On 01/11/10 11:27 -0400, Chris Pepper wrote:
>On 11/1/10 10:41 AM, Dan White wrote:
>>On 31/10/10 20:51 -0400, Chris Pepper wrote:
>>>Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>>>143? I was blocking external access to it to make sure users always use
>>>encryption to connect, but port 143 with STARTTLS required would be an
>>>acceptable alternative.
>>
>>You can set 'allowplaintext: 0' to disallow plaintext logins over port 143.
>>That would require clients to perform a STARTTLS, or negotiate a SASL
>>security layer which meets your 'sasl_minimum_layer:' setting.
>
> Excellent, thanks!
>
>>allowplaintext: 0
>
>I am leaving sasl_minimum_layer at default for now. LOGINDISABLED before
>STARTTLS is encouraging, but I don't know why "Authentication failed.
>generic failure" *after* STARTTLS. On the other hand, with
>"allowplaintext: 0" and after restarting cyrus-imapd, I can still get
>mail, so I suspect this is exactly what I wanted.

After sending the first email, I noticed that you have a
sasl_pwcheck_method of saslauthd in your config. You probably also want a
'sasl_mech_list: plain login'. If you're depending on saslauthd to perform
your authentication, digest-md5 and cram-md5 should always fail.

--
Dan White
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
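
An added example, not part of the original message or of the Cyrus project: a small Python check that reads an imapd.conf and reports on the three options this thread discusses. The function names and both sample configurations are constructed for illustration, and the accepted "off" spellings for booleans are assumed from the imapd.conf man page.

```python
# Added example: audit imapd.conf text for the options named in the thread.
PLAINTEXT_MECHS = {"plain", "login"}              # mechanisms named in the reply
FALSE_VALUES = {"0", "no", "off", "f", "false"}   # assumed boolean "off" spellings

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def audit(text):
    """Return a list of (option, message) findings; empty means nothing to fix."""
    opts = parse_imapd_conf(text)
    findings = []
    plaintext = opts.get("allowplaintext")
    if plaintext is None:
        findings.append(("allowplaintext", "not set; set it to 0 explicitly"))
    elif plaintext.lower() not in FALSE_VALUES:
        findings.append(("allowplaintext", "plaintext logins allowed before STARTTLS"))
    # saslauthd only verifies plaintext passwords, so other mechanisms fail.
    if opts.get("sasl_pwcheck_method", "").lower() == "saslauthd":
        mechs = opts.get("sasl_mech_list")
        if mechs is None:
            findings.append(("sasl_mech_list", "not set; use 'plain login'"))
        else:
            extra = sorted(set(mechs.lower().split()) - PLAINTEXT_MECHS)
            if extra:
                findings.append(("sasl_mech_list",
                                 "will fail with saslauthd: " + " ".join(extra)))
    return findings

# Constructed sample configurations (not taken from the poster's server).
SAMPLE_BEFORE = """\
# constructed sample
allowplaintext: 1
sasl_pwcheck_method: saslauthd
"""
SAMPLE_AFTER = """\
allowplaintext: 0
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login
"""

if __name__ == "__main__":
    for name, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(conf) or "no findings")
```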