TLS for proxy IMAP connections

Andrew Morgan morgan at orst.edu
Wed Oct 17 16:33:09 EDT 2012


On Mon, 15 Oct 2012, Andrew Morgan wrote:

> I run a standard Cyrus Murder on v2.4.16.  When I have "allowplaintext:0"
> on my frontends and "allowplaintext:1" on my backends, the frontends will
> not use TLS when proxying the connection to a backend, even if the
> frontend connection from the client used TLS or SSL.
>
> When I set "allowplaintext:0" on the backend, then the frontend will use
> TLS for the proxy connection.
>
> Shouldn't the frontend attempt to use TLS for the proxy connection if
> STARTTLS is advertised?

Digging through the 2.4.16 source code, I see this in imap/backend.c:

         /* If we don't have a usable mech, do TLS and try again */
     } while (r == SASL_NOMECH && CAPA(s, CAPA_STARTTLS) &&
              do_starttls(s, &prot->tls_cmd) != -1 &&

So it appears that backend_authenticate will only use TLS if it is 
required.  I'll look into changing my allowplaintext setting to require 
TLS/SSL.

> On a related note, will a frontend ever make an IMAP-SSL proxy connection
> to a backend?  I ask because I want to set my maxchild parameter correctly
> on my backends.  Right now, all connections seem to be proxied to the
> "imap" service and none are made on the "imaps" service.

In my testing, even with allowplaintext:0 on the backend, an IMAP-SSL 
(port 993) frontend connection uses an IMAP-TLS (port 143 with STARTTLS) 
backend connection.

This is fine.  I just needed to know so I can set maxchild correctly on my 
backends.

 	Andy
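To make the behaviour discussed in this thread concrete, here is an added example (not code from the mailing list or from Cyrus itself) that models the do/while loop quoted from imap/backend.c: the frontend only falls back to STARTTLS when no SASL mechanism it can use is advertised (SASL_NOMECH). The CAPABILITY lines are constructed samples, and the assumption that a backend with allowplaintext:0 hides AUTH=PLAIN behind LOGINDISABLED until STARTTLS completes is a simplification of the real server.

```python
# Constructed sample CAPABILITY responses (hypothetical, not captured from a
# real Cyrus backend). With allowplaintext:1 the backend advertises AUTH=PLAIN
# on the cleartext connection; with allowplaintext:0 it advertises
# LOGINDISABLED and only exposes AUTH=PLAIN after STARTTLS.
CAPS_PLAINTEXT_ALLOWED = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"
CAPS_PLAINTEXT_DENIED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
CAPS_AFTER_STARTTLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"


def parse_capabilities(line):
    """Return (set of AUTH= mechanisms, STARTTLS advertised?) for one
    untagged CAPABILITY response line."""
    tokens = line.split()
    mechs = {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}
    return mechs, "STARTTLS" in tokens


def simulate_backend_authenticate(pre_tls_caps, post_tls_caps, client_mechs):
    """Simplified model of the loop in imap/backend.c (2.4.16):
    pick a usable mechanism from the current capabilities; only when
    none is usable (SASL_NOMECH) and STARTTLS is advertised does the
    frontend upgrade to TLS and try once more.
    Returns (chosen_mechanism or None, whether TLS was negotiated)."""
    used_tls = False
    caps = pre_tls_caps
    while True:
        mechs, starttls = parse_capabilities(caps)
        # Prefer the frontend's own mechanism order (assumed: proxy uses PLAIN).
        usable = next((m for m in client_mechs if m in mechs), None)
        if usable is not None:
            return usable, used_tls
        if used_tls or not starttls:
            return None, used_tls  # no mechanism even after TLS: auth fails
        used_tls = True  # do_starttls() succeeded; re-read capabilities
        caps = post_tls_caps


if __name__ == "__main__":
    for label, caps in (("allowplaintext:1", CAPS_PLAINTEXT_ALLOWED),
                        ("allowplaintext:0", CAPS_PLAINTEXT_DENIED)):
        mech, tls = simulate_backend_authenticate(caps, CAPS_AFTER_STARTTLS, ["PLAIN"])
        print(f"backend {label}: mech={mech} proxy connection uses TLS={tls}")
```

The first case reproduces the complaint in the thread: with a backend that still offers AUTH=PLAIN in the clear, the proxy authenticates without ever issuing STARTTLS, which is why setting allowplaintext:0 on the backend is what forces TLS on the frontend-to-backend hop.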
