Ken Murchison wrote:
Jorey Bump wrote:

I'm trying to harden cyrus-imapd by disallowing unencrypted plaintext logins. Here is my imapd.conf:

configdirectory: /var/imap
partition-default: /var/spool/imap
# admins should not receive mail
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
tls_cert_file: /etc/ssl/certs/imapd.pem
tls_key_file: /etc/ssl/certs/imapd.pem
# don't allow plaintext logins without STARTTLS or encryption
allowplaintext: no

This works as expected, but now I can't login with the command line cyradm:

cyradm -u cyrus example.com
IMAP Password:
Login only available under a layer at /usr/local/lib/perl5/site_perl/5.8.7/i686-linux/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with  as cyrus

When I change allowplaintext to yes, it works again. I don't want to allow users to send their passwords in the clear, but I want to administer cyrus from the command line. Is there a way to do this?


cyradm doesn't support STARTTLS yet, so you'll have to allow a non-plaintext SASL mech, or run a separate instance of imapd which listens only on localhost and uses its own imapd.conf.localhost which allows plaintext.

Thanks, Ken. Not many email clients support STARTTLS on port 143, either, so I'll continue to restrict my users to port 993 (imaps). I've edited cyrus.conf to bind port 143 to localhost so I can use PLAIN with cyradm:

  imap          cmd="imapd" listen="localhost:imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0

Hopefully cyradm will support STARTTLS when it becomes more popular. Non-plaintext mechanisms are nice, but I want to encrypt the entire transfer, not just the password.


----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
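A way to verify the split-listener setup from this thread, as an added example that is not code from the thread, from Cyrus or from cyradm. It classifies the CAPABILITY line an IMAP server returns (RFC 3501; STARTTLS and LOGINDISABLED from RFC 2595): a listener that refuses plaintext LOGIN before TLS must advertise LOGINDISABLED and should not offer AUTH=PLAIN or AUTH=LOGIN, which is the state one expects from the public port 143 with allowplaintext: no, while the localhost-only port 143 for cyradm and port 993 (read inside TLS) are allowed to offer them. The function names, the listener policy tuples and the sample capability lines are this example's own constructions, not captured output; the live probe uses only the standard imaplib API.

```python
"""Classify IMAP CAPABILITY responses for plaintext-login exposure.

Added example, not code from the thread or from Cyrus. It parses the
capability line an IMAP server returns (RFC 3501; STARTTLS and
LOGINDISABLED from RFC 2595) and reports whether a client could be
induced to send its password in the clear on that listener. The sample
lines are constructed, not captured from a real server."""
import imaplib
import ssl

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(capline):
    """Split a CAPABILITY line into (capability set, SASL mechanism set)."""
    # Strip an optional "* CAPABILITY" prefix and normalise case.
    words = capline.upper().split()
    if words[:2] == ["*", "CAPABILITY"]:
        words = words[2:]
    caps = set(words)
    mechs = {w[len("AUTH="):] for w in caps if w.startswith("AUTH=")}
    return caps, mechs


def plaintext_exposed(capline, encrypted=False):
    """True if a password could cross this connection unencrypted.

    encrypted=True means the capabilities were read after TLS (port 993,
    or after a successful STARTTLS), where PLAIN/LOGIN are acceptable.
    """
    if encrypted:
        return False
    caps, mechs = parse_capabilities(capline)
    # RFC 2595: a server that refuses plaintext LOGIN before TLS says so
    # with LOGINDISABLED; it should also not offer a plaintext SASL mech.
    login_allowed = "LOGINDISABLED" not in caps
    return login_allowed or bool(mechs & PLAINTEXT_MECHS)


def fetch_capabilities(host, port, use_tls):
    """Live probe: return the server's capability line (not used by the test)."""
    if use_tls:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context())
    else:
        conn = imaplib.IMAP4(host, port)
    try:
        return " ".join(conn.capabilities)
    finally:
        conn.logout()


def audit(listeners):
    """Map listener name -> True where plaintext exposure violates its policy.

    listeners: iterable of (name, capline, encrypted, plaintext_ok). The
    localhost-only port 143 from the thread is the one place where
    plaintext_ok should be True.
    """
    violations = {}
    for name, capline, encrypted, plaintext_ok in listeners:
        exposed = plaintext_exposed(capline, encrypted)
        violations[name] = exposed and not plaintext_ok
    return violations


# Constructed capability lines for the listeners discussed in the thread.
SAMPLE_LISTENERS = [
    # Public 143 with allowplaintext: no, read before STARTTLS
    ("public-143", "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI", False, False),
    # localhost-only 143 for cyradm, plaintext allowed on purpose
    ("localhost-143", "IMAP4rev1 AUTH=PLAIN AUTH=LOGIN", False, True),
    # 993 (imaps): capabilities read inside TLS
    ("imaps-993", "IMAP4rev1 AUTH=PLAIN AUTH=LOGIN", True, False),
    # Misconfigured public 143: LOGINDISABLED set but PLAIN still offered
    ("bad-143", "IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN", False, False),
]

if __name__ == "__main__":
    for name, bad in audit(SAMPLE_LISTENERS).items():
        print(f"{name}: {'EXPOSED' if bad else 'ok'}")
```

To run it against a real server, replace the constructed lines with fetch_capabilities("example.com", 143, False) and fetch_capabilities("example.com", 993, True); the localhost listener is checked the same way from the mail host itself. Note that a capability line read after STARTTLS should be passed with encrypted=True, since PLAIN inside the TLS layer is exactly what the setup intends.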
