On Mon, Jan 10, 2011 at 11:22:51AM -0600, Dan White wrote:
> On 10/01/11 23:32 +1100, Bron Gondwana wrote:
> >On Mon, Jan 10, 2011 at 07:00:13AM -0500, Adam Tauno Williams wrote:
> >>On Sun, 2011-01-09 at 14:40 -0800, Dudi Goldenberg wrote:
> >>> >I am using Thunderbird to test with. I want to completely disallow logins
> >>> >without TLS for IMAP.
> >>> Have a look at /etc/cyrus.conf:
> >>>
> >>> Just hash out imap and restart cyrus.
> >>
> >>Incorrect. That disables IMAP (TCP/143) and leaves IMAP-over-SSL.
> >>Secure IMAP (IMAP w/TLS) still uses TCP/143. IMAP-over-SSL is rather
> >>hackish.
> >
> >What war are you trying to win here? Stopping people using plaintext
> >connections, or stopping passwords being potentially exposed to snoopers?
> >
> >Because "Secure IMAP" on port 143 just means that once the user has sent
> >their plaintext password over the wire already, you tell them to get lost
> >rather than let them in. It doesn't stop stupid client programs sending
> >the plaintext password out in the first place.
>
> That was addressed in RFC 3501, section 7.2.1 and presumably why the
> LOGINDISABLED response was created.
>
> If there are any imap clients that send over-the-wire cleartext passwords
> when server policy forbids it, then that would be grounds for a CVE report
> on that client.
>
> Running IMAP over 143 should be safe from over the wire snooping, if the
> server is properly configured.

Yeah, that's what's known as "wishful thinking" I suspect. Has anyone
actually done any testing on this?

> >IMAP-over-SSL does, because no client sends the password over the network
> >until it has a TCP connection - and it doesn't get one of them if it tries
> >to connect to port 143 and you don't have it turned on.
> >
> >So what's so hackish about IMAP-over-SSL precisely?
>
> RFC 2595 discourages it and lists some reasons.

Sorry, I don't buy any of those reasons.
"The server may be using a low grade cipher" - so layer a better one inside,
or don't use such an ancient server. I think that's a past artifact.

The "Secure vs Non-Secure" client interface issue is a boat that's sailed,
sorry. Besides, more clients are auto-configuring anyway (see Thunderbird's
ability to query a URL to get configuration parameters) - or just probing
both ports one-off and selecting the SSL one if available.

Port numbers are a limited resource - ok, I'll credit that one - but the fact
is that you can't really take them back now. They're in use widely enough
that it's not going to change any time soon.

Sorry - there's wishful thinking, and there's the reality - and the reality
is that enabling just port 993 is safe against poor implementation in the way
that hoping everyone checked for "LOGINDISABLED" isn't.

Bron.

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
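The two positions in the thread (a server on 143 advertising LOGINDISABLED until STARTTLS, versus only listening on 993) can be compared with a small in-process model. The code below is an added example written for this page; it is not from the thread, from Cyrus, or from any real client. It makes no network connections: the "wire" is a list standing in for what a snooper on TCP/143 would see, the server is a simplified state machine whose responses follow the shape of RFC 3501 / RFC 2595, the TLS handshake is elided, and the client names, user name and password are made up.

```python
# Added example (not from the thread or from Cyrus): model a server's
# pre-TLS LOGINDISABLED policy and compare a policy-honouring client with
# a "stupid" one that sends LOGIN as soon as it has a TCP connection.
from dataclasses import dataclass, field


@dataclass
class ImapServer:
    """Minimal IMAP server state for one connection (responses simplified)."""
    starttls: bool = True        # offer STARTTLS on port 143?
    logindisabled: bool = True   # advertise LOGINDISABLED before TLS?
    tls: bool = False            # has this session negotiated TLS yet?
    logged_in: bool = False
    wire: list = field(default_factory=list)  # cleartext lines a snooper sees

    def capabilities(self) -> str:
        caps = ["IMAP4rev1"]
        if not self.tls:
            if self.starttls:
                caps.append("STARTTLS")
            if self.logindisabled:
                caps.append("LOGINDISABLED")
        else:
            caps.append("AUTH=PLAIN")
        return "* CAPABILITY " + " ".join(caps)

    def send(self, tag: str, line: str) -> str:
        """Client sends one tagged command; the tagged response comes back."""
        if not self.tls:
            self.wire.append(f"{tag} {line}")  # cleartext: visible on the wire
        cmd = line.split(" ", 1)[0].upper()
        if cmd == "CAPABILITY":
            return f"{self.capabilities()}\r\n{tag} OK done"
        if cmd == "STARTTLS":
            if self.tls or not self.starttls:
                return f"{tag} BAD STARTTLS not available"
            self.tls = True  # handshake elided; later commands are encrypted
            return f"{tag} OK Begin TLS negotiation now"
        if cmd == "LOGIN":
            # RFC 3501 7.2.1: while LOGINDISABLED is advertised, reject LOGIN.
            if not self.tls and self.logindisabled:
                return f"{tag} NO LOGIN disabled until TLS is active"
            self.logged_in = True
            return f"{tag} OK LOGIN completed"
        return f"{tag} BAD unknown command"


def careful_client(server: ImapServer, user: str, password: str) -> str:
    """Client that honours LOGINDISABLED: never sends a password in the clear."""
    caps = server.send("a1", "CAPABILITY").split("\r\n")[0].split()
    if "LOGINDISABLED" in caps:
        if "STARTTLS" not in caps:
            return "refused: no way to log in securely"
        if not server.send("a2", "STARTTLS").startswith("a2 OK"):
            return "refused: STARTTLS failed"
    return server.send("a3", f'LOGIN "{user}" "{password}"')


def naive_client(server: ImapServer, user: str, password: str) -> str:
    """Client that sends LOGIN as soon as it has a connection, policy or not."""
    return server.send("a1", f'LOGIN "{user}" "{password}"')


def password_snooped(server: ImapServer, password: str) -> bool:
    """Did the password ever cross the wire in cleartext?"""
    return any(password in line for line in server.wire)


def connect(port: int, open_ports: set) -> ImapServer:
    """Stand-in for TCP connect: closed ports refuse, 993 starts inside TLS."""
    if port not in open_ports:
        raise ConnectionRefusedError(port)
    return ImapServer(tls=(port == 993))


if __name__ == "__main__":
    # Port 143 with LOGINDISABLED: the naive client is rejected, but its
    # password has already been seen by the snooper.
    s = ImapServer()
    print(naive_client(s, "alice", "s3cret"), password_snooped(s, "s3cret"))
    # Only 993 open: the naive client never gets a cleartext session at all.
    try:
        connect(143, {993})
    except ConnectionRefusedError:
        print("143 refused")
    s = connect(993, {993})
    print(naive_client(s, "alice", "s3cret"), password_snooped(s, "s3cret"))
```

The model reproduces the point made in the reply: with LOGINDISABLED on 143 the server correctly refuses the naive client, but `password_snooped` is already true by then; with only 993 listening, the same client is refused at TCP level before it can send anything, and the careful client works in both configurations.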