Re: how to enable TLS encryption only?

Olaf Fraczyk wrote:
> On Fri, 2007-03-30 at 16:19 +0530, JOYDEEP wrote:
>
>> I am a bit confused here. Maybe I am wrong, but imaps is running at port
>> 993 with SSL where imap with TLS is running at port 143.
>> I need the imap + TLS.  I don't have any imaps entry in my imapd.conf.
>> So could you all be a little bit more verbose :-)
>> Thanks for the help so far.
>
> I mean that if you want to force encryption on users you need to use
> imaps.

It's not quite that simple. The documentation is less than clear on this, but the behaviour of the daemon is affected by various settings. For example, (on recent versions of Cyrus IMAP, at least) by enabling TLS:

 tls_key_file: /path/to/key.pem
 tls_cert_file: /path/to/cert.pem

and setting these values:

 sasl_pwcheck_method: auxprop
 sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 allowplaintext: 0
 sasl_minimum_layer: 0

Cyrus IMAP will perform some basic integrity checks appropriate to the mechanism used:

 PLAIN is denied without negotiating STARTTLS first
 LOGIN is denied without negotiating STARTTLS first
 CRAM-MD5 is allowed without negotiating STARTTLS
 DIGEST-MD5 is allowed without negotiating STARTTLS

By enabling plaintext:

 allowplaintext: 1

It is now possible to use LOGIN without STARTTLS, but (on my system) PLAIN still requires STARTTLS. By adjusting sasl_minimum_layer, it is also possible to require encryption for the other mechanisms.

So, yes, it is possible to enforce a variety of security levels on port 143. Getting this to match your local policy requires some tweaking. You may only care that authentication is encrypted, but not the message transfer. In that case, it's only necessary to enforce TLS for PLAIN and LOGIN.

imtest is indispensable for testing your configuration. You can run it through its paces by specifying different mechanisms:

 imtest -u bob -a bob -m PLAIN mail.example.com

and adding TLS negotiation:

 imtest -u bob -a bob -m PLAIN -t "" mail.example.com

The output is verbose and will help you to understand how your server is configured. Remember to logout with:

. logout

> If you have imap + TLS it is up to the client to decide if it wants to
> upgrade the "clear text" connection to TLS.
> Disabling imap disallows connection of clients and sending clear text
> passwords on the wire :)
> You may consider (not technically 100% accurate):
> imaps=imap+TLS_always_on.

Well, this is only true if you've configured imapd to run in SSL wrapper mode with the -s flag (not the same as STARTTLS):

 imaps  cmd="imapd -s" listen="imaps" prefork=0

You can do that on any port, even 143 (not recommended).

It's still a good idea to configure imaps (on port 993), since client support for STARTTLS is still relatively recent. There are a lot of legacy clients that can't negotiate STARTTLS, but can handle imaps (SSL) just fine.


----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
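The check the reply performs by hand with imtest can also be read straight off the server's CAPABILITY response: before STARTTLS, Cyrus advertises which AUTH= mechanisms it will accept in the clear and, when allowplaintext is 0, LOGINDISABLED; after STARTTLS the list grows. The script below is an added example written for this page, not code from the original post or from the Cyrus project. The capability strings it ships with are constructed to model the two configurations discussed (allowplaintext 0 and 1 with the four-mechanism sasl_mech_list); they are not captured from a real server, and the exact tokens a given Cyrus version emits may differ. The live probe uses Python's standard imaplib and needs network access to a host you name on the command line.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or the Cyrus project): report
which SASL mechanisms an IMAP server offers on port 143 before and after
STARTTLS, i.e. whether PLAIN/LOGIN can cross the wire unencrypted."""
import imaplib
import ssl
import sys

# Constructed sample CAPABILITY strings (illustrative, not captured from a
# real server).  STRICT_* models allowplaintext: 0 with
# sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5; WEAK_PRE models
# allowplaintext: 1 on the same mechanism list.
STRICT_PRE = "IMAP4 IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5"
STRICT_POST = "IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5"
WEAK_PRE = "IMAP4 IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5"

# Mechanisms that put the password itself on the wire.  The challenge/response
# mechanisms (CRAM-MD5, DIGEST-MD5) only expose a digest of it.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(cap: str) -> set:
    """Split a CAPABILITY list into a set of upper-cased tokens."""
    return {tok.upper() for tok in cap.split()}


def mechs(caps: set) -> set:
    """Extract SASL mechanism names from the AUTH=... tokens."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def plaintext_exposure(pre_tls: set, post_tls: set) -> dict:
    """Classify what a client may do on the cleartext half of the connection."""
    clear = mechs(pre_tls)
    after = mechs(post_tls)
    return {
        "starttls_offered": "STARTTLS" in pre_tls,
        # RFC 2595 LOGINDISABLED: the IMAP LOGIN command is refused before STARTTLS
        "login_disabled_in_clear": "LOGINDISABLED" in pre_tls,
        "clear_mechs": sorted(clear),
        "tls_only_mechs": sorted(after - clear),
        # True if a password (not a digest) can be sent unencrypted, either via
        # a cleartext SASL mechanism or via the plain LOGIN command.
        "password_in_clear": bool(clear & PASSWORD_MECHS)
                             or "LOGINDISABLED" not in pre_tls,
    }


def probe(host: str, port: int = 143, ctx=None):
    """Connect in the clear, record capabilities, STARTTLS, record again.
    Needs network access; the offline samples above do not exercise it."""
    ctx = ctx or ssl.create_default_context()
    conn = imaplib.IMAP4(host, port)
    try:
        pre = set(conn.capabilities)      # imaplib already upper-cases these
        if "STARTTLS" not in pre:
            return pre, set()
        conn.starttls(ctx)                # imaplib re-reads CAPABILITY after the upgrade
        post = set(conn.capabilities)
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass
    return pre, post


def report(label: str, pre: set, post: set) -> dict:
    """Print and return the exposure summary for one server or sample."""
    exposure = plaintext_exposure(pre, post)
    print(f"{label}:")
    for key, value in exposure.items():
        print(f"  {key}: {value}")
    return exposure


if __name__ == "__main__":
    if len(sys.argv) > 1:
        pre_caps, post_caps = probe(sys.argv[1])
        report(sys.argv[1], pre_caps, post_caps)
    else:
        report("strict sample (allowplaintext: 0)",
               parse_capabilities(STRICT_PRE), parse_capabilities(STRICT_POST))
        report("weak sample (allowplaintext: 1)",
               parse_capabilities(WEAK_PRE), parse_capabilities(STRICT_POST))
```

Run it with no arguments to see the two constructed samples classified, or with a hostname to probe a real server on 143. A server that matches the policy the reply describes (authentication always encrypted, transfer optional) should show LOGINDISABLED and no AUTH=PLAIN/AUTH=LOGIN before STARTTLS, so `password_in_clear` comes back False; it does not verify that the SSL-wrapped port 993 is also configured, which is a separate check (imtest -s, or any TLS client against 993).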
