Disallow cleartext on the wire
jonr at destar.net
Sun Jan 9 19:55:02 EST 2011
Quoting Andrew Morgan <morgan at orst.edu>:
> On Sun, 9 Jan 2011, jonr at destar.net wrote:
>
>> Hello List!
>>
>> I think maybe I am confused here. I thought 'allowplainwithouttls: 0'
>> would not allow cleartext passwords but now I am thinking it means
>> only the PLAIN mech.
>>
>> Is that correct?
>>
>> If that is the case, how do I configure the server to only accept
>> PLAIN LOGIN only if there is SSL/TLS present? Right now when I do a
>> packet capture on the session I can see the username and password in
>> cleartext inside of my capture file.
>
> allowplaintext: 0
> Allow the use of cleartext passwords on the wire.
>
> The default changed back in 2.3.something to disallow plaintext
> passwords by default. If you want to make sure, set it in
> imapd.conf as:
>
> allowplaintext: 0
>
> This will require an SSF > 0, which means either digest
> authentication or a protection layer like TLS and SSL.
>
> When you connect without TLS on the standard imap port, you'll see
> the following in the CAPABILITY response:
>
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID
> MUPDATE=mupdate://xxx.oregonstate.edu/ STARTTLS LOGINDISABLED
> COMPRESS=DEFLATE] xxx.oregonstate.edu Cyrus IMAP Murder v2.3.15
> server ready
>
> Notice the LOGINDISABLED part.
>
> After TLS is negotiated, a full CAPABILITY response is returned:
>
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID
> MUPDATE=mupdate://xxx.oregonstate.edu/ AUTH=PLAIN SASL-IR ACL
> RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
> SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
> CATENATE CONDSTORE SCAN IDLE URLAUTH
>
> Notice the AUTH=PLAIN part.
>
> Andy
>
Perfect, thanks Andy.
Jon
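An offline check of the two CAPABILITY responses Andy pasted, added here as an example that is not part of the original thread: it parses either a greeting or an untagged CAPABILITY line and flags whether a password could leave the client unprotected. The `audit_live` helper, its host and port arguments, and the use of Python's `imaplib` are assumptions, not anything from the thread.

```python
"""Audit IMAP CAPABILITY data for cleartext-login exposure (example code)."""
import imaplib
import re
import ssl

# Constructed samples shaped like the responses quoted in the thread;
# the host name is a placeholder.
PRE_TLS_GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID "
    "MUPDATE=mupdate://xxx.oregonstate.edu/ STARTTLS LOGINDISABLED "
    "COMPRESS=DEFLATE] xxx.oregonstate.edu Cyrus IMAP Murder v2.3.15 server ready"
)
POST_TLS_CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID "
    "MUPDATE=mupdate://xxx.oregonstate.edu/ AUTH=PLAIN SASL-IR ACL "
    "RIGHTS=kxte QUOTA NAMESPACE UIDPLUS IDLE"
)


def parse_capabilities(line: str) -> set[str]:
    """Return the capability atoms from '* OK [CAPABILITY ...]' or '* CAPABILITY ...'."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)", line)
    if not m:
        raise ValueError("no CAPABILITY data in line")
    return set(m.group(1).split())


def cleartext_login_possible(caps: set[str], tls_active: bool) -> bool:
    """True if a client on this connection could send a password in the clear:
    no TLS yet, and either LOGIN is still enabled or a plaintext SASL mech
    (PLAIN/LOGIN) is advertised. With allowplaintext: 0 the pre-TLS greeting
    should make this return False."""
    if tls_active:
        return False
    plain_mechs = {"AUTH=PLAIN", "AUTH=LOGIN"}
    return "LOGINDISABLED" not in caps or bool(caps & plain_mechs)


def audit_live(host: str, port: int = 143) -> dict:
    """Assumed helper: capture capabilities before and after STARTTLS on a
    real server (not exercised offline). imaplib refreshes .capabilities
    after a successful starttls()."""
    conn = imaplib.IMAP4(host, port)
    before = set(conn.capabilities)
    conn.starttls(ssl.create_default_context())
    after = set(conn.capabilities)
    conn.logout()
    return {"cleartext_before_tls": cleartext_login_possible(before, False),
            "plain_after_tls": "AUTH=PLAIN" in after}
```

A server that still advertises AUTH=PLAIN or omits LOGINDISABLED in the pre-TLS greeting is the condition Jon saw in his packet capture.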