how to enable TLS encryption only?
Jorey Bump
list at joreybump.com
Fri Mar 30 08:42:00 EST 2007
Olaf Fraczyk wrote:
> On Fri, 2007-03-30 at 16:19 +0530, JOYDEEP wrote:
>>
>> I am a bit confused here. may be I am wrong but imaps is running at port
>> 993 with SSL where imap with TLS is running at port 143.
>> I need the imap + TLS. I don't have any imaps entry in my imapd.conf.
>> So could you all be a little more verbose :-)
>> thanks for the help so far.
>>
> I mean that if you want to force encryption on users you need to use
> imaps.
It's not quite that simple. The documentation is less than clear on
this, but the behaviour of the daemon is affected by various settings.
For example (on recent versions of Cyrus IMAP, at least), by enabling TLS:
tls_key_file: /path/to/key.pem
tls_cert_file: /path/to/cert.pem
and setting these values:
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
allowplaintext: 0
sasl_minimum_layer: 0
Cyrus IMAP will perform some basic integrity checks appropriate to the
mechanism used:
PLAIN is denied without negotiating STARTTLS first
LOGIN is denied without negotiating STARTTLS first
CRAM-MD5 is allowed without negotiating STARTTLS
DIGEST-MD5 is allowed without negotiating STARTTLS
By enabling plaintext:
allowplaintext: 1
It is now possible to use LOGIN without STARTTLS, but (on my system)
PLAIN still requires STARTTLS. By adjusting sasl_minimum_layer, it is
also possible to require encryption for the other mechanisms.
So, yes, it is possible to enforce a variety of security levels on port
143. Getting this to match your local policy requires some tweaking. You
may only care that authentication is encrypted, but not the message
transfer. In that case, it's only necessary to enforce TLS for PLAIN and
LOGIN.
imtest is indispensable for testing your configuration. You can run it
through its paces by specifying different mechanisms:
imtest -u bob -a bob -m PLAIN mail.example.com
and adding TLS negotiation:
imtest -u bob -a bob -m PLAIN -t "" mail.example.com
The output is verbose and will help you to understand how your server is
configured. Remember to logout with:
. logout
> If you have imap + TLS it is up to the client to decide if it wants to
> upgrade the "clear text" connection to TLS.
> Disabling imap disallows connection of clients and sending clear text
> passwords on the wire :)
> You may consider (not technically 100% accurate):
> imaps=imap+TLS_always_on.
Well, this is only true if you've configured imapd to run in SSL wrapper
mode with the -s flag (not the same as STARTTLS):
imaps cmd="imapd -s" listen="imaps" prefork=0
You can do that on any port, even 143 (not recommended).
It's still a good idea to configure imaps (on port 993), since client
support for STARTTLS is still relatively recent. There are a lot of
legacy clients that can't negotiate STARTTLS, but can handle imaps (SSL)
just fine.
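An added example, not code from this thread and not part of Cyrus IMAP: a small Python script that does against a live server what the verbose imtest runs above do by hand. It reads the CAPABILITY list before and after STARTTLS and reports whether the plaintext mechanisms (PLAIN, LOGIN) are only unlocked by TLS, whether the bare LOGIN command is disabled in the clear, and whether anything at all (CRAM-MD5, DIGEST-MD5) is still offered without a layer, which is the distinction between "only authentication is encrypted" and "everything is encrypted" drawn above. The host name mail.example.com, the account names and the sample CAPABILITY responses are constructed for illustration, not captured from a real Cyrus server.

```python
import imaplib
import ssl

# SASL mechanisms that put the password itself on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capability(line):
    """Return the capability tokens from either response shape:
    '* CAPABILITY IMAP4rev1 STARTTLS ...' or a greeting carrying them in a
    response code, '* OK [CAPABILITY IMAP4rev1 ...] ready'. Tokens are
    upper-cased so AUTH=plain and AUTH=PLAIN compare equal."""
    text = line.strip()
    upper = text.upper()
    if "[CAPABILITY" in upper:
        start = upper.index("[CAPABILITY") + len("[CAPABILITY")
        body = text[start:text.index("]", start)]
    elif upper.startswith("* CAPABILITY"):
        body = text[len("* CAPABILITY"):]
    else:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in body.split()}


def auth_mechs(caps):
    """SASL mechanisms advertised as AUTH=<name> in a capability set."""
    return {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}


def assess(caps_before, caps_after=None):
    """Compare the pre-STARTTLS (and optionally post-STARTTLS) capability
    sets against two policies: 'password never in the clear' and
    'no authentication at all without TLS'."""
    before = auth_mechs(caps_before)
    findings = {
        "starttls_offered": "STARTTLS" in caps_before,
        "login_disabled_pre_tls": "LOGINDISABLED" in caps_before,
        "plaintext_mechs_pre_tls": sorted(before & PLAINTEXT_MECHS),
        "other_mechs_pre_tls": sorted(before - PLAINTEXT_MECHS),
    }
    if caps_after is not None:
        findings["mechs_unlocked_by_tls"] = sorted(auth_mechs(caps_after) - before)
    # Password never on the wire: STARTTLS available, no AUTH=PLAIN/LOGIN
    # advertised before it, and the bare LOGIN command disabled.
    findings["password_protected"] = (
        findings["starttls_offered"]
        and not findings["plaintext_mechs_pre_tls"]
        and findings["login_disabled_pre_tls"]
    )
    # Stricter: not even CRAM-MD5/DIGEST-MD5 offered in the clear, which is
    # what raising sasl_minimum_layer (or imaps-only) aims at.
    findings["all_auth_requires_tls"] = (
        findings["password_protected"] and not findings["other_mechs_pre_tls"]
    )
    return findings


def audit(host, port=143, timeout=10):
    """Live check (needs network, not used by the samples): connect in the
    clear, record capabilities, upgrade with STARTTLS, record them again."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    before = set(conn.capabilities)            # imaplib upper-cases these
    conn.starttls(ssl.create_default_context())
    after = set(conn.capabilities)             # refreshed after the upgrade
    conn.logout()
    return assess(before, after)


def plaintext_login_refused(host, user, password, port=143, timeout=10):
    """Send LOGIN without STARTTLS and report whether the server refused it.
    Use a throwaway account: the password really does cross the wire in the
    clear, which is exactly what the server is expected to reject."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        conn.login(user, password)
        return False
    except imaplib.IMAP4.error:
        return True
    finally:
        conn.logout()


# Constructed sample responses (assumed shape, not captured from Cyrus)
# mirroring the allowplaintext: 0 behaviour described in the message:
# PLAIN and LOGIN appear only once TLS is up, the MD5 mechanisms do not wait.
SAMPLE_STRICT_PRE_TLS = parse_capability(
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"
    " AUTH=DIGEST-MD5] mail.example.com ready")
SAMPLE_STRICT_POST_TLS = parse_capability(
    "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5")
# The allowplaintext: 1 shape: LOGIN usable in the clear, PLAIN still not.
SAMPLE_LAX_PRE_TLS = parse_capability(
    "* CAPABILITY IMAP4rev1 STARTTLS AUTH=LOGIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5")

if __name__ == "__main__":
    print("strict:", assess(SAMPLE_STRICT_PRE_TLS, SAMPLE_STRICT_POST_TLS))
    print("lax:   ", assess(SAMPLE_LAX_PRE_TLS))
```

Run `audit("mail.example.com")` against your own server after each imapd.conf change; "mechs_unlocked_by_tls" should list exactly PLAIN and LOGIN if you only care about protecting the password, and "all_auth_requires_tls" should be true once sasl_minimum_layer is raised. Note that the check reads what the server advertises; a server that advertises AUTH=PLAIN in the clear but rejects it at authentication time would still be flagged, which is the right outcome since clients act on the advertisement.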
More information about the Info-cyrus mailing list