Plaintext only for loopback?

Jorey Bump list at joreybump.com
Mon Jan 14 09:10:01 EST 2008


Chris Pepper wrote, at 01/13/2008 06:48 PM:

>     Arrgh! SquirrelMail offers plain, cram-md5, and digest-md5, and only 
> plain appears to work against /etc/shadow. I don't want the overhead of 
> running TLS over loopback, so I think I will have to do without forcing 
> secure auth for non-SSL IMAP/POP, and use the firewall to prevent 
> Internet users from connecting over the Internet w/o SSL (so I don't 
> have to worry about them unwisely using PLAIN or LOGIN over plaintext 
> connection).

Using TLS over loopback isn't entirely crazy, especially if webmail 
accounts only for a fraction of your service (unless your platform has a 
serious problem maintaining entropy).

There are also compelling reasons to switch to sasldb for mail accounts. 
I used /etc/shadow for years, but I have to say I'm happy I switched, 
in spite of some of the negatives. The truth is that less than 1% of my 
mail users need shell accounts, so there's no incentive to create them 
as system users, and there's no obstacle to providing shells to the 
users that need them. Creating users in sasldb isn't that much harder, 
and is more in keeping with the black box paradigm employed by cyrus. 
Some mail clients use the md5 methods by default, or failover to them, 
so it's worth adding support. Give it a try, you might like it.

>     Pity. It would be nice to have the option of doing IMAP on the IMAP 
> port without worrying about unencrypted plaintext auth.
> 
>                         Thanks,
> 
>                         Chris
> PS-Bron, I don't want to deal with multiple instances, and I don't need 
> to, since I can firewall IMAP (non-SSL) and only let SquirrelMail 
> connect to port 143. I'm not looking forward to the SpamAssassin/ClamAV 
> sandwich on the SMTP side.

Don't co-opt a standard port for a nonstandard purpose. Bron & Phil have 
both indicated how Cyrus IMAP offers additional options. It's not always 
obvious in the documentation, but there are roughly three kinds of options:

  Global settings
  Named service settings
  Arguments

Don't be deceived by the service names in cyrus.conf; they are just 
arbitrary strings. You can create an imapd service dedicated to 
SquirrelMail and call it anything you want:

  imap   cmd="imapd" listen="192.168.1.100:143" prefork=0
  imaps  cmd="imapd -s" listen="imaps" prefork=0
  nuts   cmd="imapd" listen="localhost:143" prefork=0

Just make sure you avoid IP or port conflicts. Now you'll need to either 
prefix the appropriate settings in imapd.conf for each named service:

  imap_tls_cert_file: /path/to/cert.crt
  imaps_tls_cert_file: /path/to/cert.crt
  nuts_tls_cert_file: disabled
  ...

Or simply create a dedicated configuration file for the new service, and 
specify it in cyrus.conf:

  nuts   cmd="imapd -C /etc/nuts.conf" listen="localhost:143" prefork=0

So, what you want to do is supported, it's just not intuitively obvious, 
because there's a fair amount of flexibility and interaction between 
settings at different levels.

NOTE: I've set this up in the past, but didn't confirm the examples 
above. Be sure to consult the documentation for your version of Cyrus 
IMAP. Using a separate imapd config file may be the safest way to get 
your alternate service running to your specifications without disrupting 
an existing configuration too much (and follow Bron's advice and version 
control everything).
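As an added illustration of the two mechanisms above (not code from the post or from Cyrus IMAP), here is a small Python script that reads a cyrus.conf SERVICES block and the matching imapd.conf files, flags services that would collide on the same address and port, and resolves which value a named service actually sees for a setting: a `servicename_key` line wins over the bare `key`, and a `-C path` on the cmd replaces the default file entirely. The cyrus.conf and imapd.conf contents are constructed for the example and follow the layout quoted above; "/etc/nuts.conf", the `allowplaintext` value and the `PORT_NAMES` table are assumptions of the example, and "localhost" is not resolved to 127.0.0.1.

```python
"""Sanity-check a Cyrus cyrus.conf / imapd.conf pair for named services.

Added example, not code from Cyrus IMAP or from the post.  Assumptions:
  - cyrus.conf service lines look like: name cmd="..." listen="..." prefork=N
  - imapd.conf lines look like: key: value, and servicename_key overrides key
  - `-C path` in a cmd string selects an alternate imapd.conf (as in the post)
All configuration text below is constructed for the example.
"""
import shlex

# Names that listen= may use instead of a numeric port (assumed table).
PORT_NAMES = {"imap": 143, "imaps": 993, "pop3": 110, "pop3s": 995, "lmtp": 2003}

CYRUS_CONF = """\
# constructed sample cyrus.conf, mirroring the layout from the post
START {
  recover cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap   cmd="imapd" listen="192.168.1.100:143" prefork=0
  imaps  cmd="imapd -s" listen="imaps" prefork=0
  nuts   cmd="imapd -C /etc/nuts.conf" listen="localhost:143" prefork=0
}
"""

# Constructed imapd.conf files, keyed by path.  The default file uses the
# per-service prefix for imaps; the webmail-only "nuts" service gets its own file.
CONFIGS = {
    "/etc/imapd.conf": """\
tls_cert_file: /path/to/cert.crt
imaps_tls_cert_file: /path/to/cert.crt
allowplaintext: no
""",
    "/etc/nuts.conf": """\
# loopback-only instance for SquirrelMail: no TLS, plaintext auth tolerated
tls_cert_file: disabled
allowplaintext: yes
""",
}


def parse_services(text):
    """Return {name: {"cmd": ..., "listen": ..., "prefork": ...}} from cyrus.conf."""
    services, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("SERVICES"):
            in_block = True
            continue
        if line.startswith("}"):
            in_block = False
            continue
        if in_block:
            name, rest = line.split(None, 1)
            # shlex keeps quoted values such as cmd="imapd -C /etc/nuts.conf" intact
            services[name] = dict(tok.split("=", 1) for tok in shlex.split(rest))
    return services


def parse_imapd_conf(text):
    """Return {key: value} from imapd.conf-style `key: value` lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def alt_config_path(cmd):
    """Return the file given to -C in a service cmd string, or None."""
    argv = shlex.split(cmd)
    if "-C" in argv and argv.index("-C") + 1 < len(argv):
        return argv[argv.index("-C") + 1]
    return None


def effective_setting(name, services, configs, key, default="/etc/imapd.conf"):
    """Value service `name` sees for `key`: its own -C file if any, else the
    default file; inside that file, `name_key` overrides the bare `key`."""
    path = alt_config_path(services[name]["cmd"]) or default
    conf = parse_imapd_conf(configs[path])
    return conf.get(f"{name}_{key}", conf.get(key))


def parse_listen(spec):
    """Normalize listen= into (host, port); host None means every interface."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        host, port = None, spec
    return (host or None, int(PORT_NAMES.get(port, port)))


def listen_conflicts(services):
    """Pairs of services that would contend for the same socket."""
    bound = [(n, *parse_listen(a["listen"])) for n, a in services.items()]
    conflicts = []
    for i, (n1, h1, p1) in enumerate(bound):
        for n2, h2, p2 in bound[i + 1:]:
            # same port on the same host, or on a wildcard that covers the other
            if p1 == p2 and (h1 == h2 or h1 is None or h2 is None):
                conflicts.append((n1, n2, p1))
    return conflicts


if __name__ == "__main__":
    svc = parse_services(CYRUS_CONF)
    print("conflicts:", listen_conflicts(svc))
    for name in svc:
        for key in ("tls_cert_file", "allowplaintext"):
            print(f"{name:6} {key:15} -> {effective_setting(name, svc, CONFIGS, key)}")
```

Changing the loopback service to `listen="143"` (every interface) makes `listen_conflicts` report it against the public `imap` service, which is the IP/port clash the post warns about; the report also makes it easy to confirm that the webmail-only service is the only one with TLS off and plaintext allowed.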
