On Sun, 9 Jan 2011, jonr@xxxxxxxxxx wrote:

> Hello List!
>
> I am going mad, mad as in crazy.
>
> CentOS 5.5
>
> Sendmail 8.13.8/8.13.8
>
> cyrus-imapd.x86_64 -2.3.7-7.el5_4.3
> cyrus-imapd-devel.x86_64 -2.3.7-7.el5_4.3
> cyrus-imapd-perl.x86_64 -2.3.7-7.el5_4.3
> cyrus-imapd-utils.x86_64 -2.3.7-7.el5_4.3
>
> cyrus-sasl.x86_64 -2.1.22-5.el5_4.3
> cyrus-sasl-devel.x86_64 -2.1.22-5.el5_4.3
>
> cyrus-sasl-gssapi.x86_64 -2.1.22-5.el5_4.3
> cyrus-sasl-lib.x86_64 -2.1.22-5.el5_4.3
> cyrus-sasl-md5.x86_64 -2.1.22-5.el5_4.3
> cyrus-sasl-plain.x86_64 -2.1.22-5.el5_4.3
>
> I am using Thunderbird to test with. I want to completely disallow logins
> without TLS for IMAP.
>
> This is my /etc/imapd.conf
>
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd auxprop
>
> sasl_mech_list: LOGIN PLAIN
> allowplainwithouttls: 0
> allowanonymouslogins: 0
> virtdomains: userid
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
>
> I think maybe I am confused here. I thought 'allowplainwithouttls: 0'
> would not allow cleartext passwords but now I am thinking it means
> only the PLAIN mech.
>
> Is that correct?
>
> If that is the case, how do I configure the server to only accept
> PLAIN LOGIN only if there is SSL/TLS present? Right now when I do a
> packet capture on the session I can see the username and password in
> cleartext inside of my capture file.

allowplaintext: 0
    Allow the use of cleartext passwords on the wire.

The default changed back in 2.3.something to disallow plaintext passwords by default. If you want to make sure, set it in imapd.conf as:

allowplaintext: 0

This will require an SSF > 0, which means either digest authentication or a protection layer like TLS and SSL.

When you connect without TLS on the standard imap port, you'll see the following in the CAPABILITY response:

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://xxx.oregonstate.edu/ STARTTLS LOGINDISABLED COMPRESS=DEFLATE] xxx.oregonstate.edu Cyrus IMAP Murder v2.3.15 server ready

Notice the LOGINDISABLED part. After TLS is negotiated, a full CAPABILITY response is returned:

S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://xxx.oregonstate.edu/ AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE URLAUTH

Notice the AUTH=PLAIN part.

Andy

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
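A way to check what the server actually advertises at each stage, as an added example that is not part of the original post: it parses the two CAPABILITY lines Andy quotes and reports whether a cleartext login would be possible before TLS. The hostnames are the poster's placeholders; the "exposed" greeting is constructed here to show the symptom jonr describes (PLAIN/LOGIN offered on the unencrypted port).

```python
"""Audit IMAP CAPABILITY lines for cleartext-login exposure (added example,
not from the original post). Parses the pre-TLS greeting and the post-STARTTLS
CAPABILITY response quoted in the reply; hostnames are the poster's placeholders."""
import re

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # send the password in the clear without TLS

def parse_capabilities(line: str) -> set[str]:
    """Capability atoms from '* OK [CAPABILITY ...] text' or '* CAPABILITY ...'."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line)
         or re.match(r"^\*\s+CAPABILITY\s+(.*)$", line.strip()))
    if not m:
        raise ValueError("no CAPABILITY data in line")
    return set(m.group(1).split())

def auth_mechs(caps: set[str]) -> set[str]:
    # SASL mechanisms advertised as AUTH=<mech>, upper-cased for comparison
    return {c[5:].upper() for c in caps if c.upper().startswith("AUTH=")}

def cleartext_login_possible(caps: set[str], tls_active: bool) -> bool:
    """True if a password could cross the wire unprotected on this connection:
    LOGIN is not disabled, or a cleartext SASL mechanism is offered, and no TLS."""
    if tls_active:
        return False
    return "LOGINDISABLED" not in caps or bool(auth_mechs(caps) & CLEARTEXT_MECHS)

# Responses quoted in the reply: greeting on port 143, then after STARTTLS.
PRE_TLS_GREETING = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID "
                    "MUPDATE=mupdate://xxx.oregonstate.edu/ STARTTLS LOGINDISABLED "
                    "COMPRESS=DEFLATE] xxx.oregonstate.edu Cyrus IMAP Murder v2.3.15 server ready")
POST_TLS_CAPABILITY = ("* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID "
                       "MUPDATE=mupdate://xxx.oregonstate.edu/ AUTH=PLAIN SASL-IR "
                       "ACL RIGHTS=kxte QUOTA NAMESPACE UIDPLUS IDLE")
# Constructed greeting matching the poster's symptom: PLAIN/LOGIN offered before TLS.
EXPOSED_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] imap.example ready"

def audit(greeting: str, post_tls: str = "") -> dict:
    """Summarise what each stage of the connection exposes."""
    pre = parse_capabilities(greeting)
    result = {
        "login_disabled_before_tls": "LOGINDISABLED" in pre,
        "auth_mechs_before_tls": sorted(auth_mechs(pre)),
        "cleartext_possible_before_tls": cleartext_login_possible(pre, tls_active=False),
    }
    if post_tls:
        result["auth_mechs_after_tls"] = sorted(auth_mechs(parse_capabilities(post_tls)))
    return result

if __name__ == "__main__":
    print(audit(PRE_TLS_GREETING, POST_TLS_CAPABILITY), audit(EXPOSED_GREETING), sep="\n")
```

To audit a live server, feed `audit()` the greeting read from port 143 and the CAPABILITY response read after a successful STARTTLS; a hardened server should report no cleartext mechanisms before TLS and LOGINDISABLED present.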