Jorey Bump wrote:
I'm trying to harden cyrus-imapd by disallowing unencrypted plaintext logins. Here is my imapd.conf:

configdirectory: /var/imap
partition-default: /var/spool/imap
# admins should not receive mail
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
tls_cert_file: /etc/ssl/certs/imapd.pem
tls_key_file: /etc/ssl/certs/imapd.pem
# don't allow plaintext logins without STARTTLS or encryption
allowplaintext: no

This works as expected, but now I can't log in with the command-line cyradm:

cyradm -u cyrus example.com
IMAP Password:
Login only available under a layer at /usr/local/lib/perl5/site_perl/5.8.7/i686-linux/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with  as cyrus

When I change allowplaintext to yes, it works again. I don't want to allow users to send their passwords in the clear, but I want to administer cyrus from the command line. Is there a way to do this?

cyradm doesn't support STARTTLS yet, so you'll have to allow a non-plaintext SASL mech, or run a separate instance of imapd which listens only on localhost and uses its own imapd.conf.localhost which allows plaintext.


--
Kenneth Murchison
Systems Programmer
Carnegie Mellon University
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
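
A sketch of the second option from the reply above (a separate loopback-only imapd with its own config), added here as an example; it is not part of the original thread or the Cyrus project's own files. The /etc paths, the service name imaplocal and port 1143 are assumptions chosen for illustration.

```conf
# --- /etc/cyrus.conf, SERVICES section (constructed example) ---
SERVICES {
  # Public listener: reads the default imapd.conf, where allowplaintext is "no"
  imap       cmd="imapd" listen="imap" prefork=0

  # Admin listener: bound to loopback only and started with its own config file.
  # "imaplocal" and port 1143 are arbitrary names/values for this example.
  imaplocal  cmd="imapd -C /etc/imapd.conf.localhost" listen="127.0.0.1:1143" prefork=0
}

# --- /etc/imapd.conf.localhost (copy of the poster's imapd.conf, one change) ---
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
tls_cert_file: /etc/ssl/certs/imapd.pem
tls_key_file: /etc/ssl/certs/imapd.pem
# Plaintext is allowed here only because this listener never leaves 127.0.0.1
allowplaintext: yes

# --- Administering from a shell on the server itself ---
# cyradm --user cyrus --port 1143 localhost
```

Before relying on this, confirm with netstat or ss that the extra port is bound to 127.0.0.1 only, and that a plaintext LOGIN on the public imap port is still refused.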
