Disallow cleartext on the wire
Andrew Morgan
morgan at orst.edu
Sun Jan 9 17:49:01 EST 2011
On Sun, 9 Jan 2011, jonr at destar.net wrote:
> Hello List!
>
> I am going mad, mad as in crazy.
>
> CentOS 5.5
>
> Sendmail 8.13.8/8.13.8
>
> cyrus-imapd.x86_64 -2.3.7-7.el5_4.3
> cyrus-imapd-devel.x86_64 -2.3.7-7.el5_4.3
> cyrus-imapd-perl.x86_64 -2.3.7-7.el5_4.3
> cyrus-imapd-utils.x86_64 -2.3.7-7.el5_4.3
>
> cyrus-sasl.x86_64 -2.1.22-5.el5_4.3
> cyrus-sasl-devel.x86_64 -2.1.22-5.el5_4.3
>
> cyrus-sasl-gssapi.x86_64 -2.1.22-5.el5_4.3
> cyrus-sasl-lib.x86_64 -2.1.22-5.el5_4.3
> cyrus-sasl-md5.x86_64 -2.1.22-5.el5_4.3
> cyrus-sasl-plain.x86_64 -2.1.22-5.el5_4.3
>
>
> I am using Thunderbird to test with. I want to completely disallow logins
> without TLS for IMAP.
>
> This is my /etc/imapd.conf
>
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd auxprop
>
>
> sasl_mech_list: LOGIN PLAIN
> allowplainwithouttls: 0
> allowanonymouslogins: 0
> virtdomains: userid
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
>
>
> I think maybe I am confused here. I thought 'allowplainwithouttls: 0'
> would not allow cleartext passwords but now I am thinking it means
> only the PLAIN mech.
>
> Is that correct?
>
> If that is the case, how do I configure the server to only accept
> PLAIN LOGIN only if there is SSL/TLS present? Right now when I do a
> packet capture on the session I can see the username and password in
> cleartext inside of my capture file.
allowplaintext: 0
Allow the use of cleartext passwords on the wire.
The default changed back in 2.3.something to disallow plaintext passwords
by default. If you want to make sure, set it in imapd.conf as:
allowplaintext: 0
This will require an SSF > 0, which means either digest authentication or a
protection layer like TLS or SSL.
When you connect without TLS on the standard imap port, you'll see the
following in the CAPABILITY response:
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://xxx.oregonstate.edu/ STARTTLS LOGINDISABLED COMPRESS=DEFLATE] xxx.oregonstate.edu Cyrus IMAP Murder v2.3.15 server ready
Notice the LOGINDISABLED part.
After TLS is negotiated, a full CAPABILITY response is returned:
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://xxx.oregonstate.edu/ AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE URLAUTH
Notice the AUTH=PLAIN part.
Andy