I'm currently operating a Cyrus server listening in the following configuration, and authenticating via PLAIN/LOGIN with a saslauthd backend (only relevant config lines listed):
imap cmd="imapd -U 30" listen="localhost:imap" imaps cmd="imapd -s -U 30" listen="imaps" pop3s cmd="pop3d -s -U 30" listen="pop3s"
The IMAPS and POP3S ports are for user interaction, and the IMAP port is for the local webmail client (which operates over apache and mod_ssl). I don't wish to offer any services in an unencrypted format.
My question is, can I offer the IMAP port to any client but configure it such that they are required to STARTTLS to communicate?
Assuming that you want to prevent plaintext passwords from being transmitted in the clear, set the following in imapd.conf:
allowplaintext: no
-- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
