--On Wednesday, July 30, 2003 1:13 PM +0100 Matt Bernstein <mb/[EMAIL PROTECTED]> wrote:

At 13:47 +0200 Sebastian Hagedorn wrote:

--On Wednesday, 30 July 2003 12:21 +0100 Matt Bernstein
<mb/[EMAIL PROTECTED]> wrote:

I forgot to say that at present we still need the use of the PLAIN
mechanism. Is it possible to only accept PLAIN (and LOGIN, for that
matter) after TLS or on the imaps port?

Sure:

allowplaintext: no

Wrong.

      allowplaintext: yes
            Allow the use of the SASL PLAIN mechanism.

Sorry.
Matt

Actually, I believe you were right the first time around, with "no" being the correct answer. I believe setting it to "no" means that you can't connect to the standard IMAP port and issue a plain text login without first issuing a STARTTLS command. Going to the IMAPS port is no issue. This is how we have it configured on our systems and it works as desired.

Part of the questions I have seen related to the topic (I haven't followed
the discussion all that closely) is two-fold:

 1) Only allow plain text logins from localhost (meaning, you can login
       on the IMAP port without using STARTTLS):

SOLUTION:

    In /etc/imapd.conf (the default file), have allowplaintext:no in it.
    In another config file, maybe /etc/imapd-local.conf, have yes as the
    value of that parameter.  Then in your cyrus.conf file, you can call
    the services like the following:

    imap       cmd="imapd" listen="hostname:imap"
    imapp      cmd="imapd -C /etc/imapd-local.conf" listen="localhost:imap"
    imaps      cmd="imapd -s" listen="imaps"

    This is off the top of my head, so you might want to check the man
    pages to make sure I have it right.  You have to specify your machine's
    hostname in the listen parameter of "imap", since the default is to
    listen on all interfaces (including localhost), thus causing the next
    line to likely fail with a bind error.

 2) How to accept plain text logins only after SSL/TLS has been initiated.
    SOLUTION is described above with allowplaintext:no in the config file.

Scott
--
+-----------------------------------------------------------------------+
     Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
  UNIX Systems Engineer                  mailto:[EMAIL PROTECTED]
       ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
    PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
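
Added example, not part of the original message or of Cyrus itself: a small Python check for what each listener advertises before TLS, which is how you can confirm that allowplaintext:no took effect on the public listener while the localhost one still accepts PLAIN. It assumes the server signals the policy through the standard CAPABILITY atoms (LOGINDISABLED, AUTH=PLAIN, AUTH=LOGIN); the sample lines and function names are constructed for illustration.

```python
import imaplib

PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

# Constructed samples of what a listener might send before STARTTLS.
SAMPLE_STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5"
SAMPLE_LOOSE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5"
SAMPLE_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready"


def parse_capabilities(line):
    """Return the capability atoms from an untagged CAPABILITY line or a greeting."""
    text = (line.decode() if isinstance(line, bytes) else line).upper()
    idx = text.find("CAPABILITY")
    if idx < 0:
        return set()
    # Greeting form is "* OK [CAPABILITY ...] text": stop at the closing bracket.
    return set(text[idx + len("CAPABILITY"):].split("]")[0].split())


def cleartext_findings(caps):
    """List the ways a pre-TLS capability set still permits a cleartext password."""
    findings = []
    offered = sorted(PLAINTEXT_MECHS & caps)
    if offered:
        findings.append("plaintext SASL offered before TLS: " + ", ".join(offered))
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN command usable in the clear")
    return findings


def check_listener(host, port=143):
    """Live check against one listener; reads capabilities only, never logs in."""
    conn = imaplib.IMAP4(host, port)
    try:
        return cleartext_findings({c.upper() for c in conn.capabilities})
    finally:
        conn.logout()


if __name__ == "__main__":
    for name, sample in (("strict", SAMPLE_STRICT), ("loose", SAMPLE_LOOSE)):
        print(name, cleartext_findings(parse_capabilities(sample)) or "ok")
```

Run check_listener against the machine's hostname and against localhost: with the two-config setup above, only the localhost listener should report findings.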
