how to enable TLs encryption only ?

JOYDEEP j.bakshi at
Mon Apr 2 01:27:20 EDT 2007

Jorey Bump wrote:
> Olaf Fraczyk wrote:
>> On Fri, 2007-03-30 at 16:19 +0530, JOYDEEP wrote:
>>> I am a bit confused here. may be I am wrong but imaps is running at
>>> port
>>> 993 with SSL where imap with TLs is running at port 143.
>>> I need the imap + TLS.  I don't have any imaps entry in my imapd.conf.
>>> So could you all be a little bore verbose :-)
>>> thanks for the help so far.
>> I mean that if you want to force encryption on users you need to use
>> imaps. 
> It's not quite that simple. The documentation is less than clear on
> this, but the behaviour of the daemon is affected by various settings.
> For example, (on recent versions of Cyrus IMAP, at least) by enabling
> TLS:
>  tls_key_file: /path/to/key.pem
>  tls_cert_file: /path/to/cert.pem
> and setting these values:
>  sasl_pwcheck_method: auxprop
>  sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>  allowplaintext: 0
>  sasl_minimum_layer: 0
> Cyrus IMAP will perform some basic integrity checks appropriate to the
> mechanism used:
>  PLAIN is denied without negotiating STARTTLS first
>  LOGIN is denied without negotiating STARTTLS first
>  CRAM-MD5 is allowed without negotiating STARTTLS
>  DIGEST-MD5 is allowed without negotiating STARTTLS
> By enabling plaintext:
>  allowplaintext: 1
> It is now possible to use LOGIN without STARTTLS, but (on my system)
> PLAIN still requires STARTTLS. By adjusting sasl_minimum_layer, it is
> also possible to require encryption for the other mechanisms.
> So, yes, it is possible to enforce a variety of security levels on
> port 143. Getting this to match your local policy requires some
> tweaking. You may only care that authentication is encrypted, but not
> the message transfer. In that case, it's only necessary to enforce TLS
> for PLAIN and LOGIN.
> imtest is indispensible for testing your configuration. You can run it
> through its paces by specifying different mechanisms:
>  imtest -u bob -a bob -m PLAIN
> and adding TLS negotiation:
>  imtest -u bob -a bob -m PLAIN -t ""
> The output is verbose and will help you to understand how your server
> is configured. Remember to logout with:
> . logout
>> If you have imap + TLS it is up to the client to decide if it wants to
>> upgrade the "clear text" connection to TLS.
>> Disabling imap disallows connection of clients and sending clear text
>> passwords on the wire :)
>> You may consider (not technically 100% accurate):
>> imaps=imap+TLS_always_on.
> Well, this is only true if you've configured imapd to run in SSL
> wrapper mode with the -s flag (not the same as STARTTLS):
>  imaps  cmd="imapd -s" listen="imaps" prefork=0
> You can do that on any port, even 143 (not recommended).
> It's still a good idea to configure imaps (on port 993), since client
> support for STARTTLS is still relatively recent. There are a lot of
> legacy clients that can't negotiate STARTTLS, but can handle imaps
> (SSL) just fine.

Dear Jorey and all the responders,

thanks a lot for so in depth discussion.  I have already enabled SSL
encryption :-)   as  I have come to know from some documentation that
the STARTTLS is stillnot very standard and the client side support for
it is not become standard too.

and  now I am going for the secured authentication.
I may be permitted to give here the so that you can suggest the
necessary tweaking I need.

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve

admins: cyrus
allowplaintext: yes
sasl_mech_list: LOGIN PLAIN
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
#auxprop saslauthd
#sasl_auxprop_plugin: sasldb2

lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
# if you want TLS, you have to generate certificates and keys
tls_cert_file: /etc/openldap/myca/servercert.pem
tls_key_file:  /etc/openldap/myca/serverkey.pem
tls_ca_file:  /etc/openldap/myca/cacert.pem
tls_ca_path:  /etc/openldap/myca/
tls_require_cert: no
tlscache_db: berkeley

unixhierarchysep:  yes
virtdomains:       yes


hashimapspool: true
lmtpsocket:  /var/lib/imap/socket/lmtp

thanks to all of you

More information about the Info-cyrus mailing list