Odd problem: IMAP/S suddenly not working, but no errors, and IMAP still works
Dan White
dwhite at olp.net
Mon Nov 1 11:55:08 EDT 2010
On 01/11/10 11:27 -0400, Chris Pepper wrote:
>On 11/1/10 10:41 AM, Dan White wrote:
>>On 31/10/10 20:51 -0400, Chris Pepper wrote:
>>>Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>>>143? I was blocking external access to it to make sure users always use
>>>encryption to connect, but port 143 with STARTTLS required would be an
>>>acceptable alternative.
>>
>>You can set 'allowplaintext: 0' to disallow plaintext logins over port 143.
>>That would require clients to perform a STARTTLS, or negotiate a SASL
>>security layer which meets your 'sasl_minimum_layer:' setting.
>
> Excellent, thanks!
>
>>allowplaintext: 0
>
>I am leaving sasl_minimum_layer at default for now. LOGINDISABLED before
>STARTTLS is encouraging, but I don't know why "Authentication failed.
>generic failure" *after* STARTTLS. On the other hand, with
>"allowplaintext: 0" and after restarting cyrus-imapd, I can still get
>mail, so I suspect this is exactly what I wanted.
After sending the first email, I noticed that you have a
sasl_pwcheck_method of saslauthd in your config. You probably also want a
'sasl_mech_list: plain login'. If you're depending on saslauthd to perform
your authentication, digest-md5 and cram-md5 should always fail.
--
Dan White
More information about the Info-cyrus
mailing list