Disallowing PLAIN login without TLS

Nikola Milutinovic alokin1 at yahoo.com
Wed Mar 29 10:05:32 EST 2006


Hi all.

I am setting up our internal IMAP server.

Open SUSE Linux 10.0
Cyrus IMAP 2.2.12-13 (unlucky :-))
Cyrus SASL 2.1.21-3

I would like to ban PLAIN without TLS, but can't seem to pinpoint the right
config combination. We either ban all PLAIN logins (with and without TLS) or
allow them all. The client is Thunderbird 1.5. This is what we have so far in
the imapd.conf:

###################################################################################
#                                    Login
###################################################################################

allowanonymouslogin:                    no
allowplaintext:                         yes
allowplainwithouttls:                   no
loginuseacl:                            no
plaintextloginpause:                    0
normalizeuid:                           yes
# loginrealms: <list of realms for cross-auth>

###################################################################################
#                                     SASL
###################################################################################

sasl_auto_transition:                   no
sasl_maximum_layer:                     256
sasl_minimum_layer:                     56
sasl_pwcheck_method:                    saslauthd
# sasl_<option>: Any SASL option can be set by preceding it with "sasl_".
# srvtab: The pathname of srvtab file containing the server's private key.

This is letting us authenticate using PLAIN. When we change "allowplainlogin"
to "yes", we can login using PLAIN, although "allowplainwithouttls" is set to
"no". In my opinion, both that setting and "SASL min SSF = 56" should have cut
off login via PLAIN. Any ideas?

Nix.
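Whatever the config ends up being, the thing to verify is what the server actually advertises on port 143: a server that refuses cleartext passwords until TLS is up advertises LOGINDISABLED and no AUTH=PLAIN / AUTH=LOGIN before STARTTLS, and offers them only on the re-read CAPABILITY after STARTTLS. The probe below is an added example for this thread, not code from the original post or from Cyrus; the host name is an assumption, and the capability lists used in the policy check are constructed samples. It uses Python's imaplib, which re-reads CAPABILITY itself once STARTTLS succeeds.

```python
"""Check whether an IMAP server exposes cleartext authentication before STARTTLS.

Added example, not part of the original mailing-list post. Policy being
checked: no AUTH=PLAIN / AUTH=LOGIN / LOGIN on the plain connection, but
password authentication allowed once TLS is established.
"""
import imaplib
import ssl
import sys

# SASL mechanisms that put the password on the wire in the clear.
CLEARTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def cleartext_auth_exposed(capabilities, tls_active):
    """True if a client could send a cleartext password on this connection.

    capabilities: tokens from the server's CAPABILITY response
    tls_active:   whether the connection is already wrapped in TLS
    """
    caps = {c.upper() for c in capabilities}
    if tls_active:
        return False                      # TLS protects the password
    if caps & CLEARTEXT_MECHS:
        return True                       # SASL PLAIN/LOGIN offered in the clear
    # RFC 2595: LOGINDISABLED means the LOGIN command is refused; without
    # it, the pre-SASL LOGIN command still carries a cleartext password.
    return "LOGINDISABLED" not in caps


def policy_ok(before_caps, after_caps):
    """Evaluate the desired policy against capabilities seen before and
    after STARTTLS. Returns (ok, list_of_findings)."""
    findings = []
    before = {c.upper() for c in before_caps}
    after = {c.upper() for c in after_caps}
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised")
    if cleartext_auth_exposed(before, tls_active=False):
        findings.append("cleartext auth accepted before STARTTLS")
    if not (after & CLEARTEXT_MECHS) and "LOGINDISABLED" in after:
        findings.append("no password auth offered even after STARTTLS")
    return (not findings, findings)


def probe(host, port=143):
    """Live check: record capabilities, do STARTTLS, record them again."""
    conn = imaplib.IMAP4(host, port)
    before = tuple(conn.capabilities)
    # Assumes the server cert chains to a CA in the local trust store.
    conn.starttls(ssl.create_default_context())
    after = tuple(conn.capabilities)      # imaplib re-reads CAPABILITY after TLS
    conn.logout()
    return before, after


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.example.internal"  # assumed
    before, after = probe(host)
    ok, findings = policy_ok(before, after)
    print("before STARTTLS:", " ".join(before))
    print("after  STARTTLS:", " ".join(after))
    print("OK" if ok else "PROBLEMS: " + "; ".join(findings))
```

Run it against the server from a client machine (`python3 probe.py imap.example.internal`); if the "before" line lists AUTH=PLAIN or lacks LOGINDISABLED, the server is still accepting cleartext passwords on the unencrypted connection regardless of what the config file says. For a self-signed certificate, load it into the SSL context with `load_verify_locations` instead of relaxing verification.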
