how are 'sasl_minimum_layer' & TLS related/dependent?

OpenMacNews openmacnews at
Sun Oct 9 16:57:20 EDT 2005

hi mitu,

1st, THANKS very much for your time ... your comments have been a great guide!  =)

>>>> which, i think, is what i SHOULD be seeing
>> yes, this is correct.

>>>> strangely, i still do NOT see STARTTLS advertised in TBird's imap session protocol log:
>> That's because the connection is already under the SSL layer, logging
>> was done by cyrus/imaps. Cyrus logs this connection as starttls and adds
>> 'no authentication'
>>
>> It's perfectly normal.

aha.  THAT'S why 'no authentication' is there :-}

>>>> why do i have this sneaking suspicion that TBird's STARTTLS implementation is not 100% ... ?
>> I forgot about TB's inability to support the 'STARTTLS' command and a
>> quick test at my server showed that.

ok, so i'm NOT losing my mind. (at least not on THIS issue ...)

>> TB (1.5beta2) and voila !

>>  This is TLS over the 143 port, which I cannot convince TB 1.0.7 to do.
>>  In the new TB build you have as security options
>>    [ ] TLS, if available
>>    [ ] TLS
>>    [ ] SSL.
>> these are the same settings TB has currently (1.0.7) for the SMTP server (which
>> has its own SMTP 'STARTTLS' command and smtps mode just as IMAP has).
>>
>> I cannot tell right now if the older Mozilla suite builds have the same
>> options as the recent Seamonkey build has, but since you use TB then it
>> means that for now you'll just use imaps and wait for a new release.

can't move to it yet, as most of the extensions i want aren't yet compatible :-/

but, that's good news on the horizon!

                              TO SUMMARIZE

... for those likewise interested, here's what i've "landed on", given mitu's help/clarification

my goal state:

	server == CyrusIMAP 2.2.12 cvs
	TBird v107
		TLS connection + encrypted login

	cyradm connection to server
		ONLY via: SSH TO server
		logging in to server's LOCALHOST intfc
		under encryption layer
				cyradm \
				--user my.admin \
				--auth DIGEST-MD5 \
				--port 143 \
				--server localhost

to make this all work (from now, until TBird 1.5b2 is an option for me ...),

since cyradm does NOT apparently have capability to login w/ TLS encryption, i've split my imap
config in two,

	#### QUESTION ####
	NOTE:  it is NOT clear to me, yet, whether sasl_minimum_layer > 129
	       has any further effect, as all allowed MECHS (plain, cram, digest)
	       are already forced to use TLS ...

	i.e., is there ANY further difference between, e.g.,
	       "sasl_minimum_layer: 129" and "sasl_minimum_layer: 256"?

	# this is for all IMAP logins to mail server's EXTERNAL intfc
	# cyradm to EXTERNAL intfc will NOT work, reporting:
	#   badlogin: ... DIGEST-MD5 [SASL(-15): mechanism too weak for this user: mech DIGEST-MD5 is too weak]

	sasl_mech_list:         PLAIN CRAM-MD5 DIGEST-MD5
	allowplaintext:         no
	sasl_minimum_layer:     129

	# if  'sasl_minimum_layer'  then CAPABILITY advertises
	#     -------------------        ------------------------------------------------------
	#             0                   STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5
	#             1-128               STARTTLS LOGINDISABLED AUTH=DIGEST-MD5
	#             >=129               STARTTLS LOGINDISABLED

	@include: imapd-common.conf

	# this defines/enables cyradm login for LOCALHOST, requiring
	# DIGEST-MD5's encryption 'strength'

	sasl_minimum_layer:     128
	sasl_mech_list:         DIGEST-MD5
	allowplaintext:         no

	@include: imapd-common.conf

with cyrus.conf config'd as:

	    imap         cmd="imapd    -C imapd.conf"       listen=""   prefork=1
	    imaps        cmd="imapd -s -C imapd.conf"       listen=""  prefork=1
	    imaplocal    cmd="imapd    -C imapd-local.conf" listen=""  prefork=1

finally, i've configured TBird v107 as:

	Account Settings>(this account)>Server Settings

		Server Type: IMAP Mail Server
		Server Name: {}
		Port: {993} Default: 993

		[x] Use secure connection (SSL)
		[x] Use secure authentication

	>Advanced ...

		IMAP server directory: (blank)
		[ ] Show only subscribed folders
		[X] Server supports folders that contain sub-folders and messages
		[X] Use IDLE command if the server supports it
		Maximum number of server connections to cache {5}
		Personal namespace: ""
		Public (shared): "Shared/"
		Other Users: "Users/"
		[X] Allow server to override these namespaces

for now, this gets me up/running & secure. =:-)

thx! again, mitu!
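To make the CAPABILITY table and the 129-vs-256 question above concrete, here is an added Python model (not Cyrus or libsasl code) of how libsasl picks the mechanisms to advertise, plus a check a sysadmin can run over a captured pre-STARTTLS banner. The per-mechanism SSF values are Cyrus SASL's; that libsasl subtracts the TLS layer's SSF from sasl_minimum_layer is the rule being modelled; the TLS SSF figures 128/168/256 are assumptions standing in for cipher strengths, and the sample banner is constructed.

```python
# Added example (not Cyrus code): models which AUTH= mechanisms Cyrus SASL
# advertises for a given sasl_minimum_layer, reproducing the table in the
# post and extending it to a connection that is already under TLS.
import re

# Maximum SSF each mechanism provides by itself in Cyrus SASL: PLAIN and
# CRAM-MD5 add no security layer, DIGEST-MD5 can negotiate a 128-bit one.
MECH_MAX_SSF = {"PLAIN": 0, "CRAM-MD5": 0, "DIGEST-MD5": 128}
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def advertised_mechs(mech_list, minimum_layer, external_ssf=0, plaintext_ok=True):
    """libsasl subtracts the SSF of an external layer (TLS) from the minimum
    layer; a mechanism is offered only if it covers the remainder on its own.
    Cleartext mechanisms are withheld while plaintext logins are refused."""
    needed = max(0, minimum_layer - external_ssf)
    offered = [m for m in mech_list if MECH_MAX_SSF.get(m, 0) >= needed
               and (plaintext_ok or m not in CLEARTEXT_MECHS)]
    return sorted(offered, key=lambda m: -MECH_MAX_SSF.get(m, 0))  # strongest first

def capability(mech_list, minimum_layer, allowplaintext=False, tls_ssf=0):
    """Security-relevant tokens of the CAPABILITY line; tls_ssf is the SSF of
    an active TLS layer (0 = not encrypted yet).  Treating a 128-bit cipher
    as SSF 128, 3DES as 168 and a 256-bit cipher as 256 is an assumption."""
    encrypted = tls_ssf > 0
    plaintext_ok = allowplaintext or encrypted
    caps = [] if encrypted else ["STARTTLS"]
    if not plaintext_ok:
        caps.append("LOGINDISABLED")  # cleartext LOGIN refused until TLS is up
    mechs = advertised_mechs(mech_list, minimum_layer, tls_ssf, plaintext_ok)
    return caps + ["AUTH=" + m for m in mechs]

def audit_pretls_capability(line):
    """Defender check on a CAPABILITY line captured before STARTTLS: list
    anything that would let credentials cross the wire unprotected."""
    tokens = line.split()
    problems = []
    if "STARTTLS" not in tokens:
        problems.append("no STARTTLS offered")
    if "LOGINDISABLED" not in tokens:
        problems.append("cleartext LOGIN accepted before TLS")
    for t in tokens:
        m = re.fullmatch(r"AUTH=(\S+)", t)
        if m and m.group(1) in CLEARTEXT_MECHS:
            problems.append(f"cleartext mechanism {t} offered before TLS")
    return problems

# constructed banner, the shape Cyrus sends before STARTTLS
SAMPLE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5"
```

Under this model 129 and 256 advertise the same mechanisms behind a 128-bit or 256-bit TLS cipher but diverge behind a 168-bit one, so the answer to the question depends on which TLS SSF the cipher suite yields.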