Kevin wrote:
> Hi Folks-
>
> I'm using Cyrus IMAPd v2.2.12.
>
> I'd like to allow clients to authenticate using the plaintext mechanism,
> but only if those connections are secured with TLS. Is there a way to
> do so?
>
> I have the following settings in imapd.conf:
>
>     sasl_minimum_layer: 56
>     allowplaintext: yes
>
> But I can still connect to the server with unencrypted connections and
> do plaintext authentication.
>
> According to man imapd.conf:
>
>     sasl_minimum_layer: 0
>         The minimum SSF that the server will allow a client to negotiate. A
>         value of 1 requires integrity protection; any higher value requires
>         some amount of encryption.
>
> Before using the sasl_minimum_layer parameter at all, the server was
> allowing plaintext logins that were encrypted with TLS and those that
> were not. I figured that by setting this parameter to 2, I would
> accomplish my goal of allowing plaintext logins but only if encrypted
> with TLS and denying unencrypted plaintext logins. When the setting of
> 2 failed, I tried 56, but it too allows unencrypted plaintext
> authentication.
>
> Is this a bug or am I missing something?

What you want is:

    allowplaintext: no
--
Kenneth Murchison
Systems Programmer
Carnegie Mellon University
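
A check for the outcome asked about above, as an added example that is not part of the original thread: it compares the CAPABILITY list an IMAP server advertises before and after STARTTLS and reports any way a password could be sent on the unencrypted connection. The function names are hypothetical and the capability lines are constructed samples; LOGINDISABLED, STARTTLS and AUTH= are the standard capability names from RFC 3501.

```python
"""Audit IMAP CAPABILITY lists for plaintext login offered without TLS."""

# SASL mechanisms that send the password itself (only safe inside TLS).
PLAINTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line):
    """Return the upper-cased capability atoms from a CAPABILITY response."""
    text = line.strip()
    # Accept "* CAPABILITY ...", "* OK [CAPABILITY ...] greeting" or a bare list.
    if "[CAPABILITY" in text.upper():
        start = text.upper().index("[CAPABILITY") + len("[CAPABILITY")
        text = text[start:text.index("]", start)]
    elif text.upper().startswith("* CAPABILITY"):
        text = text[len("* CAPABILITY"):]
    return {atom.upper() for atom in text.split()}


def cleartext_findings(caps):
    """List the ways a password could cross this (unencrypted) connection."""
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command accepted without TLS")
    for mech in sorted(PLAINTEXT_SASL & caps):
        findings.append(mech + " offered without TLS")
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    return findings


def audit(pre_tls_line, post_tls_line):
    """Return (ok, findings): ok means plaintext auth exists only inside TLS."""
    findings = cleartext_findings(parse_capabilities(pre_tls_line))
    post = parse_capabilities(post_tls_line)
    if "LOGINDISABLED" in post and not (PLAINTEXT_SASL & post):
        findings.append("no plaintext login available even after STARTTLS")
    return (not findings, findings)


# Constructed sample responses (not captured from a real server).
PERMISSIVE_PRE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=DIGEST-MD5"
STRICT_PRE = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5] ready"
POST_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=DIGEST-MD5"

if __name__ == "__main__":
    for name, pre in (("permissive", PERMISSIVE_PRE), ("strict", STRICT_PRE)):
        print(name, audit(pre, POST_TLS))
```

To run it against a real server, feed `audit()` the capability lists seen before and after STARTTLS, for example from `imaplib.IMAP4.capabilities` read before and after calling `starttls()`.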