Olaf Fraczyk wrote:
On Fri, 2007-03-30 at 16:19 +0530, JOYDEEP wrote:
I am a bit confused here. may be I am wrong but imaps is running at port
993 with SSL where imap with TLs is running at port 143.
I need the imap + TLS. I don't have any imaps entry in my imapd.conf.
So could you all be a little bore verbose :-)
thanks for the help so far.
I mean that if you want to force encryption on users you need to use
imaps.
It's not quite that simple. The documentation is less than clear on
this, but the behaviour of the daemon is affected by various settings.
For example, (on recent versions of Cyrus IMAP, at least) by enabling TLS:
tls_key_file: /path/to/key.pem
tls_cert_file: /path/to/cert.pem
and setting these values:
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
allowplaintext: 0
sasl_minimum_layer: 0
Cyrus IMAP will perform some basic integrity checks appropriate to the
mechanism used:
PLAIN is denied without negotiating STARTTLS first
LOGIN is denied without negotiating STARTTLS first
CRAM-MD5 is allowed without negotiating STARTTLS
DIGEST-MD5 is allowed without negotiating STARTTLS
By enabling plaintext:
allowplaintext: 1
It is now possible to use LOGIN without STARTTLS, but (on my system)
PLAIN still requires STARTTLS. By adjusting sasl_minimum_layer, it is
also possible to require encryption for the other mechanisms.
So, yes, it is possible to enforce a variety of security levels on port
143. Getting this to match your local policy requires some tweaking. You
may only care that authentication is encrypted, but not the message
transfer. In that case, it's only necessary to enforce TLS for PLAIN and
LOGIN.
imtest is indispensible for testing your configuration. You can run it
through its paces by specifying different mechanisms:
imtest -u bob -a bob -m PLAIN mail.example.com
and adding TLS negotiation:
imtest -u bob -a bob -m PLAIN -t "" mail.example.com
The output is verbose and will help you to understand how your server is
configured. Remember to logout with:
. logout
If you have imap + TLS it is up to the client to decide if it wants to
upgrade the "clear text" connection to TLS.
Disabling imap disallows connection of clients and sending clear text
passwords on the wire :)
You may consider (not technically 100% accurate):
imaps=imap+TLS_always_on.
Well, this is only true if you've configured imapd to run in SSL wrapper
mode with the -s flag (not the same as STARTTLS):
imaps cmd="imapd -s" listen="imaps" prefork=0
You can do that on any port, even 143 (not recommended).
It's still a good idea to configure imaps (on port 993), since client
support for STARTTLS is still relatively recent. There are a lot of
legacy clients that can't negotiate STARTTLS, but can handle imaps (SSL)
just fine.
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
