cyradm & allowplaintext: no

Jorey Bump list at
Wed Nov 16 21:59:30 EST 2005

Ken Murchison wrote:
> Jorey Bump wrote:
>> I'm trying to harden cyrus-imapd by disallowing unencrypted plaintext 
>> logins. Here is my imapd.conf:
>> configdirectory: /var/imap
>> partition-default: /var/spool/imap
>> # admins should not receive mail
>> admins: cyrus
>> sasl_pwcheck_method: saslauthd
>> sasl_mech_list: PLAIN LOGIN
>> tls_cert_file: /etc/ssl/certs/imapd.pem
>> tls_key_file: /etc/ssl/certs/imapd.pem
>> # don't allow plaintext logins without STARTTLS or encryption
>> allowplaintext: no
>> This works as expected, but now I can't login with the command line 
>> cyradm:
>> cyradm -u cyrus
>> IMAP Password:
>>               Login only available under a layer at 
>> /usr/local/lib/perl5/site_perl/5.8.7/i686-linux/Cyrus/IMAP/ 
>> line 118
>> cyradm: cannot authenticate to server with  as cyrus
>> When I change allowplaintext to yes, it works again. I don't want to 
>> allow users to send their passwords in the clear, but I want to 
>> administer cyrus from the command line. Is there a way to do this?
> cyradm doesn't support STARTTLS yet, so you'll have to allow a 
> non-plaintext SASL mech, or run a separate instance of imapd which 
> listens only on localhost and uses its own imapd.conf.localhost which 
> allows plaintext.

Thanks, Ken. Not many email clients support STARTTLS on port 143, 
either, so I'll continue to restrict my users to port 993 (imaps). I've 
edited cyrus.conf to bind port 143 to localhost so I can use PLAIN with 

   imap          cmd="imapd" listen="localhost:imap" prefork=0
   imaps         cmd="imapd -s" listen="imaps" prefork=0

Hopefully cyradm will support STARTTLS when it becomes more popular. 
Non-plaintext mechanisms are nice, but I want to encrypt the entire 
transfer, not just the password.

More information about the Info-cyrus mailing list