hi mitu,
1st, THANKS very much for your time ... your comments have been a great guide! =)

>>>> which, i think, is what i SHOULD be seeing
>
>> yes, this is correct.

gr8!

>>>> strangely, i still do NOT see STARTTLS advertised in TBird's imap session
>>>> protocol log:
[..]
>> That's because the connection is already under the SSL layer, logging
>> was done by cyrus/imaps. Cyrus logs this connection as starttls and adds
>> 'no authentication'
[..]
>> It's perfectly normal.

aha. THAT'S why 'no authentication' is there :-}

>>>> why do i have this sneaking suspicion that TBird's STARTTLS implementation
>>>> is not 100% ... ?
...
>> I forgot about TB's inability to support the 'STARTTLS' command and a
>> quick test at my server showed that.

ok, so i'm NOT losing my mind. (at least not on THIS issue ...)

>> TB (1.5beta2) and voila !
>> This is TLS over the 143 port, which I cannot convince TB 1.0.7 to do.
>> In the new TB build you have as security options
>>   [ ] TLS, if available
>>   [ ] TLS
>>   [ ] SSL.
>> these are the same settings TB has currently (1.0.7) for the SMTP server
>> (which has its own SMTP 'STARTTLS' command and smtps mode just as IMAP has).

excellent.

>> I cannot tell right now if the older Mozilla suite builds have the same
>> options as the recent Seamonkey build has, but since you use TB then it
>> means that for now you'll just use imaps and wait for a new release.

can't move to it yet, as most of the extensions i want aren't yet compatible :-/
but, that's good news on the horizon!

now, TO SUMMARIZE ... for those likewise interested, here's what i've "landed on", given mitu's help/clarification ...
my goal state:

  server == CyrusIMAP 2.2.12 cvs
  TBird v107: TLS connection + encrypted login
  cyradm connection to server ONLY via: SSH TO server, then logging in to the
  server's LOCALHOST intfc under the encryption layer using:

    cyradm \
      --user my.admin \
      --auth DIGEST-MD5 \
      --port 143 \
      --server localhost

to make this all work (from now, until TBird 1.5b2 is an option for me ...), since cyradm does NOT apparently have capability to login w/ TLS encryption, i've split my imap config in two,

{
  #### QUESTION ####
  NOTE: it is NOT clear to me, yet, whether sasl_minimum_layer > 129 has any further effect, as all allowed MECHS (plain, cram, digest) are already forced to use TLS ... i.e., is there ANY further difference between, e.g., "sasl_minimum_layer: 129" and "sasl_minimum_layer: 256"?
}

====================================================
imapd.conf:

  # this is for all IMAP logins to mail server's EXTERNAL intfc
  # cyradm to EXTERNAL intfc will NOT work, reporting:
  #   badlogin: ... DIGEST-MD5 [SASL(-15): mechanism too weak for this user: mech DIGEST-MD5 is too weak]
  sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
  allowplaintext: no
  sasl_minimum_layer: 129
  # if 'sasl_minimum_layer'   then CAPABILITY advertises
  # -------------------       ------------------------------------------------------
  #   0                       STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5
  #   1-128                   STARTTLS LOGINDISABLED AUTH=DIGEST-MD5
  #   >=129                   STARTTLS LOGINDISABLED
  @include: imapd-common.conf
====================================================

====================================================
imapd-local.conf:

  # this defines/enables cyradm login for LOCALHOST, requiring
  # DIGEST-MD5's encryption 'strength'
  sasl_minimum_layer: 128
  sasl_mech_list: DIGEST-MD5
  allowplaintext: no
  @include: imapd-common.conf
====================================================

with cyrus.conf config'd as:

...
SERVICES {
  imap       cmd="imapd -C imapd.conf"        listen="10.0.0.5:imap"   prefork=1
  imaps      cmd="imapd -s -C imapd.conf"     listen="10.0.0.5:imaps"  prefork=1
  imaplocal  cmd="imapd -C imapd-local.conf"  listen="127.0.0.1:imap"  prefork=1
...

finally, i've configured TBird v107 as:

================================
Account Settings > (this account) > Server Settings
  Server Type: IMAP Mail Server
  Server Name: {mail.testdomain.com}
  Port: {993}   Default: 993
  [x] Use secure connection (SSL)
  [x] Use secure authentication
  > Advanced ...
    IMAP server directory: (blank)
    [ ] Show only subscribed folders
    [X] Server supports folders that contain sub-folders and messages
    [X] Use IDLE command if the server supports it
    --------------------------------------
    Maximum number of server connections to cache {5}
    --------------------------------------
    Personal namespace: ""
    Public (shared): "Shared/"
    Other Users: "Users/"
    [X] Allow server to override these namespaces
================================

for now, this gets me up/running & secure. =:-)

thx! again, mitu!

cheers,
richard

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
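As an added example, not part of richard's post or of Cyrus itself: a small Python checker for what an IMAP listener advertises before STARTTLS, encoding the sasl_minimum_layer table from the post so the external 143 listener can be verified to expose no usable login path until TLS is up. parse_capability() and audit() run offline on constructed lines; the probe() helper and any host name passed to it are assumptions for a live check.

```python
import imaplib
import re

# Mechanisms that hand the server a reusable secret if used before TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capability(line):
    """Parse a '* CAPABILITY ...' line or a '* OK [CAPABILITY ...]' greeting."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    if not m:
        raise ValueError("no CAPABILITY in: %r" % line)
    caps = m.group(1).split()
    return {
        "starttls": "STARTTLS" in caps,
        "logindisabled": "LOGINDISABLED" in caps,
        "mechs": {c[5:].upper() for c in caps if c.upper().startswith("AUTH=")},
    }


def expected_mechs(sasl_minimum_layer):
    """Pre-TLS AUTH= set per the table in the post (as observed on Cyrus 2.2.12)."""
    if sasl_minimum_layer <= 0:
        return {"DIGEST-MD5", "CRAM-MD5"}
    if sasl_minimum_layer <= 128:
        return {"DIGEST-MD5"}
    return set()


def audit(line, sasl_minimum_layer):
    """Findings for a pre-STARTTLS capability line; [] means it matches policy."""
    cap = parse_capability(line)
    findings = []
    if not cap["starttls"]:
        findings.append("STARTTLS not advertised")
    if not cap["logindisabled"]:
        findings.append("LOGIN accepted before TLS")
    for mech in sorted(cap["mechs"] & PLAINTEXT_MECHS):
        findings.append("plaintext mechanism offered before TLS: " + mech)
    for mech in sorted(cap["mechs"] - PLAINTEXT_MECHS - expected_mechs(sasl_minimum_layer)):
        findings.append("unexpected pre-TLS mechanism for this layer: " + mech)
    return findings


def probe(host, port=143, sasl_minimum_layer=129):
    """Live check (assumed reachable): plain port 143 gives the pre-STARTTLS view."""
    conn = imaplib.IMAP4(host, port)
    typ, data = conn.capability()
    conn.logout()
    return audit("* CAPABILITY " + data[0].decode(), sasl_minimum_layer)
```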