Quoting "Kevin P. Fleming" <[EMAIL PROTECTED]>:
Edward Rudd wrote:
This is really a Cyrus-SASL topic. as Cyrus IMAP doesn't really care how the user gets authenticated, only that the SASL layer authenticates the users. So client certificate authentication would have to be added as a SASL authentication module.
It's never been clear to me where IMAP stops and SASL starts as it relates to this... but it's my impression that Cyrus SASL has nothing at all to do with SSL/TLS, and only handles the authentication details after Cyrus IMAP has collected them.
SSL/TLS starts before authentication: you can see in the logs the STARTTLS command before authentication:
cyrus/imapd[15511]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
cyrus/imapd[15511]: login: localhost[127.0.0.1] pascal plaintext+TLS
The "no authentication" at the end of the first line is because client certificates
are not allowed with webmail (the c-client library doesn't support it).
But the connection has indeed been encrypted, as have the password and login.
Therefore, Cyrus collects the login and password after TLS has started.
Using TLS between Postfix and Horde will produce these logs:
postfix/smtpd[15609]: starting TLS engine <== TLS starts
postfix/smtpd[15609]: match_string: fast_flush_domains ~? debug_peer_list
postfix/smtpd[15609]: match_string: fast_flush_domains ~? fast_flush_domains
postfix/smtpd[15609]: watchdog_create: 0x80911c8 18000
postfix/smtpd[15609]: watchdog_stop: 0x80911c8
postfix/smtpd[15609]: watchdog_start: 0x80911c8
postfix/smtpd[15609]: connection established <== Crypted connection is OK
[...]
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 220 euphorie.linuxorable.net ESMTP Postfix (Debian/GNU)
postfix/smtpd[15609]: watchdog_pat: 0x80911c8
postfix/smtpd[15609]: < camomile.cloud9.net[168.100.1.3]: EHLO camomile.cloud9.net
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-euphorie.linuxorable.net
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-PIPELINING
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-SIZE 20480000
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-ETRN
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-STARTTLS
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-AUTH NTLM DIGEST-MD5 CRAM-MD5
You can see that TLS starts before the authentication commands begin (last 9 lines).
TLS encrypts the connection so that the login and password (which represent the
authentication) are encrypted too.
The mail will be encrypted too until it is posted to the mailbox, where it is no
longer encrypted.
If this can help you...
Pascal
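The point of Pascal's log excerpt is that the `starttls:` line is logged by the same imapd process before its `login:` line, and that Cyrus tags a login made inside the TLS session with `+TLS`. The following script is an added example, not code from the thread or from the Cyrus project: it reads imapd log lines in the format quoted above, correlates each `starttls:` record with the later `login:` record of the same process, and flags any plaintext login that was not protected by TLS. The log lines it ships with are constructed for the example (hostnames and users are hypothetical), and the `login:` line layout (`peer[ip] user mechanism`) is assumed from the single line quoted in the message.

```python
import re
from collections import namedtuple

LoginEvent = namedtuple("LoginEvent", "pid user mech tls_cipher plaintext_over_cleartext")

# Constructed sample log lines (hypothetical), modelled on the format quoted in the thread.
SAMPLE_LOG = """\
cyrus/imapd[15511]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
cyrus/imapd[15511]: login: localhost[127.0.0.1] pascal plaintext+TLS
cyrus/imapd[15520]: login: host.example.test[192.0.2.10] alice plaintext
cyrus/imapd[15533]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
cyrus/imapd[15533]: login: host2.example.test[192.0.2.11] bob plaintext+TLS
cyrus/imapd[15540]: login: host3.example.test[192.0.2.12] carol CRAM-MD5
"""

LINE_RE = re.compile(r"cyrus/imapd\[(?P<pid>\d+)\]: (?P<event>starttls|login): (?P<rest>.*)$")
STARTTLS_RE = re.compile(r"with cipher (?P<cipher>\S+)")
# Assumed layout of the login line: "<peer>[<ip>] <user> <mechanism>"
LOGIN_RE = re.compile(r"^(?P<peer>\S+) (?P<user>\S+) (?P<mech>\S+)$")


def audit_logins(log_text):
    """Return one LoginEvent per login line, flagging plaintext logins with no TLS on that session."""
    tls_by_pid = {}   # pid -> cipher negotiated by the most recent starttls on that process
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, event, rest = m.group("pid"), m.group("event"), m.group("rest")
        if event == "starttls":
            c = STARTTLS_RE.search(rest)
            tls_by_pid[pid] = c.group("cipher") if c else "unknown"
            continue
        lm = LOGIN_RE.match(rest)
        if not lm:
            continue
        mech = lm.group("mech")
        # A session authenticates once; forget the starttls record after its login so that
        # a later connection served by the same (reused) imapd process is not misjudged.
        cipher = tls_by_pid.pop(pid, None)
        # Cyrus marks a login on a TLS-wrapped session with "+TLS"; the starttls record is the cross-check.
        tls_active = cipher is not None or mech.endswith("+TLS")
        exposed = mech.startswith("plaintext") and not tls_active
        events.append(LoginEvent(pid, lm.group("user"), mech, cipher, exposed))
    return events


def exposed_users(log_text):
    """Users whose password crossed the wire in clear text, i.e. plaintext login with no TLS."""
    return [e.user for e in audit_logins(log_text) if e.plaintext_over_cleartext]


if __name__ == "__main__":
    for e in audit_logins(SAMPLE_LOG):
        status = "EXPOSED" if e.plaintext_over_cleartext else "ok"
        print(f"pid={e.pid} user={e.user} mech={e.mech} tls={e.tls_cipher} {status}")
```

On the constructed sample only `alice` is reported: her `plaintext` login has neither a preceding `starttls:` line for process 15520 nor a `+TLS` tag. Challenge-response mechanisms such as CRAM-MD5 are not flagged because the password itself is never sent, which matches the distinction Pascal draws between the transport (TLS) and the authentication mechanism (SASL).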
I guess that means that what I want to do will actually require changes in both Cyrus IMAP and SASL... time for more research :-)
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html