non-encrypted for local queries

Raphael Jaffey rjaffey at artic.edu
Wed Mar 17 12:34:14 EDT 2010


Or, in the event you're only allowing access to port 143 from loopback 
and possibly a trusted LAN, you can also use:

imap_allowplaintext: yes
imap_sasl_minimum_layer: 0

in /etc/imapd.conf as port 993 is always protected.

We use

tls_cipher_list: !ADH:MEDIUM:HIGH

in /etc/imapd.conf, so sufficient encryption is required over SSL 
connections anyway.

Rafe

Dan White wrote:
> On 17/03/10 10:11 -0500, Raphael Jaffey wrote:
>> Use the following as the only "imapd" command configured in 
>> /etc/cyrus.conf to accept connections from localhost only:
>>
>> imap          cmd="imapd" listen="[127.0.0.1]:imap" prefork={number}
>>
>> You can restrict access to hosts from the LAN without using the 
>> firewall using at least a couple of methods:
>>
>> 1) Assuming cyrus was compiled with libwrap support, you can restrict 
>> access to the imap service in /etc/hosts.allow (or /etc/hosts.deny).
>>
>> 2) If the LAN you mentioned below is private (no access from other 
>> subnets and networks), you can use the following in /etc/cyrus.conf in 
>> addition to the entry I mentioned above:
>>
>> imap          cmd="imapd" listen="[{LAN-interface-address}]:imap" prefork={number}
> 
> Assuming that you have allowplaintext set to no, to disallow plaintext
> logins externally, then you'll want to add a '-p xxx' to the cyrus.conf
> entry that Raphael suggested (inside the cmd field), which will direct
> imapd to assume there is some protection layer for your local/LAN
> connections. See imapd(8).
> 

-- 
___________________________________________________________________________
Raphael Jaffey                             E-mail: rjaffey at artic.edu
Director of Network Services
The Art Institute of Chicago                Voice: (312) 629-6543
111 S. Michigan Ave, Chicago, IL  60603       FAX: (312) 641-3406
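
Added example (not part of the original message, and not Cyrus project code): a small audit that reads cyrus.conf and imapd.conf text and reports any non-TLS imapd listener that accepts plaintext logins on an address outside loopback or a trusted network. The function names, the `imaplan` service name and the 192.0.2.x addresses are constructed for illustration. It assumes that an unset allowplaintext means "no" (the default differs between Cyrus versions) and, following the thread, that any `-p` in the cmd field makes imapd accept plaintext.

```python
import ipaddress
import re
import shlex

# Constructed sample input; service names and addresses are illustrative.
SAMPLE_CYRUS = '''
  imap     cmd="imapd" listen="[127.0.0.1]:imap" prefork=1
  imaplan  cmd="imapd -p 2" listen="[192.0.2.10]:imap" prefork=1
  imaps    cmd="imapd -s" listen="imaps" prefork=1
'''
SAMPLE_IMAPD = "imap_allowplaintext: yes\nimap_sasl_minimum_layer: 0\n"

def parse_imapd_conf(text):
    """Return {option: value} from 'key: value' lines, skipping comments."""
    pairs = (l.split(":", 1) for l in text.splitlines()
             if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_services(text):
    """Yield (name, argv, listen) for cyrus.conf lines carrying cmd= and listen=."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if fields.get("cmd") and "listen" in fields:
            yield line.split()[0], shlex.split(fields["cmd"]), fields["listen"]

def listen_host(listen):
    """'[127.0.0.1]:imap' -> '127.0.0.1'; bare 'imap' -> None (all interfaces)."""
    m = re.match(r"\[([^\]]+)\]|([^:]+):", listen)
    return (m.group(1) or m.group(2)) if m else None

def is_trusted(host, cidrs):
    try:
        addr = ipaddress.ip_address(host or "")
    except ValueError:  # wildcard bind or unresolved hostname: not trusted
        return False
    return addr.is_loopback or any(addr in ipaddress.ip_network(c) for c in cidrs)

def audit(cyrus_conf, imapd_conf, trusted_cidrs=()):
    """Return [(service, address)] where plaintext IMAP login is exposed."""
    opts = parse_imapd_conf(imapd_conf)
    findings = []
    for name, argv, listen in parse_services(cyrus_conf):
        if argv[0].endswith("imapd") and "-s" not in argv:  # -s is TLS-wrapped imaps
            allow = opts.get(name + "_allowplaintext", opts.get("allowplaintext", "no"))
            # -p tells imapd an outer protection layer exists, so plaintext is accepted
            plaintext = allow.lower() in ("yes", "on", "true", "1") or "-p" in argv
            if plaintext and not is_trusted(listen_host(listen), trusted_cidrs):
                findings.append((name, listen_host(listen) or "*"))
    return findings
```

Passing the LAN prefix as `trusted_cidrs` (for the sample, `["192.0.2.0/24"]`) clears the `imaplan` finding; a listener with no address in `listen=` is reported as `*`.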

