how to enable TLS encryption only?

Jorey Bump list at joreybump.com
Mon Apr 2 09:40:02 EDT 2007


JOYDEEP wrote:

> thanks a lot for so in depth discussion.  I have already enabled SSL
> encryption :-)   as  I have come to know from some documentation that
> the STARTTLS is still not very standard and the client-side support for
> it has not become standard either.

Actually, it's very standardized and widely supported by nearly all new 
versions of client software. You only need to consider alternatives for 
existing legacy clients and perhaps newer buggy ones.

> and now I am going for the secured authentication.
> I may be permitted to give here the main.cf so that you can suggest the
> necessary tweaking I need.

For the most part, this looks good.

> -------------------------------------------------------------------------------------------------
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> sievedir: /var/lib/sieve
> 
> admins: cyrus
> allowplaintext: yes

This is fine, as long as you've considered the risk and educated your 
users to use the most secure approach available. It's quite trivial to 
decode LOGIN authentication, if it can be sniffed on the wire.

> sasl_mech_list: LOGIN PLAIN

Consider supporting CRAM-MD5 and DIGEST-MD5 (see below).

> allowanonymouslogin: no
> autocreatequota: 10000
> reject8bit: no
> quotawarn: 90
> timeout: 30
> poptimeout: 10
> dracinterval: 0
> drachost: localhost

Are you actually using drac? It's hard to make a case for 
POP-before-SMTP, these days. I'd disable it in favor of per-user 
authentication.

> sasl_pwcheck_method: saslauthd

Consider switching to auxprop so you can support CRAM-MD5 and 
DIGEST-MD5. Administering sasldb2 is no harder than maintaining local 
system users, but I feel it narrows the risk. There are two sides to 
this argument, so do some research before you make your decision.

> #auxprop saslauthd
> #sasl_auxprop_plugin: sasldb2
> servername:linux.kolkatainfoservices.in
> 
> lmtp_overquota_perm_failure: no
> lmtp_downcase_rcpt: yes
> #
> # if you want TLS, you have to generate certificates and keys
> #
> tls_cert_file: /etc/openldap/myca/servercert.pem
> tls_key_file:  /etc/openldap/myca/serverkey.pem
> tls_ca_file:  /etc/openldap/myca/cacert.pem
> tls_ca_path:  /etc/openldap/myca/
> tls_require_cert: no
> tlscache_db: berkeley
> 
> unixhierarchysep:  yes

Do you need to support dots in usernames or mailboxes? This is purely a 
matter of choice, but not all systems support usernames with dots, so it 
may affect future migrations to other IMAP servers. I prefer to have 
logins without dots, but allow dots in the local part of aliases. Of 
course, if you have existing accounts that already contain dots, you'll 
probably need this for migration.

> virtdomains:       yes
> 
> defaultdomain: kolkatainfoservices.in
> loginrealms:   kolkatainfoservices.in
> 
> hashimapspool: true
> lmtpsocket:  /var/lib/imap/socket/lmtp
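A practical way to confirm the points raised in this reply is to look at what the server actually advertises on the wire, before and after STARTTLS. The following checker is an added example, not code from the thread or from Cyrus: it parses IMAP CAPABILITY responses and reports plaintext exposure, and includes an optional live probe built on Python's imaplib. The capability strings below are constructed samples; one pair mirrors the quoted config (allowplaintext: yes, sasl_mech_list: LOGIN PLAIN), the other is what a TLS-only server should show.

```python
"""Check what an IMAP server exposes in the clear, before and after STARTTLS."""
import imaplib
import ssl

PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}          # credentials sent as-is on the wire
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5"}  # the alternatives suggested in the reply

def parse_capabilities(line):
    """Split a CAPABILITY line into (capability names, advertised AUTH= mechanisms)."""
    caps = {token.upper() for token in line.split()}
    caps.discard("CAPABILITY")
    mechs = {cap[len("AUTH="):] for cap in caps if cap.startswith("AUTH=")}
    return caps, mechs

def assess(pre_tls_line, post_tls_line):
    """Return findings about plaintext credential exposure on the unencrypted leg."""
    pre_caps, pre_mechs = parse_capabilities(pre_tls_line)
    _, post_mechs = parse_capabilities(post_tls_line)
    findings = []
    if "STARTTLS" not in pre_caps:
        findings.append("STARTTLS not offered: the session cannot be upgraded")
    # RFC 2595: a server that refuses cleartext logins advertises LOGINDISABLED until TLS is up.
    if "LOGINDISABLED" not in pre_caps:
        findings.append("LOGIN accepted before TLS (allowplaintext: yes)")
    exposed = pre_mechs & PLAINTEXT_MECHS
    if exposed:
        findings.append("plaintext SASL mechanisms offered before TLS: " + ", ".join(sorted(exposed)))
    if exposed and not (pre_mechs & CHALLENGE_MECHS):
        findings.append("clients that skip TLS get no challenge-response alternative (auxprop/sasldb2 needed)")
    if post_tls_line and not (post_mechs & (PLAINTEXT_MECHS | CHALLENGE_MECHS)):
        findings.append("no usable authentication mechanism advertised after TLS")
    return findings

def fetch_capabilities(host, port=143, timeout=10):
    """Live probe (hypothetical host): read capabilities in the clear, STARTTLS, read again."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    pre = " ".join(conn.capabilities)
    post = ""
    if "STARTTLS" in conn.capabilities:
        conn.starttls(ssl.create_default_context())  # imaplib re-reads CAPABILITY after the upgrade
        post = " ".join(conn.capabilities)
    conn.logout()
    return pre, post

# Constructed samples: the first pair mirrors the quoted config (allowplaintext: yes,
# sasl_mech_list: LOGIN PLAIN); the second pair is what a TLS-only server should show.
OPEN_PRE, OPEN_POST = "IMAP4rev1 STARTTLS AUTH=LOGIN AUTH=PLAIN", "IMAP4rev1 AUTH=LOGIN AUTH=PLAIN"
STRICT_PRE, STRICT_POST = "IMAP4rev1 STARTTLS LOGINDISABLED", "IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
```

Run `assess(*fetch_capabilities("imap.example.invalid"))` against your own server to see which of the findings apply to it.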



More information about the Info-cyrus mailing list