On Mon, 15 Oct 2012, Andrew Morgan wrote:

> I run a standard Cyrus Murder on v2.4.16. When I have "allowplaintext:0"
> on my frontends and "allowplaintext:1" on my backends, the frontends will
> not use TLS when proxying the connection to a backend, even if the
> frontend connection from the client used TLS or SSL.
>
> When I set "allowplaintext:0" on the backend, then the frontend will use
> TLS for the proxy connection.
>
> Shouldn't the frontend attempt to use TLS for the proxy connection if
> STARTTLS is advertised?

Digging through the 2.4.16 source code, I see this in imap/backend.c:

    /* If we don't have a usable mech, do TLS and try again */
    } while (r == SASL_NOMECH && CAPA(s, CAPA_STARTTLS) &&
             do_starttls(s, &prot->tls_cmd) != -1 &&

So it appears that backend_authenticate will only use TLS if it is
required. I'll look into changing my allowplaintext setting to require
TLS/SSL.

> On a related note, will a frontend ever make an IMAP-SSL proxy connection
> to a backend? I ask because I want to set my maxchild parameter correctly
> on my backends. Right now, all connections seem to be proxied to the
> "imap" service and none are made on the "imaps" service.

In my testing, even with allowplaintext:0 on the backend, an IMAP-SSL
(port 993) frontend connection uses an IMAP-TLS (port 143 with STARTTLS)
backend connection. This is fine. I just needed to know so I can set
maxchild correctly on my backends.

Andy

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
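The whole thread hinges on when that do-while in imap/backend.c falls through to STARTTLS: only after the SASL client reports SASL_NOMECH. The following Python model is added to this archived message and is not Cyrus code or anything posted to the list; the `Backend` class, the single "PLAIN" mechanism and the `proxy_link_summary` helper are constructed for the illustration. It reproduces the loop's shape so you can see why the backend's allowplaintext setting, not the frontend's, decides whether proxy credentials cross the wire in the clear.

```python
"""Model of the proxy-authentication fallback quoted from imap/backend.c.

Added illustration, not Cyrus source: it mimics the do-while (try SASL;
on SASL_NOMECH, issue STARTTLS if advertised and retry) so the effect of
the backend's allowplaintext setting on the proxy link is visible.
"""
from dataclasses import dataclass

SASL_NOMECH = "SASL_NOMECH"   # stands in for the libsasl error code


@dataclass
class Backend:
    """Constructed model of what a backend advertises on port 143."""
    allowplaintext: bool       # the backend's imapd.conf setting
    starttls: bool = True      # whether STARTTLS appears in CAPABILITY

    def sasl_mechs(self, tls_active: bool) -> list:
        # Cyrus only advertises plaintext mechanisms (PLAIN, LOGIN) when
        # allowplaintext is set or the link is already encrypted.
        if self.allowplaintext or tls_active:
            return ["PLAIN"]
        return []


def sasl_client_start(offered: list, wanted: tuple) -> str:
    """Pick the first mutually supported mechanism, else SASL_NOMECH."""
    for mech in offered:
        if mech in wanted:
            return mech
    return SASL_NOMECH


def backend_authenticate(backend: Backend,
                         frontend_mechs: tuple = ("PLAIN",)) -> dict:
    """Mirror the loop quoted from imap/backend.c.

    Returns how the proxy link ended up: which mechanism was used and
    whether STARTTLS was negotiated before credentials were sent.
    """
    tls_active = False
    while True:
        r = sasl_client_start(backend.sasl_mechs(tls_active), frontend_mechs)
        if r != SASL_NOMECH:
            # A usable mech existed, so the loop exits here: if the backend
            # offered PLAIN in the clear, credentials go in the clear.
            return {"mech": r, "tls": tls_active}
        # "If we don't have a usable mech, do TLS and try again"
        if backend.starttls and not tls_active:
            tls_active = True          # do_starttls() succeeded
            continue
        raise RuntimeError("no usable SASL mechanism on backend")


def proxy_link_summary() -> dict:
    """Both backend configurations from the thread, side by side."""
    return {
        "backend allowplaintext:1": backend_authenticate(Backend(allowplaintext=True)),
        "backend allowplaintext:0": backend_authenticate(Backend(allowplaintext=False)),
    }


if __name__ == "__main__":
    for cfg, result in proxy_link_summary().items():
        print(f"{cfg}: mech={result['mech']} tls={result['tls']}")
```

With allowplaintext:1 on the backend, PLAIN is offered before STARTTLS, the first SASL attempt succeeds, and the STARTTLS branch is never reached; with allowplaintext:0 the first attempt yields SASL_NOMECH and the loop upgrades the link before retrying, which matches what Andy observed. A backend that disallows plaintext but does not advertise STARTTLS leaves the proxy with no way to authenticate at all, so the model raises in that case rather than silently falling back.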