Disallow cleartext on the wire

Raphael Jaffey rjaffey at artic.edu
Sun Jan 9 19:17:00 EST 2011


jonr at destar.net wrote:
> Hello List!
> 
> I am going mad, mad as in crazy.
> 
> CentOS 5.5
> 
> Sendmail 8.13.8/8.13.8
> 
> cyrus-imapd.x86_64        -2.3.7-7.el5_4.3
> cyrus-imapd-devel.x86_64  -2.3.7-7.el5_4.3
> cyrus-imapd-perl.x86_64   -2.3.7-7.el5_4.3
> cyrus-imapd-utils.x86_64  -2.3.7-7.el5_4.3
> 
> cyrus-sasl.x86_64         -2.1.22-5.el5_4.3
> cyrus-sasl-devel.x86_64   -2.1.22-5.el5_4.3
> 
> cyrus-sasl-gssapi.x86_64  -2.1.22-5.el5_4.3
> cyrus-sasl-lib.x86_64     -2.1.22-5.el5_4.3
> cyrus-sasl-md5.x86_64     -2.1.22-5.el5_4.3
> cyrus-sasl-plain.x86_64   -2.1.22-5.el5_4.3
> 
> 
> I am using Thunderbird to test with. I want to completely disallow logins  
> without TLS for IMAP.
> 
> This is my /etc/imapd.conf
> 
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd auxprop
> 
> 
> sasl_mech_list: LOGIN PLAIN
> allowplainwithouttls: 0
> allowanonymouslogins: 0
> virtdomains: userid
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> 
> 
> I think maybe I am confused here. I thought 'allowplainwithouttls: 0'  
> would not allow cleartext passwords but now I am thinking it means  
> only the PLAIN mech.
> 
> Is that correct?
> 
> If that is the case, how do I configure the server to only accept  
> PLAIN LOGIN only if there is SSL/TLS present? Right now when I do a  
> packet capture on the session I can see the username and password in  
> cleartext inside of my capture file.
> 
> Thanks for any help,
> 
> Jon
> 
> 
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/

It's been a while since I set this up, but I found I also needed to use 
the following:

sasl_minimum_layer: 128

Perhaps it's unnecessary at this point...

Cheers,
Rafe
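One way to verify what the server actually advertises on a plain TCP connection, which is what decides whether a client can send LOGIN or AUTH=PLAIN in the clear before STARTTLS. This is an added example, not code from the thread or from Cyrus; it uses Python's standard imaplib, and the two sample CAPABILITY lines are constructed, not captured from the poster's server.

```python
import imaplib
import sys

# SASL mechanisms that carry the password in the clear (protected only by TLS).
CLEARTEXT_MECHS = ("AUTH=PLAIN", "AUTH=LOGIN")


def parse_capability_line(line):
    """Turn a raw '* CAPABILITY ...' response into a list of upper-cased tokens."""
    tokens = line.strip().split()
    if len(tokens) >= 2 and tokens[0] == "*" and tokens[1].upper() == "CAPABILITY":
        tokens = tokens[2:]
    return [t.upper() for t in tokens]


def cleartext_auth_exposed(capabilities):
    """List the ways a client could send a password in the clear, given the
    capabilities advertised BEFORE STARTTLS. An empty list is the desired state:
    STARTTLS offered, LOGIN disabled, no plaintext SASL mechanism listed."""
    caps = {c.upper() for c in capabilities}
    problems = []
    if "STARTTLS" not in caps:
        problems.append("STARTTLS not advertised")
    if "LOGINDISABLED" not in caps:
        problems.append("LOGIN command enabled before STARTTLS")
    for mech in CLEARTEXT_MECHS:
        if mech in caps:
            problems.append(f"{mech} offered before STARTTLS")
    return problems


def check_server(host, port=143):
    """Connect on plain TCP and inspect the pre-STARTTLS capability list.
    imaplib issues CAPABILITY on connect, so no STARTTLS has happened yet."""
    conn = imaplib.IMAP4(host, port)
    try:
        return cleartext_auth_exposed(conn.capabilities)
    finally:
        conn.logout()


# Constructed sample responses (not captured from a real server).
SAMPLE_BAD = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"
SAMPLE_GOOD = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        problems = check_server(sys.argv[1])  # e.g. python3 check.py imap.example.org
    else:
        problems = cleartext_auth_exposed(parse_capability_line(SAMPLE_BAD))
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it against the server after changing imapd.conf and restarting; a zero exit means the pre-STARTTLS banner no longer offers any cleartext path, independent of what Thunderbird chooses to do.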
