Re: imap-daemon ignores saslauthd

On 31/03/10 22:05 -0400, Mikhail T. wrote:
> > The default configuration for the Cyrus IMAP server does not allow clear
> > text mechs (plain/login) to be used without some other form of network
> > protection in place, like TLS.
> This is a bug -- the default configuration leaves cyradm unusable. At
> the very least, running cyradm on localhost should not be a problem,
> because encrypting traffic via lo0 is kinda stupid.

This behavior probably stems from the following requirement in RFC 3501:

    Note: a server implementation MUST implement a
    configuration in which it does NOT permit any plaintext
    password mechanisms, unless either the STARTTLS command
    has been negotiated or some other mechanism that
    protects the session from password snooping has been
    provided.  Server sites SHOULD NOT use any configuration
    which permits a plaintext password mechanism without
    such a protection mechanism against password snooping.
    Client and server implementations SHOULD implement
    additional [SASL] mechanisms that do not use plaintext
    passwords, such the GSSAPI mechanism described in [SASL]
    and/or the [DIGEST-MD5] mechanism.

In a default configuration, you could authenticate via a mechanism like
DIGEST-MD5 which provides a security layer, and does not require any change
to imapd.conf. However, that is not possible with saslauthd.

In a situation where you have a trusted network connection, such as with
lo0, you can tell imapd to assume that it's trusted. In cyrus.conf, you
can add a '-p' parameter, such as:

    imap    cmd="localhost:imapd -U 30 -p 256 -D" listen="imap" prefork=0 maxchild=100

which would allow you to use plaintext mechanisms under cover of a secure
channel.

--
Dan White
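Added here as a way to verify what that change actually does (my own script, not code from the Cyrus project): it parses the CAPABILITY data an IMAP server sends on a cleartext connection and reports whether plaintext password mechanisms are offered before STARTTLS. The two greeting lines are constructed samples rather than output captured from a real server, and check_server() is a hypothetical helper name.

```python
"""Report whether an IMAP server offers plaintext auth on a cleartext connection."""
import imaplib

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample greetings (not captured from a real server).
# A default Cyrus setup: plaintext mechs withheld, LOGIN disabled, STARTTLS offered.
DEFAULT_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED "
                    "AUTH=DIGEST-MD5 AUTH=CRAM-MD5] example.test Cyrus IMAP ready")
# The same server after imapd is started with an external SSF (the -p flag above).
TRUSTED_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN "
                    "AUTH=LOGIN AUTH=DIGEST-MD5] example.test Cyrus IMAP ready")


def parse_capability_line(line):
    """Return the capability tokens from '* CAPABILITY ...' or '* OK [CAPABILITY ...] text'."""
    if "[CAPABILITY" in line.upper():
        start = line.upper().index("[CAPABILITY") + len("[CAPABILITY")
        return line[start:].split("]", 1)[0].split()
    parts = line.split(None, 2)
    if len(parts) == 3 and parts[1].upper() == "CAPABILITY":
        return parts[2].split()
    raise ValueError("not a CAPABILITY response: %r" % line)


def assess_capabilities(caps):
    """Classify a capability list as seen before any STARTTLS negotiation."""
    caps = {c.upper() for c in caps}
    mechs = {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}
    plaintext = mechs & PLAINTEXT_MECHS
    login_disabled = "LOGINDISABLED" in caps
    return {
        "starttls": "STARTTLS" in caps,
        "login_disabled": login_disabled,
        "plaintext_mechs": sorted(plaintext),
        # cyradm's PLAIN/LOGIN path needs a plaintext mech or the bare LOGIN command
        "plaintext_usable": bool(plaintext) or not login_disabled,
    }


def check_server(host="localhost", port=143):
    """Hypothetical helper: connect in the clear and assess what is offered pre-STARTTLS."""
    with imaplib.IMAP4(host, port) as conn:  # imaplib upper-cases the capability tuple
        return assess_capabilities(conn.capabilities)


if __name__ == "__main__":
    for label, greeting in (("default", DEFAULT_GREETING), ("-p 256", TRUSTED_GREETING)):
        print(label, assess_capabilities(parse_capability_line(greeting)))
```

Run check_server() against the loopback listener before and after editing cyrus.conf; the "plaintext_usable" flag should flip from False to True only on the connection you intended to trust.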
