On 11/1/10 10:41 AM, Dan White wrote:
> On 31/10/10 20:51 -0400, Chris Pepper wrote:
>> Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>> 143? I was blocking external access to it to make sure users always use
>> encryption to connect, but port 143 with STARTTLS required would be an
>> acceptable alternative.
>
> You can set 'allowplaintext: 0' to disallow plaintext logins over port 143.
> That would require clients to perform a STARTTLS, or negotiate a SASL
> security layer which meets your 'sasl_minimum_layer:' setting.

        Excellent, thanks!

> allowplaintext: 0

        I am leaving sasl_minimum_layer at default for now. LOGINDISABLED 
before STARTTLS is encouraging, but I don't know why "Authentication failed. 
generic failure" *after* STARTTLS. On the other hand, with "allowplaintext: 0" 
and after restarting cyrus-imapd, I can still get mail, so I suspect this is 
exactly what I wanted.

Thanks,

Chris

> [r...@inspector ~]# imtest -u pepper -t "" localhost
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED 
> AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] mail.reppep.com Cyrus IMAP4 
> v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED 
> AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS 
> NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
> SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE 
> CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> S: C01 OK Completed
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 
> AUTH=CRAM-MD5 AUTH=LOGIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS 
> NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
> SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE 
> CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> S: C01 OK Completed
> Please enter your password:
> C: A01 AUTHENTICATE PLAIN ****
> S: A01 NO authentication failure
> Authentication failed. generic failure
> Security strength factor: 256

-- 
Chris Pepper:                <http://cbio.mskcc.org/>
                              <http://www.extrapepperoni.com/>

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/

Reply via email to