On 11/1/10 10:41 AM, Dan White wrote:
> On 31/10/10 20:51 -0400, Chris Pepper wrote:
>> Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>> 143? I was blocking external access to it to make sure users always use
>> encryption to connect, but port 143 with STARTTLS required would be an
>> acceptable alternative.
>
> You can set 'allowplaintext: 0' to disallow plaintext logins over port 143.
> That would require clients to perform a STARTTLS, or negotiate a SASL
> security layer which meets your 'sasl_minimum_layer:' setting.

Excellent, thanks!

> allowplaintext: 0

I am leaving sasl_minimum_layer at default for now. LOGINDISABLED before STARTTLS is encouraging, but I don't know why "Authentication failed. generic failure" *after* STARTTLS. On the other hand, with "allowplaintext: 0" and after restarting cyrus-imapd, I can still get mail, so I suspect this is exactly what I wanted.

Thanks,

Chris

> [root@inspector ~]# imtest -u pepper -t "" localhost
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] mail.reppep.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> S: C01 OK Completed
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=LOGIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> S: C01 OK Completed
> Please enter your password:
> C: A01 AUTHENTICATE PLAIN ****
> S: A01 NO authentication failure
> Authentication failed. generic failure
> Security strength factor: 256

--
Chris Pepper: <http://cbio.mskcc.org/> <http://www.extrapepperoni.com/>
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
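A check for the outcome the thread describes (LOGINDISABLED and no PLAIN/LOGIN mechanism advertised before STARTTLS, PLAIN offered only after it), as an added example that is not part of the thread or of Cyrus itself. The first two capability strings are taken from the transcript above (the second shortened); the third greeting is constructed to show a server that still allows plaintext logins, and `live_check` is a hypothetical helper.

```python
"""Verify that 'allowplaintext: 0' is in effect from what the server advertises
on port 143. Added example; not code from the thread or the Cyrus project."""
import imaplib
import ssl

# SASL mechanisms that expose the password unless TLS (or a SASL security
# layer) protects the session.
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

# Pre-STARTTLS greeting and post-STARTTLS CAPABILITY from the transcript above;
# PRE_TLS_BAD is a constructed greeting of a server still allowing plaintext.
PRE_TLS_OK = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED "
              "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] mail.reppep.com Cyrus IMAP4 "
              "v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready")
POST_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 "
            "AUTH=CRAM-MD5 AUTH=LOGIN SASL-IR ACL RIGHTS=kxte QUOTA NAMESPACE IDLE")
PRE_TLS_BAD = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN "
               "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=LOGIN SASL-IR] mail.example.invalid "
               "Cyrus IMAP4 server ready")


def parse_capabilities(line):
    """Return the capability atoms from an untagged CAPABILITY response or
    from the [CAPABILITY ...] response code in the greeting."""
    text = line.strip()
    if text.startswith("* OK [CAPABILITY"):
        text = text[len("* OK [CAPABILITY"):text.index("]")]
    elif text.startswith("* CAPABILITY"):
        text = text[len("* CAPABILITY"):]
    return set(text.split())


def check_cleartext_policy(pre_tls, post_tls):
    """Return a list of findings; empty means the cleartext port offers no way
    to send a password before STARTTLS, which is what allowplaintext: 0 aims at."""
    before, after = parse_capabilities(pre_tls), parse_capabilities(post_tls)
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised on the cleartext port")
    if "LOGINDISABLED" not in before:
        findings.append("LOGIN command accepted before STARTTLS")
    offered = sorted(PLAINTEXT_MECHS & before)
    if offered:
        findings.append("plaintext SASL mechanisms offered before STARTTLS: "
                        + " ".join(offered))
    if "LOGINDISABLED" in after:
        findings.append("LOGIN still disabled after STARTTLS; check sasl_minimum_layer")
    return findings


def live_check(host, port=143):
    """Run the same check against a real server (hypothetical helper). A
    self-signed certificate, as in the thread, fails the default context's
    verification, so pass a context that trusts your own CA if needed."""
    conn = imaplib.IMAP4(host, port)
    before = "* CAPABILITY " + conn.capability()[1][0].decode()
    conn.starttls(ssl.create_default_context())
    after = "* CAPABILITY " + conn.capability()[1][0].decode()
    conn.logout()
    return check_cleartext_policy(before, after)
```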