how are 'sasl_minimum_layer' & TLS related/dependent?

Cristian Mitrana cristian.mitrana at online.ie
Sun Oct 9 03:57:17 EDT 2005


* OpenMacNews <openmacnews at speakeasy.net> [09-10-05 08:34]:
 
> hi all,
> 
> i'm connecting to my cyrus-imap 2.2.12-cvs server on OSX 10.4.2 with a Thunderbird v107 client.
> i've configured for TLS use, with imapd.conf including:
> 
> 	sasl_minimum_layer:     128
> 	sasl_mech_list:         PLAIN
> 	allowplaintext:         no
> 
> i can login successfully, & my TBird protocol log shows TLS 'protection':
> 
> 	40102400[5160f90]: 2330600:mail.testdomain.com:NA:CreateNewLineFromSocket: 1 OK Success (tls protection)
> 
> per a long-ago post:
> 
> 	Re: is TLS/SSL selection/connection ONLY via port 993?
> 	http://www.irbs.net/internet/info-cyrus/0411/0216.html
> 	from: Henrique de Moraes Holschuh
> 
> my understanding was that 'sasl_minimum_layer' >= 64 (128?) was *REQUIRED* for TLS protection ...

 it should be required from the client's point of view and not from the
server. But sasl_minimum_layer is set up to > 64 even without encryption,
just with integrity protection (e.g. DIGEST-MD5 without TLS yields an ssf
of 128).
 here is a snippet of an imtest session:

S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
[..]
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 128
x logout
* BYE LOGOUT received
x OK Completed
 
 if I set sasl_minimum_layer to 128 then I cannot login with cram-md5 (without
 SSL/TLS), here is the cyrus log:

badlogin: host [10.1.0.3] PLAIN [SASL(-4): no mechanism available: mech CRAM-MD5 is too weak]

and the imtest response was:
[...]
S: C01 OK Completed
C: A01 AUTHENTICATE CRAM-MD5
S: A01 NO mechanism too weak for this user
Authentication failed. generic failure
Security strength factor: 0

But with SSL involved this works:
[..]
S: C01 OK Completed
C: A01 AUTHENTICATE CRAM-MD5
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256

> 
> BUT, my config _seems_ to be insensitive to it.
> 
> if i change my imapd.conf entry to:
> 
> 	sasl_minimum_layer:     0
> 
> i would have expected the connect to fail, but i *still* get TLS enabled:
> 
> 	38991872[53b89c0]: 26a2c00:mail.testdomain.com:NA:CreateNewLineFromSocket: 1 OK Success (tls protection)

 Obviously, if you have not modified the client's settings and you were
getting TLS protection, this was not going to fail.

> ### QUESTION: ###
> what *is* the relationship/dependency of sasl_minimum_layer & TLS?
> 

TLS increases the SSF (security strength factor) and sasl_minimum_layer
enforces a minimum SSF. See man imapd.conf for reference. Please note that
using an authentication mech that provides integrity (such as DIGEST-MD5 or
GSSAPI) increases the SSF also (see my example on DIGEST-MD5 without SSL/TLS).
 
> one 'suspect' ... to connect via TLS, TBird *requires* the following setup:
> 
> 	Account Settings>(this account)>Server Settings
> 		Server Type: IMAP Mail Server
> 		Server Name: {mail.testdomain.com}
> 		Port: {993} Default: 993
> 
> 		[x] Use secure connection (SSL)
> 		[ ] Use secure authentication
> 
> that "Use secure connection (SSL)" *must* be checked ...
> 
> per that earlier referenced post:
> 
> 	"imapd -s is for IMAP connections that are externally wrapped by SSL (bad).
> 	imapd is for non-encrypted IMAP connections, and IMAP connections that use
> 	TLS (good)."
> 
> is there, perhaps, an 'issue' with the port993 use defaulting to some minimum_layer strength
> despite my imapd.conf setting?

 Traditionally port 993 is for imaps (that is, IMAP/SSL), in which the client
connects 'directly' over an SSL connection and negotiates encryption;
it's not like TLS/STARTTLS, in which the client starts the connection in
plain text and chooses whether to use TLS (and issues a STARTTLS command) or not.

 I suspect TB uses IMAPS and always negotiates SSL before attempting to
 issue any IMAP commands and before even authenticating.

 Try imtest, it always shows you SSF, and try to configure TB on port 143
to see if it uses STARTTLS to encrypt the connection.

> confused here ... any insight would be much appreciated!
> 
> thx!
> 

 Try man imapd.conf for the sasl_minimum|maximum_ssf and play around with
imtest ( hint: use -t '' for SSL/TLS ) to see how sasl_minimum_layer is
enforced by cyrus.
 
hth,

mitu
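The following is an added illustration, appended after the message above; it is not part of the original post and not code from Cyrus IMAP or Cyrus SASL. It is a simplified model of the rule the reply describes: the TLS cipher strength counts as an "external" SSF, only the remainder of sasl_minimum_layer has to come from the mechanism's own layer, and a plaintext mechanism that `allowplaintext: no` would refuse is acceptable once TLS is in place. The per-mechanism maximum SSF values and the helper names (`mech_permitted`, `advertised_mechs`, `authenticate`) are assumptions made for this example, and the `client_max_ssf` parameter stands in for the client-side maximum that decides which DIGEST-MD5 layer gets negotiated.

```python
"""Simplified model of how sasl_minimum_layer, the TLS (external) SSF and a
SASL mechanism's own security layer combine. Written for this page as an
illustration; the numbers and the rule are a simplification of the libsasl
server logic, not Cyrus code."""

# Assumed maximum SSF each mechanism can provide on its own.  PLAIN and
# CRAM-MD5 only authenticate (max 0); DIGEST-MD5 can negotiate a privacy
# layer, modelled here as 128.
MECH_MAX_SSF = {"PLAIN": 0, "LOGIN": 0, "CRAM-MD5": 0, "DIGEST-MD5": 128}
# Mechanisms that put the password on the wire in the clear.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def mech_permitted(mech, minimum_layer, external_ssf, allowplaintext=True):
    """Return (ok, reason).  external_ssf is the TLS strength, 0 without TLS."""
    if mech not in MECH_MAX_SSF:
        return False, "unknown mechanism"
    # allowplaintext: no only bites when there is no TLS layer underneath.
    if mech in PLAINTEXT_MECHS and not allowplaintext and external_ssf == 0:
        return False, "plaintext mechanism refused without TLS"
    # TLS already contributes to the SSF; the mechanism must supply the rest.
    remaining = max(0, minimum_layer - external_ssf)
    if MECH_MAX_SSF[mech] < remaining:
        return False, f"mech {mech} is too weak"
    return True, "ok"


def advertised_mechs(mech_list, minimum_layer, external_ssf, allowplaintext=True):
    """The AUTH= mechanisms a CAPABILITY response would list in this state."""
    return [m for m in mech_list
            if mech_permitted(m, minimum_layer, external_ssf, allowplaintext)[0]]


def authenticate(mech, minimum_layer, external_ssf, client_max_ssf=128,
                 allowplaintext=True):
    """Model one AUTHENTICATE; returns (status line, SSF) as imtest reports."""
    ok, reason = mech_permitted(mech, minimum_layer, external_ssf, allowplaintext)
    if not ok:
        return "NO " + reason, 0
    # The mechanism's layer is bounded by what the client is willing to use.
    mech_ssf = min(MECH_MAX_SSF[mech], client_max_ssf)
    if mech_ssf < max(0, minimum_layer - external_ssf):
        return "NO negotiated layer too weak", 0
    ssf = max(external_ssf, mech_ssf)  # effective protection of the session
    if external_ssf:
        label = "tls protection"
    elif mech_ssf > 1:
        label = "privacy protection"
    elif mech_ssf == 1:
        label = "integrity protection"
    else:
        return "OK Success", 0
    return f"OK Success ({label})", ssf


if __name__ == "__main__":
    # Constructed sessions mirroring the ones in the reply above.
    print(authenticate("DIGEST-MD5", 64, 0))                # privacy, 128
    print(authenticate("CRAM-MD5", 128, 0))                 # too weak
    print(authenticate("CRAM-MD5", 128, 256))               # tls, 256
    print(authenticate("PLAIN", 128, 256, allowplaintext=False))  # imaps client
    print(advertised_mechs(["PLAIN", "CRAM-MD5", "DIGEST-MD5"], 64, 0))
```

With `sasl_minimum_layer: 128` and no TLS, CRAM-MD5 is rejected as too weak exactly as in the log above, while the same mechanism over a 256-bit TLS session passes because the remaining requirement is zero; a Thunderbird-style PLAIN login over imaps passes for the same reason, which is why lowering the setting to 0 changed nothing for that client.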
