Disallowing PLAIN login without TLS

Patrick Radtke phr2101 at columbia.edu
Wed Mar 29 11:04:18 EST 2006


We just use
allowplaintext: no

That stops plaintext logins and will require the session to be encrypted before the PLAIN mechanism is used.

-Patrick


On Mar 29, 2006, at 10:05 AM, Nikola Milutinovic wrote:

> Hi all.
>
> I am setting up our internal IMAP server.
>
> Open SUSE Linux 10.0
> Cyrus IMAP 2.2.12-13 (unlucky :-))
> Cyrus SASL 2.1.21-3
>
> I would like to ban PLAIN without TLS, but can't seem to pinpoint the right
> config combination. We either ban all PLAIN logins (with and without TLS) or
> allow them all. The client is Thunderbird 1.5. This is what we have so far in
> the imapd.conf:
>
> ###################################################################################
> #                                    Login
> ###################################################################################
>
> allowanonymouslogin:                    no
> allowplaintext:                         yes
> allowplainwithouttls:                   no
> loginuseacl:                            no
> plaintextloginpause:                    0
> normalizeuid:                           yes
> # loginrealms: <list of realms for cross-auth>
>
> ###################################################################################
> #                                     SASL
> ###################################################################################
>
> sasl_auto_transition:                   no
> sasl_maximum_layer:                     256
> sasl_minimum_layer:                     56
> sasl_pwcheck_method:                    saslauthd
> # sasl_<option>: Any SASL option can be set by preceding it with "sasl_".
> # srvtab: The pathname of srvtab file containing the server's private key.
>
> This is letting us authenticate using PLAIN. When we change "allowplainlogin"
> to "yes", we can log in using PLAIN, although "allowplainwithouttls" is set to
> "no". In my opinion, both that setting and "SASL min SSF = 56" should have cut
> off login via PLAIN. Any ideas?
>
> Nix.
>
> ----
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
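A client-side check for the behaviour Patrick describes, as an added example that is not part of the original thread and not Cyrus project code. It connects to an IMAP port in the clear, records the CAPABILITY line, issues STARTTLS, records it again, and applies the policy the thread is after: no AUTH=PLAIN, no AUTH=LOGIN and a LOGINDISABLED advertisement before TLS, PLAIN available after it. The sample capability strings are constructed for the offline demonstration, not captured from a real server; the host and port passed to audit() are assumed to be whatever server you are testing.

```python
"""Check whether an IMAP server offers plaintext authentication before STARTTLS.

Added example, not Cyrus project code.  Policy checked: a password must not be
sendable in the clear until TLS is established (RFC 2595 LOGINDISABLED).
"""
import imaplib
import ssl
import sys

# Constructed sample CAPABILITY lines (not captured from any real server).
CAP_PRE_TLS_WEAK = "IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN"
CAP_PRE_TLS_HARDENED = "IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5"
CAP_POST_TLS = "IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5"

# SASL mechanisms that transmit the password without protection of their own.
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line):
    """Split one CAPABILITY response into an upper-cased set of tokens."""
    return {tok.upper() for tok in line.split()}


def plaintext_offered(caps):
    """True if a client could send a password in the clear at this point:
    a plaintext SASL mechanism is advertised, or the bare IMAP LOGIN command
    has not been disabled with LOGINDISABLED."""
    return bool(caps & PLAINTEXT_MECHS) or "LOGINDISABLED" not in caps


def assess(pre_tls_line, post_tls_line):
    """Evaluate the capability lines seen before and after STARTTLS against
    the policy 'no PLAIN without TLS'.  Returns a dict of findings."""
    pre = parse_capabilities(pre_tls_line)
    post = parse_capabilities(post_tls_line)
    findings = {
        "starttls_offered": "STARTTLS" in pre,
        "plain_before_tls": plaintext_offered(pre),
        "plain_after_tls": plaintext_offered(post),
    }
    # Acceptable state: TLS is offered, nothing plaintext before it, and PLAIN
    # does become available after it (otherwise a PLAIN-only client cannot log in).
    findings["ok"] = (findings["starttls_offered"]
                      and not findings["plain_before_tls"]
                      and findings["plain_after_tls"])
    return findings


def fetch_capabilities(conn):
    """Ask the server for its CAPABILITY line and return it as text."""
    typ, data = conn.capability()
    if typ != "OK" or not data:
        raise RuntimeError("no CAPABILITY response from server")
    return data[-1].decode("ascii", "replace")


def audit(host, port=143):
    """Connect in the clear, record capabilities, STARTTLS, record again.
    host and port are assumed values: whatever server you are testing."""
    conn = imaplib.IMAP4(host, port)
    try:
        pre = fetch_capabilities(conn)
        conn.starttls(ssl.create_default_context())
        post = fetch_capabilities(conn)
    finally:
        try:
            conn.logout()
        except Exception:
            pass
    return assess(pre, post)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python3 imap_plain_check.py imap.example.org [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 143
        print(audit(sys.argv[1], port))
    else:
        # Offline demonstration on the constructed samples.
        print("weak:    ", assess(CAP_PRE_TLS_WEAK, CAP_POST_TLS))
        print("hardened:", assess(CAP_PRE_TLS_HARDENED, CAP_POST_TLS))
```

The pre-TLS line is the one that matters: with "allowplaintext: no" you expect to see LOGINDISABLED and no AUTH=PLAIN or AUTH=LOGIN there, and to see them reappear only in the post-STARTTLS line. A server that advertises AUTH=PLAIN in the clear, or omits LOGINDISABLED, is reported as plain_before_tls even if it also offers STARTTLS, because a client is free to ignore the upgrade.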


