Jorey Bump wrote:
> Olaf Fraczyk wrote:
>> On Fri, 2007-03-30 at 16:19 +0530, JOYDEEP wrote:
>>>
>>> I am a bit confused here. Maybe I am wrong, but imaps is running at
>>> port 993 with SSL, where imap with TLS is running at port 143.
>>> I need the imap + TLS. I don't have any imaps entry in my imapd.conf.
>>> So could you all be a little more verbose :-)
>>> Thanks for the help so far.
>>>
>> I mean that if you want to force encryption on users you need to use
>> imaps.
>
> It's not quite that simple. The documentation is less than clear on
> this, but the behaviour of the daemon is affected by various settings.
> For example, (on recent versions of Cyrus IMAP, at least) by enabling
> TLS:
>
> tls_key_file: /path/to/key.pem
> tls_cert_file: /path/to/cert.pem
>
> and setting these values:
>
> sasl_pwcheck_method: auxprop
> sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> allowplaintext: 0
> sasl_minimum_layer: 0
>
> Cyrus IMAP will perform some basic integrity checks appropriate to the
> mechanism used:
>
> PLAIN is denied without negotiating STARTTLS first
> LOGIN is denied without negotiating STARTTLS first
> CRAM-MD5 is allowed without negotiating STARTTLS
> DIGEST-MD5 is allowed without negotiating STARTTLS
>
> By enabling plaintext:
>
> allowplaintext: 1
>
> It is now possible to use LOGIN without STARTTLS, but (on my system)
> PLAIN still requires STARTTLS. By adjusting sasl_minimum_layer, it is
> also possible to require encryption for the other mechanisms.
>
> So, yes, it is possible to enforce a variety of security levels on
> port 143. Getting this to match your local policy requires some
> tweaking. You may only care that authentication is encrypted, but not
> the message transfer. In that case, it's only necessary to enforce TLS
> for PLAIN and LOGIN.
>
> imtest is indispensable for testing your configuration. You can run it
> through its paces by specifying different mechanisms:
>
> imtest -u bob -a bob -m PLAIN mail.example.com
>
> and adding TLS negotiation:
>
> imtest -u bob -a bob -m PLAIN -t "" mail.example.com
>
> The output is verbose and will help you to understand how your server
> is configured. Remember to logout with:
>
> . logout
>
>> If you have imap + TLS it is up to the client to decide if it wants to
>> upgrade the "clear text" connection to TLS.
>> Disabling imap disallows connection of clients and sending clear text
>> passwords on the wire :)
>> You may consider (not technically 100% accurate):
>> imaps=imap+TLS_always_on.
>
> Well, this is only true if you've configured imapd to run in SSL
> wrapper mode with the -s flag (not the same as STARTTLS):
>
> imaps cmd="imapd -s" listen="imaps" prefork=0
>
> You can do that on any port, even 143 (not recommended).
>
> It's still a good idea to configure imaps (on port 993), since client
> support for STARTTLS is still relatively recent. There are a lot of
> legacy clients that can't negotiate STARTTLS, but can handle imaps
> (SSL) just fine.
>

Dear Jorey and all the responders,

Thanks a lot for such an in-depth discussion. I have already enabled SSL encryption :-) as I have come to know from some documentation that STARTTLS is still not very standard and the client-side support for it has not become standard either. Now I am going for the secured authentication. I may be permitted to give here the main.cf so that you can suggest the necessary tweaking I need.

-------------------------------------------------------------------------------------------------
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus
allowplaintext: yes
sasl_mech_list: LOGIN PLAIN
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd #auxprop saslauthd
#sasl_auxprop_plugin: sasldb2
servername: linux.kolkatainfoservices.in
lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
#
# if you want TLS, you have to generate certificates and keys
#
tls_cert_file: /etc/openldap/myca/servercert.pem
tls_key_file: /etc/openldap/myca/serverkey.pem
tls_ca_file: /etc/openldap/myca/cacert.pem
tls_ca_path: /etc/openldap/myca/
tls_require_cert: no
tlscache_db: berkeley
unixhierarchysep: yes
virtdomains: yes
defaultdomain: kolkatainfoservices.in
loginrealms: kolkatainfoservices.in
hashimapspool: true
lmtpsocket: /var/lib/imap/socket/lmtp
------------------------------------------------------------

thanks to all of you

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
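As an added example (not code from this thread and not part of Cyrus IMAP), the following Python script parses the imapd.conf "key: value" format and checks the combination the discussion above turns on: allowplaintext switched on while PLAIN or LOGIN are in sasl_mech_list, and whether a tls_cert_file/tls_key_file pair exists so STARTTLS can be offered at all. The embedded configuration is constructed from the settings posted above; the harden() function applies the allowplaintext: 0 change Jorey describes.

```python
# Constructed sample input, modelled on the settings posted in the thread;
# this is not a real server's configuration file.
SAMPLE_CONF = """\
allowplaintext: yes
sasl_mech_list: LOGIN PLAIN
# if you want TLS, you have to generate certificates and keys
tls_cert_file: /etc/openldap/myca/servercert.pem
tls_key_file: /etc/openldap/myca/serverkey.pem
"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that transmit the password itself
TRUE_VALUES = {"1", "yes", "true", "on", "t"}  # spellings Cyrus accepts for "on"


def parse_imapd_conf(text):
    """Parse imapd.conf 'key: value' lines; lines starting with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts


def audit(opts):
    """Return findings describing how the configuration guards credentials."""
    findings = []
    mechs = set(opts.get("sasl_mech_list", "").upper().split())
    allow_plain = opts.get("allowplaintext", "0").lower() in TRUE_VALUES
    tls_ready = "tls_cert_file" in opts and "tls_key_file" in opts
    if not tls_ready:
        findings.append("tls_cert_file/tls_key_file missing: STARTTLS cannot be offered")
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if allow_plain and exposed:
        findings.append("allowplaintext enabled with %s: password can be sent before STARTTLS" % ", ".join(exposed))
    return findings


def harden(opts):
    """Apply the thread's fix: keep PLAIN/LOGIN but refuse them before STARTTLS."""
    fixed = dict(opts)
    fixed["allowplaintext"] = "0"
    return fixed


if __name__ == "__main__":
    weak = parse_imapd_conf(SAMPLE_CONF)
    for finding in audit(weak):
        print("finding:", finding)
    print("after harden():", audit(harden(weak)) or "no findings")
```

Run against a real file with parse_imapd_conf(open("/etc/imapd.conf").read()); the check is a static review only and does not replace confirming the behaviour with imtest as described above.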