Quoting Andrew Morgan <morgan@xxxxxxxx>:

> On Sun, 9 Jan 2011, jonr@xxxxxxxxxx wrote:
>
>> Hello List!
>>
>> I think maybe I am confused here. I thought 'allowplainwithouttls: O'
>> would not allow cleartext passwords but now I am thinking it means
>> only the PLAIN mech.
>>
>> Is that correct?
>>
>> If that is the case, how do I configure the server to only accept
>> PLAIN LOGIN only if there is SSL/TLS present? Right now when I do a
>> packet capture on the session I can see the username and password in
>> cleartext inside of my capture file.
>
> allowplaintext: 0
> Allow the use of cleartext passwords on the wire.
>
> The default changed back in 2.3.something to disallow plaintext
> passwords by default. If you want to make sure, set it in
> imapd.conf as:
>
> allowplaintext: 0
>
> This will require a SSF > 0, which means either digest
> authentication or a protection layer like TLS and SSL.
>
> When you connect without TLS on the standard imap port, you'll see
> the following in the CAPABILITY response:
>
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID
> MUPDATE=mupdate://xxx.oregonstate.edu/ STARTTLS LOGINDISABLED
> COMPRESS=DEFLATE] xxx.oregonstate.edu Cyrus IMAP Murder v2.3.15
> server ready
>
> Notice the LOGINDISABLED part.
>
> After TLS is negotiated, a full CAPABILITY response is returned:
>
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID
> MUPDATE=mupdate://xxx.oregonstate.edu/ AUTH=PLAIN SASL-IR ACL
> RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
> SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
> CATENATE CONDSTORE SCAN IDLE URLAUTH
>
> Notice the AUTH=PLAIN part.
>
> Andy

Perfect, thanks Andy.

Jon

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
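An added check, not part of the thread or of Cyrus itself, that parses the two CAPABILITY responses Andy quoted and reports whether a cleartext credential mechanism (LOGIN, or AUTH=PLAIN/AUTH=LOGIN) would be accepted on that connection; the sample responses are transcribed from his post and the function names are assumptions of this example.

```python
import re

# Sample responses transcribed from the post above (server name left as
# the poster masked it). These are fixed strings, not a live connection.
PRE_TLS_GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID "
    "MUPDATE=mupdate://xxx.oregonstate.edu/ STARTTLS LOGINDISABLED "
    "COMPRESS=DEFLATE] xxx.oregonstate.edu Cyrus IMAP Murder v2.3.15 server ready"
)
POST_TLS_CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://xxx.oregonstate.edu/ "
    "AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS "
    "NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ "
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE URLAUTH"
)

# Cleartext SASL mechanisms: the credential travels unprotected unless TLS wraps it.
CLEARTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line):
    """Return the capability atoms from either an untagged '* CAPABILITY ...'
    response or a greeting that carries a '[CAPABILITY ...]' response code."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m is None:
        m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line)
    if m is None:
        raise ValueError("no CAPABILITY data in line")
    return set(m.group(1).split())


def plaintext_auth_exposed(caps, tls_active):
    """True if a password could cross the wire in cleartext on this connection.

    Per RFC 3501 the LOGIN command is permitted unless the server advertises
    LOGINDISABLED, so a pre-TLS response without it is exposed even when no
    AUTH= mechanism is listed. Once TLS is up, the credential is encrypted."""
    if tls_active:
        return False
    login_allowed = "LOGINDISABLED" not in caps
    sasl_cleartext = bool(caps & CLEARTEXT_SASL)
    return login_allowed or sasl_cleartext


def assess_server(pre_tls_line, post_tls_line):
    """Summarise the two-phase picture Andy described for allowplaintext: 0."""
    pre, post = parse_capabilities(pre_tls_line), parse_capabilities(post_tls_line)
    return {
        "starttls_offered": "STARTTLS" in pre,
        "exposed_before_tls": plaintext_auth_exposed(pre, tls_active=False),
        "plain_after_tls": "AUTH=PLAIN" in post,
    }
```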