Jorey Bump wrote:
Apparently cyradm does not have STARTTLS support yet, so you can do
this in cyrus.conf to ensure that no plaintext service is exposed to the
Internet:
# plaintext services: bound to the loopback address only
imap cmd="imapd" listen="localhost:imap" prefork=0
# SSL-wrapped services: no host part, so they listen on all interfaces
imaps cmd="imapd -s" listen="imaps" prefork=0
# pop3 cmd="pop3d" listen="localhost:pop3" prefork=0
pop3s cmd="pop3d -s" listen="pop3s" prefork=0
Granted, you sacrifice STARTTLS on ports 110 & 143, but not many clients
seem to support it anyway, and this arrangement will help to prevent
accidental transmission of plaintext passwords.
I should also point out that this will restrict the use of cyradm to the
localhost. While I assume this is normally the case, cyradm does have
the ability to connect to other hosts (much like the mysql client). If
this is important to you, you will need to investigate other
authentication mechanisms, use a packet filter to control access to the
unencrypted port (still risky, depending on the location of the client),
or offer some code that allows cyradm to use STARTTLS.
As Nikola pointed out, another option is to use an SSL (or SSH) tunnel.
These always feel kludgy to me, though, and usually indicate the need
for a better solution.
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
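A small audit script, added here as an example and not part of the post above or of Cyrus itself, that checks a cyrus.conf SERVICES fragment for the mistake the post is guarding against: a plaintext (non "-s") service whose listen= value is not bound to a loopback address. The function names, the heuristic that a "-s" in cmd= marks an SSL-wrapped service, and the two sample configurations are all assumptions constructed for this example.

```python
import re
import shlex

# Constructed sample fragments. SAMPLE_WEAK binds plaintext imap/pop3 to all
# interfaces (and one to a routable address); SAMPLE_FIXED mirrors the post.
SAMPLE_WEAK = """
SERVICES {
  imap   cmd="imapd" listen="imap" prefork=0
  imaps  cmd="imapd -s" listen="imaps" prefork=0
  pop3   cmd="pop3d" listen="192.0.2.10:pop3" prefork=0
  pop3s  cmd="pop3d -s" listen="pop3s" prefork=0
  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
"""

SAMPLE_FIXED = """
SERVICES {
  imap   cmd="imapd" listen="localhost:imap" prefork=0
  imaps  cmd="imapd -s" listen="imaps" prefork=0
  # pop3 cmd="pop3d" listen="localhost:pop3" prefork=0
  pop3s  cmd="pop3d -s" listen="pop3s" prefork=0
  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_services(conf_text):
    """Yield (name, attrs) for every uncommented line carrying a listen= attribute.

    Only SERVICES entries carry listen=, so START and EVENTS lines are skipped
    without needing to track the enclosing block.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line or "listen=" not in line:
            continue
        tokens = shlex.split(line)  # shlex removes the quotes around values
        name, attrs = tokens[0], {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            attrs[key] = value
        yield name, attrs


def listen_host(listen):
    """Return the host part of a listen= value; None means all interfaces.

    Handles "port", "host:port", "[v6addr]:port" and unix-socket paths.
    """
    if listen.startswith("/"):
        return "localhost"  # unix domain socket: local by construction
    m = re.match(r"^\[([^\]]+)\]:[^:]+$", listen)
    if m:
        return m.group(1)
    host, sep, _port = listen.rpartition(":")
    return host if sep else None


def is_tls_wrapped(cmd):
    """Assumption: a bare -s flag (imapd -s, pop3d -s) marks an SSL-wrapped service."""
    return "-s" in shlex.split(cmd)


def find_exposed_plaintext(conf_text):
    """Return the names of plaintext services reachable on a non-loopback address."""
    exposed = []
    for name, attrs in parse_services(conf_text):
        if is_tls_wrapped(attrs.get("cmd", "")):
            continue
        host = listen_host(attrs.get("listen", ""))
        if host is None or host not in LOOPBACK:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, "exposed plaintext services:", find_exposed_plaintext(conf))
```

Run it against a real cyrus.conf by reading the file into find_exposed_plaintext(); an empty result is what the post's arrangement produces, while any name returned is a service that will accept a password over the network in the clear.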