cyradm & allowplaintext: no

Ken Murchison murch at
Wed Nov 16 21:33:23 EST 2005

Jorey Bump wrote:
> I'm trying to harden cyrus-imapd by disallowing unencrypted plaintext 
> logins. Here is my imapd.conf:
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> # admins should not receive mail
> admins: cyrus
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN LOGIN
> tls_cert_file: /etc/ssl/certs/imapd.pem
> tls_key_file: /etc/ssl/certs/imapd.pem
> # don't allow plaintext logins without STARTTLS or encryption
> allowplaintext: no
> This works as expected, but now I can't login with the command line cyradm:
> cyradm -u cyrus
> IMAP Password:
>               Login only available under a layer at 
> /usr/local/lib/perl5/site_perl/5.8.7/i686-linux/Cyrus/IMAP/ line 
> 118
> cyradm: cannot authenticate to server with  as cyrus
> When I change allowplaintext to yes, it works again. I don't want to 
> allow users to send their passwords in the clear, but I want to 
> administer cyrus from the command line. Is there a way to do this?

cyradm doesn't support STARTTLS yet, so you'll have to allow a 
non-plaintext SASL mech, or run a separate instance of imapd which 
listens only on localhost and uses its own imapd.conf.localhost which 
allows plaintext.

Kenneth Murchison
Systems Programmer
Carnegie Mellon University

More information about the Info-cyrus mailing list