Odd problem: IMAP/S suddenly not working, but no errors, and IMAP still works

Chris Pepper pepper at cbio.mskcc.org
Mon Nov 1 11:27:07 EDT 2010


On 11/1/10 10:41 AM, Dan White wrote:
> On 31/10/10 20:51 -0400, Chris Pepper wrote:
>> Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>> 143? I was blocking external access to it to make sure users always use
>> encryption to connect, but port 143 with STARTTLS required would be an
>> acceptable alternative.
>
> You can set 'allowplaintext: 0' to disallow plaintext logins over port 143.
> That would require clients to perform a STARTTLS, or negotiate a SASL
> security layer which meets your 'sasl_minimum_layer:' setting.

	Excellent, thanks!

> allowplaintext: 0

	I am leaving sasl_minimum_layer at default for now. LOGINDISABLED before STARTTLS is encouraging, but I don't know why "Authentication failed. generic failure" *after* STARTTLS. On the other hand, with "allowplaintext: 0" and after restarting cyrus-imapd, I can still get mail, so I suspect this is exactly what I wanted.

Thanks,

Chris

> [root@inspector ~]# imtest -u pepper -t "" localhost
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] mail.reppep.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> S: C01 OK Completed
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=LOGIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> S: C01 OK Completed
> Please enter your password:
> C: A01 AUTHENTICATE PLAIN ****
> S: A01 NO authentication failure
> Authentication failed. generic failure
> Security strength factor: 256

-- 
Chris Pepper:                <http://cbio.mskcc.org/>
                              <http://www.extrapepperoni.com/>
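
Added example, not part of the original message and not Cyrus code: a small Python check that reads an imtest-style transcript like the one quoted above and reports what the server advertises before and after STARTTLS. The function names are hypothetical, the first sample is abridged from the session in this post, and the second sample is constructed for contrast.

```python
import re

# SASL mechanisms that transmit the password itself; safe only inside TLS.
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

def parse_capabilities(line):
    """Capability atoms from an IMAP greeting or untagged CAPABILITY response."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]|\* CAPABILITY (.*)", line)
    return set((m.group(1) or m.group(2)).upper().split()) if m else set()

def audit_transcript(text):
    """Check what an imtest-style session advertises before and after STARTTLS."""
    pre, post, in_tls = set(), set(), False
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted transcripts
        if line.startswith("TLS connection established"):
            in_tls = True
        elif line.startswith("S:"):
            (post if in_tls else pre).update(parse_capabilities(line))
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered on the cleartext port")
    if "LOGINDISABLED" not in pre:
        findings.append("LOGIN permitted before STARTTLS")
    for mech in sorted(PLAINTEXT_MECHS & pre):
        findings.append(mech + " advertised before STARTTLS")
    return {
        "findings": findings,
        # Mechanisms a client can still pick without upgrading to TLS.
        "pre_tls_mechs": sorted(c for c in pre if c.startswith("AUTH=")),
        "post_tls_plain": sorted(PLAINTEXT_MECHS & post),
    }

# Abridged from the session quoted in the post (allowplaintext: 0).
HARDENED = """\
S: * OK [CAPABILITY IMAP4 IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=LOGIN SASL-IR
"""

# Constructed counter-example: what a server allowing plaintext logins might advertise.
PERMISSIVE = """\
S: * OK [CAPABILITY IMAP4 IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR] server ready
"""

if __name__ == "__main__":
    for name, t in (("hardened", HARDENED), ("permissive", PERMISSIVE)):
        print(name, audit_transcript(t))
```

The `pre_tls_mechs` list is worth reading alongside `sasl_minimum_layer`: DIGEST-MD5 and CRAM-MD5 remain on offer before STARTTLS in the session above.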


