
> 118
> cyradm: cannot authenticate to server with  as cyrus
> 
> When I change allowplaintext to yes, it works again. I don't want to 
> allow users to send their passwords in the clear, but I want to 
> administer cyrus from the command line. Is there a way to do this?

cyradm doesn't support STARTTLS yet, so you'll have to allow a 
non-plaintext SASL mech, or run a separate instance of imapd which 
listens only on localhost and uses its own imapd.conf.localhost which 
allows plaintext.


-- 
Kenneth Murchison
Systems Programmer
Carnegie Mellon University


