Martin Konold wrote:
On Tuesday 27 March 2007 Ken Murchison wrote:

Hi Ken,

control both the protocol-specific plaintext login commands (IMAP
LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS), and the plaintext SASL
mechanisms (PLAIN, LOGIN).

Yes, this is a good idea.

Since sending passwords in the clear sucks, and I would like to think
that most reasonable admins disable this option anyways, would anyone
have a major gripe if we change the allowplaintext option to default to
disabled in the 2.3.9 release?

I think this is absolutely sane and actually what today's administrators expect.

Obviously, we will document this change prominently in the release notes.

https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2922

What about adding an option to limit the plaintext login commands to IPs/IP-Range? For all useful purposes I can imagine this would be really helpful.

I don't want to make this one option too complicated. What you propose can be accomplished by using proper service lines in cyrus.conf. You can specify a particular hostname/IP in the 'listen' parameter, and you can either use a special imapd.conf file allowing plaintext, or you can use the '-p 2' command line option.


--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
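One way to lay out the split described above, as an added example that is not from the thread or from the Cyrus distribution: a cyrus.conf SERVICES block with two imapd instances, where the public listener inherits the global imapd.conf (plaintext refused) and an internal listener gets "-p 2" so imapd treats the socket as already protected by an external layer. The addresses and the internal config file name are placeholders.

```conf
# /etc/imapd.conf (global): the default proposed for 2.3.9.
# Refuses IMAP LOGIN and SASL PLAIN/LOGIN until a security layer
# (STARTTLS, or one declared with -p) is in place.
allowplaintext: no

# /etc/cyrus.conf, SERVICES section (addresses are placeholders).
SERVICES {
  # Public listener: honours the global allowplaintext: no above.
  imap      cmd="imapd" listen="203.0.113.10:imap" prefork=5

  # IMAPS: the TLS layer itself satisfies the plaintext check.
  imaps     cmd="imapd -s" listen="203.0.113.10:imaps" prefork=1

  # Internal listener for a trusted segment only: "-p 2" tells imapd an
  # external security layer with SSF 2 exists, so plaintext logins are
  # accepted on this socket and nowhere else.
  imapint   cmd="imapd -p 2" listen="10.0.0.5:imap" prefork=2

  # Equivalent alternative using a separate config file that sets
  # allowplaintext: yes (file name is a placeholder):
  # imapint   cmd="imapd -C /etc/imapd-internal.conf" listen="10.0.0.5:imap"
}
```

The internal address should be one that is not reachable from outside the trusted network, since "-p 2" asserts protection that imapd cannot verify itself.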
