Disallow cleartext on the wire
brong at fastmail.fm
Mon Jan 10 16:56:01 EST 2011
On Mon, Jan 10, 2011 at 11:22:51AM -0600, Dan White wrote:
> On 10/01/11 23:32 +1100, Bron Gondwana wrote:
> >On Mon, Jan 10, 2011 at 07:00:13AM -0500, Adam Tauno Williams wrote:
> >>On Sun, 2011-01-09 at 14:40 -0800, Dudi Goldenberg wrote:
> >>> >I am using Thunderbird to test with. I want completely disallow logins
> >>> >without TLS for IMAP.
> >>> Have a look at /etc/cyrus.conf:
> >>> Just hash out imap and restart cyrus.
> >>Incorrect. That disables IMAP (TCP/143) and leaves IMAP-over-SSL.
> >>Secure IMAP (IMAP w/TLS) still uses TCP/143. IMAP-over-SSL is rather
> >What war are you trying to win here? Stopping people using plaintext
> >connections, or stopping passwords being potentially exposed to snoopers?
> >Because "Secure IMAP" on port 143 just means that once the user has sent
> >their plaintext password over the wire already, you tell them to get lost
> >rather than let them in. It doesn't stop stupid client programs sending
> >the plaintext password out in the first place.
> That was addressed in RFC 3501, section 7.2.1 and presumably why the
> LOGINDISBLED response was created.
> If there are any imap clients that send over-the-wire cleartext passwords
> when server policy forbids it, then that would be grounds for a CVE report
> on that client.
> Running IMAP over 143 should be safe from over the wire snooping, if the
> server is properly configured.
Yeah, that's what's known as "wishful thinking" I suspect. Has anyone
actually done any testing on this?
> >IMAP-over-SSL does, because no client sends the password over the network
> >until it has a TCP connection - and it doesn't get one of them if it tries
> >to connect to port 143 and you don't have it turned on.
> >So what's so hackish about IMAP-over-SSL precisely?
> RFC 2595 discourages it and lists some reasons.
Sorry, I don't buy any of those reasons. "The server may be using a low
grade cipher" - so layer a better one inside, or don't use such an ancient
server. I think that's a past artifact. The "Secure vs Non-Secure" client
interface issues is a boat that's sailed sorry. Besides more clients are
auto-configuring anyway (see Thunderbird's ability to query a URL to get
configuration parameters) - or just probing both ports one-off and selecting
the SSL one if available.
Port numbers are a limited resource - ok, I'll credit that one - but the fact
is that you can't really take them back now. They're in use widely enough
that it's not going to change any time soon.
Sorry - there's wishful thinking, and there's the reality - and the reality
is that enabling just port 993 is safe against poor implementation in the way
that hoping everyone checked for "LOGINDISABLED" isn't.
More information about the Info-cyrus