Disallow cleartext on the wire

Bron Gondwana brong at fastmail.fm
Mon Jan 10 07:32:27 EST 2011

On Mon, Jan 10, 2011 at 07:00:13AM -0500, Adam Tauno Williams wrote:
> On Sun, 2011-01-09 at 14:40 -0800, Dudi Goldenberg wrote:
> > > I am using Thunderbird to test with. I want to completely disallow logins
> > > without TLS for IMAP.
> > Have a look at /etc/cyrus.conf:
> > 
> > Just hash out imap and restart cyrus.
> Incorrect. That disables IMAP (TCP/143) and leaves IMAP-over-SSL.
> Secure IMAP (IMAP w/TLS) still uses TCP/143. IMAP-over-SSL is rather
> hackish.

What war are you trying to win here?  Stopping people using plaintext
connections, or stopping passwords being potentially exposed to snoopers?

Because "Secure IMAP" on port 143 just means that once the user has sent
their plaintext password over the wire already, you tell them to get lost
rather than let them in.  It doesn't stop stupid client programs sending
the plaintext password out in the first place.

IMAP-over-SSL does, because no client sends the password over the network
until it has a TCP connection - and it doesn't get one of them if it tries
to connect to port 143 and you don't have it turned on.

So what's so hackish about IMAP-over-SSL precisely?
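The following is an added example, not code from this thread or from Cyrus: a small Python checker that walks a captured IMAP exchange as it would appear in cleartext on TCP/143 and reports any LOGIN or AUTHENTICATE PLAIN the client sent before STARTTLS had taken effect. It illustrates the point made above: a server that advertises LOGINDISABLED (the RFC 2595 capability) can refuse the login, but a client that ignores the capability has already put the password on the wire. The two sample sessions, the user names and the passwords are constructed for illustration; the `("C"|"S", text)` tuple format is an assumption standing in for lines pulled out of a stream capture.

```python
"""Audit a cleartext IMAP exchange for credentials sent before TLS.

Added example (not from the list thread or from Cyrus). Input is the
readable part of a TCP/143 session as ("C", text) / ("S", text) tuples in
wire order. Sample sessions below are constructed, not real captures.
"""
import re
from dataclasses import dataclass, field

_STARTTLS_RE = re.compile(r"^(?P<tag>\S+)\s+STARTTLS\s*$", re.IGNORECASE)
_LOGIN_RE = re.compile(r"^(?P<tag>\S+)\s+LOGIN\s+\S", re.IGNORECASE)
_AUTH_CLEAR_RE = re.compile(
    r"^(?P<tag>\S+)\s+AUTHENTICATE\s+(PLAIN|LOGIN)\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int   # 1-based position in the session
    reason: str


@dataclass
class SessionReport:
    findings: list = field(default_factory=list)
    logindisabled_advertised: bool = False  # server offered RFC 2595 LOGINDISABLED
    tls_started: bool = False               # a STARTTLS was accepted by the server

    @property
    def credentials_exposed(self) -> bool:
        return bool(self.findings)


def audit_session(lines) -> SessionReport:
    """Flag cleartext credential submissions that precede a successful STARTTLS."""
    report = SessionReport()
    pending_starttls_tag = None
    for n, (who, text) in enumerate(lines, 1):
        if report.tls_started:
            break  # everything after an accepted STARTTLS is ciphertext on the wire
        if who == "S":
            if "LOGINDISABLED" in text.upper():
                report.logindisabled_advertised = True
            # The STARTTLS command is complete once the server answers "<tag> OK".
            if pending_starttls_tag and text.upper().startswith(
                    pending_starttls_tag.upper() + " OK"):
                report.tls_started = True
            continue
        m = _STARTTLS_RE.match(text)
        if m:
            pending_starttls_tag = m.group("tag")
        elif _LOGIN_RE.match(text):
            report.findings.append(
                Finding(n, "LOGIN with cleartext password sent before TLS"))
        elif _AUTH_CLEAR_RE.match(text):
            report.findings.append(
                Finding(n, "AUTHENTICATE PLAIN/LOGIN (base64, not encrypted) sent before TLS"))
    return report


# Constructed session 1: server refuses plaintext logins, client ignores the
# capability and sends LOGIN anyway. The NO comes too late; the password is out.
NAIVE_CLIENT_SESSION = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready"),
    ("C", "a1 LOGIN alice hunter2"),
    ("S", "a1 NO Login disabled until TLS is negotiated"),
]

# Constructed session 2: client honours LOGINDISABLED and upgrades first.
WELL_BEHAVED_SESSION = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready"),
    ("C", "a1 STARTTLS"),
    ("S", "a1 OK Begin TLS negotiation now"),
    ("C", "<ciphertext>"),  # not readable; the audit stops before this line
]


if __name__ == "__main__":
    for name, session in (("naive client", NAIVE_CLIENT_SESSION),
                          ("well-behaved client", WELL_BEHAVED_SESSION)):
        r = audit_session(session)
        print(f"{name}: LOGINDISABLED={r.logindisabled_advertised} "
              f"tls_started={r.tls_started} exposed={r.credentials_exposed}")
        for f in r.findings:
            print(f"  line {f.line_no}: {f.reason}")
```

Run against the first session the checker reports the password as exposed even though the server advertised LOGINDISABLED and answered NO; against the second it reports nothing, because the client upgraded before authenticating. An implicit-TLS listener (IMAPS on 993 with nothing on 143) never produces a cleartext stream for this audit to read, which is the distinction the message above draws.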