On Mon, 9 Sep 2002, Max Okumoto wrote:
> Our current goal is to migrate everyone to imapd/ipop3d over ssl.  We
> are going to let them use plaintext passwds inside of the ssl tunnel.

SSL tunnel?  You're not going to use imapd's native SSL support (which also
includes TLS support)?

If you use imapd's native SSL support, then you can add a routine to file
imap-????/src/osdep/unix/sslstdio.c that returns whether or not SSL or TLS
is in effect, something like

    /* Return T if the session is running over SSL or TLS, else NIL */
    int check_if_session_encrypted (void)
    {
      return sslstdio ? T : NIL;
    }

Next, in imapd.c, you might want to modify the successful authentication
syslogs.  Do something like:

Change:

    syslog (LOG_INFO,"Authenticated user=%.80s host=%.80s",
            user,tcp_clienthost ());

to:

    syslog (LOG_INFO,"Authenticated %s SSL=%s user=%.80s host=%.80s",
            s,check_if_session_encrypted () ? "yes" : "no",
            user,tcp_clienthost ());

and change:

    syslog (LOG_INFO,"Login SSL=%s user=%.80s host=%.80s",
            check_if_session_encrypted () ? "yes" : "no",
            user,tcp_clienthost ());

Now, what you want to look for is "SSL=no".  "SSL=yes" is for both TLS and
SSL connections.

If you use a non-plaintext authentication mechanism (such as GSSAPI or
CRAM-MD5), you will want to filter those out from the log, e.g.

    grep SSL=no syslog | grep -v CRAM-MD5

> The final goal is to only support imapd over ssl.

You should continue to allow port 143 sessions, since TLS uses port 143
with the STARTTLS command.  Port 993 (SSL) is obsolete.

To disable plaintext passwords when the session is not encrypted (but allow
passwords when the session is encrypted), build the IMAP toolkit with the
option SSLTYPE=nopwd

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.

"A single glass of champagne imparts a feeling of exhilaration.  The nerves
are braced; the imagination is agreeably stirred; the wits become more
nimble.  A bottle produces a contrary effect.  Excess causes a comatose
insensibility.  So it is with war; and the quality of both is best
discovered by sipping." -- Winston Churchill
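
The log filtering described in the message above, as an added example (not part of the original message and not code from the IMAP toolkit): it reads lines in the two modified syslog formats and counts, per user and host, the logins that sent a plaintext password over a session without SSL/TLS. The function name, the syslog prefix, the "name [address]" host format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Mechanisms that never send the password itself; the message names these two.
NON_PLAINTEXT_MECHS = {"GSSAPI", "CRAM-MD5"}

# Matches the two modified syslog formats from the message:
#   Authenticated <mech> SSL=<yes|no> user=<user> host=<host>
#   Login SSL=<yes|no> user=<user> host=<host>
LINE_RE = re.compile(
    r"\b(?:Authenticated (?P<mech>\S+)|(?P<login>Login)) "
    r"SSL=(?P<ssl>yes|no) user=(?P<user>\S+) host=(?P<host>.+)$"
)

def unencrypted_plaintext_logins(lines):
    """Count (user, host) pairs that sent a password without SSL/TLS."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line.rstrip("\n"))
        if not m or m["ssl"] != "no":
            continue
        # A LOGIN command always carries the password in the clear; an
        # AUTHENTICATE exchange does unless its mechanism is non-plaintext.
        if m["login"] or m["mech"].upper() not in NON_PLAINTEXT_MECHS:
            hits[(m["user"], m["host"])] += 1
    return hits

# Constructed sample log lines (not from a real system).
SAMPLE = [
    "Sep  9 10:01:02 mail imapd[811]: Login SSL=no user=alice host=pc1.example.org [192.0.2.10]",
    "Sep  9 10:02:10 mail imapd[812]: Authenticated CRAM-MD5 SSL=no user=bob host=pc2.example.org [192.0.2.11]",
    "Sep  9 10:03:44 mail imapd[813]: Authenticated PLAIN SSL=yes user=carol host=pc3.example.org [192.0.2.12]",
    "Sep  9 10:04:00 mail imapd[814]: Login SSL=no user=alice host=pc1.example.org [192.0.2.10]",
    "Sep  9 10:05:30 mail imapd[815]: Authenticated PLAIN SSL=no user=dave host=pc4.example.org [192.0.2.13]",
    "Sep  9 10:06:00 mail imapd[816]: Logout user=alice host=pc1.example.org [192.0.2.10]",
]

if __name__ == "__main__":
    for (user, host), n in unencrypted_plaintext_logins(SAMPLE).most_common():
        print(f"{n:4d}  {user}  {host}")
```

Unlike the grep pipeline, this also counts AUTHENTICATE PLAIN over an unencrypted session and ignores lines that merely contain the mechanism name elsewhere.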