missing plain authentication explained?

Phil Pennock info-cyrus-spodhuis at spodhuis.org
Sat Jul 22 15:26:35 EDT 2006

On 2006-07-21 at 19:15 -0700, Ross Boylan wrote:
> I'm not entirely clear about whether PLAIN can be used, even if not
> advertised, if the session is not secure.  Since I'm doing everything
> on one box, it's not a big security risk (I think).

How about modifying cyrus.conf so that the listen directives say
listen="" and make the cmd="imapd -p 10" or some other

"1" means integrity protection but no confidentiality.  OpenLDAP uses 71
for "unix-domain socket" (and yes, Cyrus IMAPd works with a Unix-domain
socket but most MUAs don't).  10 seems a reasonable middle ground for
"loopback, which is safe enough if I enable antispoof protection"; since
Unix uses a weak end-system model, where one IP address can be reached
from another interface, you'll need to make sure that your host's
packet-filter prevents packets addressed to arriving on the

"Everything has three factors: politics, money, and the right way to do it.
 In that order."  -- Gary Donahue
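
An added example, not part of the original message and not Cyrus code: a Python check over a cyrus.conf SERVICES section that reports any service whose cmd declares an external SSF with -p while its listen value is neither a literal loopback address nor a Unix-domain socket path. The service names, addresses and socket path in the sample are constructed, and treating a bare port or a hostname as non-local is an assumption of this check.

```python
import ipaddress
import re

# Constructed sample of a cyrus.conf SERVICES section (not from the message).
SAMPLE = '''
SERVICES {
  imap      cmd="imapd" listen="imap" prefork=0
  imaplocal cmd="imapd -p 10" listen="127.0.0.1:imap" prefork=0
  imapwide  cmd="imapd -p 10" listen="192.0.2.10:imap" prefork=0
  imapany   cmd="imapd -p 1" listen="143" prefork=0
  imapunix  cmd="imapd -p 71" listen="/var/imap/socket/imap" prefork=0
  imapv6    cmd="imapd -p 10" listen="[::1]:imap" prefork=0
}
'''
ENTRY = re.compile(r'^\s*(\w+)\s+(.*\bcmd=.*)$')
ARG = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def external_ssf(cmd):
    """Return the SSF given with -p in a service command line, or None."""
    m = re.search(r'(?:^|\s)-p\s*(\d+)(?:\s|$)', cmd)
    return int(m.group(1)) if m else None

def is_local_only(listen):
    """True only for a Unix-domain socket path or a literal loopback address."""
    if listen.startswith("/"):
        return True
    if listen.startswith("[") and "]" in listen:   # bracketed IPv6 host
        host = listen[1:listen.index("]")]
    elif ":" in listen:                            # host:port
        host = listen.rsplit(":", 1)[0]
    else:
        return False        # bare port or service name: every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False        # hostname: not provably loopback (assumption)

def audit(conf_text):
    """List (service, ssf, listen) where -p is set on a non-local listener."""
    findings = []
    for line in conf_text.splitlines():
        m = ENTRY.match(line.split("#", 1)[0])
        if not m:
            continue
        args = {k: quoted or bare for k, quoted, bare in ARG.findall(m.group(2))}
        ssf = external_ssf(args.get("cmd", ""))
        if ssf and not is_local_only(args.get("listen", "")):
            findings.append((m.group(1), ssf, args.get("listen", "")))
    return findings
```

The check reads only the configuration file; the packet-filter rule the message calls for has to be verified on the host separately.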
