Jeff Davis wrote:
I'm in the process of getting a new server up and running and would like to force users to IMAPS, even if their client may not be configured to use it.

Can anyone point me in the right direction as to the best way to accomplish this? Or do I need to suck it up and reconfigure the 1000 clients I already have :(

I expose only IMAPS to the Internet, so users must use port 993 in order to retrieve mail. I keep a normal IMAP connection available on localhost for cyradm (I use saslauthd -a shadow for authentication). My cyrus.conf contains these lines in the SERVICES section:

  imap          cmd="imapd" listen="localhost:imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0

Even though cyrus supports STARTTLS on port 143, few clients do, including cyradm. You do have the option of enforcing encrypted logins with:

 allowplaintext: no

How this works for you depends on the SASL mechanisms you use.

If you're allowing unencrypted plaintext logins already, you will probably have to reconfigure clients, no matter what. IMAPS is a good choice because it encrypts everything, not just the login, and is widely supported (to the point where clients like Thunderbird automatically change the port to 993 when the user selects SSL).

Keep in mind that if you use plaintext logins and IMAPS, nothing will stop the user from repeatedly sending a password in the clear to port 143, whether it's available or not. That's why it's a good reason to shut it off, so they have to fix the problem in order to read mail.


----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
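As an added example (not part of the original post, and not Cyrus's own code), the following Python script checks a Cyrus configuration for the setup described in the reply: every non-`-s` service in the SERVICES block must listen on loopback only, an `imaps` service must exist, and `allowplaintext` must be set to `no` in imapd.conf. The two config fragments embedded below are constructed samples; the extra `pop3` line is included on purpose so the audit has something to report. The parsing rules are an assumption based on the cyrus.conf syntax quoted above (`name cmd="..." listen="..." ...`) and the `key: value` form of imapd.conf.

```python
"""Audit a Cyrus IMAP configuration for an IMAPS-only setup.

Added example: checks that plaintext services are bound to loopback only,
that an imaps service exists, and that allowplaintext is explicitly 'no'.
"""
import re

# Constructed sample SERVICES section of cyrus.conf (the "pop3" line is
# deliberately wrong so the audit reports it).
CYRUS_CONF = """\
SERVICES {
  imap          cmd="imapd" listen="localhost:imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
}
"""

# Constructed sample imapd.conf fragment ("key: value" lines, '#' comments).
IMAPD_CONF = """\
# imapd.conf
allowplaintext: yes
sasl_pwcheck_method: saslauthd
"""

SERVICE_RE = re.compile(r'^\s*(\w+)\s+(.*)$')          # name, then attributes
ATTR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
CYRUS_FALSE = {"no", "0", "f", "false", "off"}         # Cyrus boolean spellings


def parse_services(text):
    """Return {service_name: {attr: value}} for the SERVICES { ... } block."""
    services = {}
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("SERVICES"):
            in_block = True
            continue
        if in_block and stripped.startswith("}"):
            break
        if not in_block or not stripped or stripped.startswith("#"):
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        # findall yields (key, quoted_value, bare_value); one of the two is ''.
        services[name] = {k: (q or b) for k, q, b in ATTR_RE.findall(rest)}
    return services


def parse_imapd_conf(text):
    """Return {option: value} for 'key: value' lines, ignoring comments."""
    options = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            continue
        key, value = stripped.split(":", 1)
        options[key.strip()] = value.strip()
    return options


def listen_is_local(listen):
    """True when a listen= value binds only to a loopback address.

    Accepted forms: "port" (all interfaces), "host:port", "[v6addr]:port".
    """
    if listen.startswith("["):
        host = listen[1:listen.index("]")]
    elif ":" in listen:
        host = listen.rsplit(":", 1)[0]
    else:
        return False  # bare port or service name: listens on every interface
    return host in LOOPBACK


def audit(cyrus_conf, imapd_conf):
    """Return a list of human-readable findings; empty means the config passes."""
    services = parse_services(cyrus_conf)
    options = parse_imapd_conf(imapd_conf)
    findings = []
    for name, attrs in services.items():
        cmd = attrs.get("cmd", "")
        listen = attrs.get("listen", "")
        tls_wrapped = "-s" in cmd.split()  # imapd -s / pop3d -s speak TLS from byte one
        if not tls_wrapped and not listen_is_local(listen):
            findings.append(f"{name}: plaintext service listens on {listen!r}, not loopback-only")
    if "imaps" not in services:
        findings.append("imaps: no IMAPS service defined in SERVICES")
    value = options.get("allowplaintext")
    if value is None:
        findings.append("imapd.conf: allowplaintext is not set explicitly")
    elif value.lower() not in CYRUS_FALSE:
        findings.append(f"imapd.conf: allowplaintext is {value!r}, expected 'no'")
    return findings


if __name__ == "__main__":
    for finding in audit(CYRUS_CONF, IMAPD_CONF) or ["OK: no findings"]:
        print(finding)
```

Run against the embedded samples it reports the `pop3` service listening on all interfaces and `allowplaintext: yes`; point `audit()` at the contents of a real `/etc/cyrus.conf` and `/etc/imapd.conf` to check a live server the same way.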
