I don't recall where these patches originally came from (collected from past postings I'm told). Once patched, cyradm takes the password as (-w secret) on the command line, so you probably don't want to run it on a public machine.
The patch also makes changes to sieveshell, the Cyrus/IMAP Perl libraries and imclient.c.
[Attachment: cyrus-starttls.patch (binary data)]
-Patrick

On Jan 10, 2006, at 9:13 AM, Jorey Bump wrote:

Apparently cyradm does not have STARTTLS support, yet, so you can do this in cyrus.conf to ensure that no plaintext service is exposed to the Internet:

    imap cmd="imapd" listen="localhost:imap" prefork=0
    imaps cmd="imapd -s" listen="imaps" prefork=0
    # pop3 cmd="pop3d" listen="localhost:pop3" prefork=0
    pop3s cmd="pop3d -s" listen="pop3s" prefork=0

Granted, you sacrifice STARTTLS on ports 110 & 143, but not many clients seem to support it anyway, and this arrangement will help to prevent accidental transmission of plaintext passwords.

I should also point out that this will restrict the use of cyradm to the localhost. While I assume this is normally the case, cyradm does have the ability to connect to other hosts (much like the mysql client). If this is important to you, you will need to investigate other authentication mechanisms, use a packet filter to control access to the unencrypted port (still risky, depending on the location of the client), or offer some code that allows cyradm to use STARTTLS.

As Nikola pointed out, another option is to use an SSL (or SSH) tunnel. These always feel kludgy to me, though, and usually indicate the need for a better solution.

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
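The cyrus.conf arrangement in Jorey's quoted message (plaintext imap/pop3 bound to localhost, only the "-s" TLS services on the network) can be checked mechanically. The following audit script is an added example, not code from this thread or from the Cyrus project; it parses the SERVICES block of a constructed cyrus.conf sample and reports every service that accepts cleartext logins on a non-loopback address.

```python
import re
import shlex

# Constructed sample modelled on the fragment in the post above; the pop3
# entry is deliberately left bound to all interfaces as the "exposed" case.
SAMPLE_CYRUS_CONF = """
START {
  recover cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap     cmd="imapd"    listen="localhost:imap"         prefork=0
  imaps    cmd="imapd -s" listen="imaps"                  prefork=0
  pop3     cmd="pop3d"    listen="pop3"                   prefork=0
  pop3s    cmd="pop3d -s" listen="pop3s"                  prefork=0
  lmtpunix cmd="lmtpd"    listen="/var/imap/socket/lmtp"  prefork=0
}
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def parse_services(text):
    """Yield (name, cmd, listen) for each entry of the SERVICES block."""
    block = re.search(r"SERVICES\s*\{(.*?)\}", text, re.S)
    if not block:
        return
    for line in block.group(1).splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, *kv = shlex.split(line)          # shlex strips the quotes
        opts = dict(p.split("=", 1) for p in kv if "=" in p)
        yield name, opts.get("cmd", ""), opts.get("listen", "")

def is_tls_only(cmd):
    # "imapd -s" / "pop3d -s" speak TLS from the first byte (imaps/pop3s)
    return "-s" in shlex.split(cmd)[1:]

def is_loopback(listen):
    if listen.startswith("/"):                 # unix socket, not on the network
        return True
    host, sep, _port = listen.rpartition(":")
    if not sep:                                # bare port binds every interface
        return False
    return host in LOOPBACK

def exposed_plaintext_services(text):
    """Names of services that take cleartext logins on a non-loopback address."""
    return [name for name, cmd, listen in parse_services(text)
            if not is_tls_only(cmd) and not is_loopback(listen)]

if __name__ == "__main__":
    print(exposed_plaintext_services(SAMPLE_CYRUS_CONF))  # ['pop3']
```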