> I'm not quite sure if I understand. I'm using FC3 and
> this is my config file:
>
> imap.conf
> ******************************************************
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus root
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> tls_cert_file: /foo/bar.pem
> tls_key_file: /foo/bar.pem
> tls_ca_file: /foo/bar.crt
> allowanonymouslogin: no
> ******************************************************
>
> So, is this secure or not? When a user logs in, it is
> through SSL? Right? That means the login and
> password are encrypted, and even though the password
> is plain, it's still unreadable by someone with a
> network sniffer because it's encrypted. Right? Wrong?
Whether you have configured SSL/TLS we can't see in imapd.conf; it's in cyrus.conf. Usually it's possible to connect both cleartext and SSL/TLS; you could also prevent people from doing it by different means.

Anyway, if someone connects with SSL/TLS, the password IS secure, as well as the payload. What people usually forget is that with a secure password mech, only the password is protected, not the payload transferred over the wire. Which means if you have important mails, you always want SSL/TLS, and then you can use PLAIN passwords without any problem.

HTH
Simon

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
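An added example, not part of Simon's reply or of the Cyrus distribution: a small Python check that applies the rule above to what an IMAP server actually advertises. The verdict comes from the CAPABILITY list, because that is what a client (or a sniffer) sees: AUTH=PLAIN or a usable LOGIN command on an unencrypted connection means a cleartext password on the wire; only challenge/response mechs in the clear means the password is protected but the mail is not; anything over SSL/TLS is fine. The sample CAPABILITY strings are constructed for this example, and the host/port arguments of the live probe are assumptions.

```python
"""Judge whether an IMAP server would accept a cleartext password.

Added example, not code from the Cyrus list post or the Cyrus project.
It parses the CAPABILITY list an IMAP server advertises and applies the
rule from the thread: PLAIN/LOGIN are only safe once SSL/TLS wraps the
connection, and a password-protecting SASL mech alone leaves the mail
readable. The sample CAPABILITY strings below are constructed samples.
"""
import re
import socket
import ssl

# Constructed sample: what a server offering PLAIN on plain port 143 might
# advertise. Cyrus advertises AUTH=<mech> for each enabled SASL mechanism.
SAMPLE_CLEARTEXT_PLAIN = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS "
    "STARTTLS AUTH=PLAIN"
)
# Constructed sample: cleartext logins refused, only challenge/response
# mechs offered until the client upgrades with STARTTLS.
SAMPLE_LOGINDISABLED = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS "
    "STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5"
)


def parse_capabilities(line):
    """Split a '* CAPABILITY ...' response into a set of upper-case tokens."""
    m = re.match(r"^\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in m.group(1).split()}


def assess(caps, tls_active):
    """Return (verdict, reasons) for a parsed capability set.

    tls_active: True when the socket is already wrapped (imaps, or after a
    successful STARTTLS). Verdicts:
      ok                       - encrypted session, password and mail safe
      cleartext-password-risk  - PLAIN/LOGIN usable on an unencrypted socket
      payload-exposed          - password protected by the mech, mail is not
    """
    reasons = []
    if tls_active:
        reasons.append("TLS active: credentials and mail are encrypted")
        return "ok", reasons
    cleartext_mechs = sorted({"AUTH=PLAIN", "AUTH=LOGIN"} & caps)
    # RFC 2595: a server that will not take LOGIN in the clear says so with
    # LOGINDISABLED; its absence means the LOGIN command is accepted.
    login_allowed = "LOGINDISABLED" not in caps
    if cleartext_mechs or login_allowed:
        if cleartext_mechs:
            reasons.append("cleartext mechs offered: %s" % ", ".join(cleartext_mechs))
        if login_allowed:
            reasons.append("LOGIN command accepted (no LOGINDISABLED)")
        reasons.append("a sniffer sees the password and the mail")
        return "cleartext-password-risk", reasons
    reasons.append("only challenge/response mechs offered in the clear")
    reasons.append("password protected, but mail bodies are NOT")
    if "STARTTLS" in caps:
        reasons.append("STARTTLS available: clients should upgrade first")
    return "payload-exposed", reasons


def fetch_capabilities(host, port=143, use_ssl=False, timeout=10):
    """Live probe (assumed host/port): read greeting, send CAPABILITY,
    return the raw '* CAPABILITY' line. Uses the network; not run offline."""
    sock = socket.create_connection((host, port), timeout)
    if use_ssl:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    f = sock.makefile("rb")
    f.readline()  # server greeting, e.g. "* OK ... Cyrus IMAP4 ..."
    sock.sendall(b"a1 CAPABILITY\r\n")
    cap = None
    while True:
        line = f.readline().decode("utf-8", "replace")
        if not line:
            break
        if line.upper().startswith("* CAPABILITY"):
            cap = line.rstrip("\r\n")
        if line.startswith("a1 "):  # tagged completion of our command
            break
    sock.sendall(b"a2 LOGOUT\r\n")
    sock.close()
    return cap


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check.py imap.example.org [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 143
        raw = fetch_capabilities(sys.argv[1], port, use_ssl=(port == 993))
        print(assess(parse_capabilities(raw), port == 993))
    else:
        for name, raw in (("plain:143", SAMPLE_CLEARTEXT_PLAIN),
                          ("hardened:143", SAMPLE_LOGINDISABLED)):
            print(name, assess(parse_capabilities(raw), tls_active=False))
```

The two constructed samples correspond to the two states the thread contrasts. With sasl_mech_list: PLAIN and nothing stopping cleartext connections, port 143 shows the first picture and any client that does not insist on TLS will send the password readable. On Cyrus the switch that produces the second picture is allowplaintext: no in imapd.conf, which makes imapd advertise LOGINDISABLED and withhold AUTH=PLAIN until a TLS layer is up; pair it with an imaps service in cyrus.conf (or STARTTLS on 143) so the mail itself is encrypted, which is the point Simon makes.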