Rosenbaum, Larry M. wrote:
> Is there a way to get cyradm to use TLS (or STARTTLS) when connecting to
> the server? We are planning to authenticate with /etc/shadow using
> saslauthd, and use TLS to avoid putting plaintext passwords on the wire.
> However, I have found out that specifying
>   allowplaintext: 0
> prevents us from using cyradm.
Apparently cyradm does not have STARTTLS support yet, so you can do
this in cyrus.conf to ensure that no plaintext service is exposed to the
Internet:
imap cmd="imapd" listen="localhost:imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=0
# pop3 cmd="pop3d" listen="localhost:pop3" prefork=0
pop3s cmd="pop3d -s" listen="pop3s" prefork=0
Granted, you sacrifice STARTTLS on ports 110 & 143, but not many clients
seem to support it anyway, and this arrangement will help to prevent
accidental transmission of plaintext passwords.
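As an added check (example code of mine, not from this thread or from the Cyrus project), here is a small Python script that parses cyrus.conf SERVICES entries and flags any service bound to a non-loopback address whose daemon is not started with the -s (SSL-wrapped) flag. The sample config is constructed from the lines above plus a unix-socket lmtp entry; the -s convention and the localhost:port listen syntax are taken from the thread.

```python
import shlex

# Constructed sample cyrus.conf SERVICES block, modelled on the thread:
# plaintext imap bound to loopback only, imaps/pop3s on all interfaces,
# pop3 commented out, and a unix-socket lmtp entry that is never on the wire.
SAMPLE_CYRUS_CONF = """\
SERVICES {
  imap     cmd="imapd" listen="localhost:imap" prefork=0
  imaps    cmd="imapd -s" listen="imaps" prefork=0
  # pop3   cmd="pop3d" listen="localhost:pop3" prefork=0
  pop3s    cmd="pop3d -s" listen="pop3s" prefork=0
  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
"""

# Addresses that keep a listener off the network (assumed loopback spellings).
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_services(text):
    """Yield (name, options) for each uncommented service line carrying cmd=."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "cmd=" not in line:
            continue
        tokens = shlex.split(line)           # keeps cmd="imapd -s" as one token
        name, opts = tokens[0], {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            opts[key] = val
        yield name, opts

def is_public(listen):
    """True if the listen spec binds a TCP port on a non-loopback interface."""
    if listen.startswith("/"):               # unix domain socket: local only
        return False
    host, sep, _port = listen.rpartition(":")
    if not sep:                              # bare port/service name: all interfaces
        return True
    return host.strip("[]") not in LOOPBACK

def plaintext_exposures(text):
    """Names of services reachable off-host whose daemon lacks the -s flag."""
    findings = []
    for name, opts in parse_services(text):
        cmd_args = opts.get("cmd", "").split()
        tls_wrapped = "-s" in cmd_args[1:]
        if is_public(opts.get("listen", "")) and not tls_wrapped:
            findings.append(name)
    return findings

if __name__ == "__main__":
    print("exposed plaintext services:", plaintext_exposures(SAMPLE_CYRUS_CONF))
```

Running it against the sample config reports no exposures; change the imap line to listen="imap" and the script names that service.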
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html