TLS for proxy IMAP connections
Andrew Morgan
morgan at orst.edu
Wed Oct 17 16:33:09 EDT 2012
On Mon, 15 Oct 2012, Andrew Morgan wrote:
> I run a standard Cyrus Murder on v2.4.16. When I have "allowplaintext:0"
> on my frontends and "allowplaintext:1" on my backends, the frontends will
> not use TLS when proxying the connection to a backend, even if the
> frontend connection from the client used TLS or SSL.
>
> When I set "allowplaintext:0" on the backend, then the frontend will use
> TLS for the proxy connection.
>
> Shouldn't the frontend attempt to use TLS for the proxy connection if
> STARTTLS is advertised?
Digging through the 2.4.16 source code, I see this in imap/backend.c:
/* If we don't have a usable mech, do TLS and try again */
} while (r == SASL_NOMECH && CAPA(s, CAPA_STARTTLS) &&
do_starttls(s, &prot->tls_cmd) != -1 &&
So it appears that backend_authenticate will only use TLS if it is
required. I'll look into changing my allowplaintext setting to require
TLS/SSL.
> On a related note, will a frontend ever make an IMAP-SSL proxy connection
> to a backend? I ask because I want to set my maxchild parameter correctly
> on my backends. Right now, all connections seem to be proxied to the
> "imap" service and none are made on the "imaps" service.
In my testing, even with allowplaintext:0 on the backend, an IMAP-SSL
(port 993) frontend connection uses an IMAP-TLS (port 143 with STARTTLS)
backend connection.
This is fine. I just needed to know so I can set maxchild correctly on my
backends.
Andy
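As an added illustration (not code from Cyrus or from the post above), here is a simplified Python model of the retry loop quoted from imap/backend.c: a frontend first tries SASL against whatever mechanisms the backend advertises and only falls back to STARTTLS when that yields SASL_NOMECH. The Backend class, its mechanism list (plaintext mechs offered only when encrypted or allowplaintext is set), and the assumption that the frontend can only use PLAIN are constructed for the model and are not the real Cyrus behaviour in every detail.

```python
# Simplified model of the Cyrus 2.4 proxy-auth loop discussed above.
# Assumption: the real backend_authenticate() also handles EXTERNAL, TLS-required
# mechanisms and SASL security properties; this only models the NOMECH -> STARTTLS retry.

SASL_OK = "SASL_OK"
SASL_NOMECH = "SASL_NOMECH"


class Backend:
    """Constructed stand-in for a Cyrus backend's advertised capabilities."""

    def __init__(self, allowplaintext, starttls=True):
        self.allowplaintext = allowplaintext  # backend's imapd.conf setting (0/1)
        self.starttls = starttls              # backend advertises STARTTLS
        self.tls_active = False               # set once do_starttls succeeds

    def mechs(self):
        # Plaintext mechanisms are only advertised once the connection is
        # encrypted, or when allowplaintext:1 (assumption: no other mechs).
        if self.tls_active or self.allowplaintext:
            return ["PLAIN", "LOGIN"]
        return []


def sasl_client_start(offered, usable):
    """Stand-in for sasl_client_start(): OK if any offered mech is usable."""
    return SASL_OK if any(m in usable for m in offered) else SASL_NOMECH


def backend_authenticate(backend, frontend_mechs=("PLAIN",)):
    """Return (sasl result, whether TLS was negotiated), mirroring the
    '} while (r == SASL_NOMECH && CAPA(s, CAPA_STARTTLS) && do_starttls(...) != -1 ...)'
    loop: TLS is attempted only after a failed plaintext SASL start."""
    while True:
        r = sasl_client_start(backend.mechs(), frontend_mechs)
        if r == SASL_NOMECH and backend.starttls and not backend.tls_active:
            backend.tls_active = True  # do_starttls() succeeded; try again
            continue
        return r, backend.tls_active


def proxy_is_plaintext(backend_allowplaintext, backend_starttls=True):
    """Config check: would a frontend authenticate to this backend unencrypted?"""
    r, tls = backend_authenticate(Backend(backend_allowplaintext, backend_starttls))
    return r == SASL_OK and not tls


if __name__ == "__main__":
    for setting in (1, 0):
        print(f"backend allowplaintext:{setting} -> plaintext proxy:",
              proxy_is_plaintext(setting))
```

With allowplaintext:1 the first SASL attempt succeeds so STARTTLS is never reached; with allowplaintext:0 the backend offers nothing in the clear, the first attempt returns NOMECH and the frontend upgrades to TLS before retrying.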