On Wed, June 22, 2016 6:02 pm, Dan White wrote: > On 06/22/16 17:28 +0200, Eric Luyten via Info-cyrus wrote: > >> All, >> >> >> >> After trying for a couple of days I have come to the conclusion >> that the Office 365 IMAP import tool uses the LOGIN authentication mech while >> Cyrus requires PLAIN or stronger for proxying to work. >> >> >> Even when only announcing AUTH=PLAIN in our server capabilities, >> Microsoft executes LOGIN ... ... >> >> >> (violation of RFC3501 section 6.1.1 ? >> dunno whether I am reading that correctly) >> >> >> Is my conclusion correct ? >> Any hacks or workarounds ? >> > > To enable SASL LOGIN support, add 'LOGIN' to your sasl_mech_list. Don't > confuse login with pre-sasl user/pass authentication. > > If Office 365 isn't performing TLS, you'll need to configure > sasl_minimum_layer and allowplaintext appropriately. > Dan, Thank you for your reply. By restricting the sasl_mech_list in imapd.conf I can make our server announce only AUTH=PLAIN in its capabilities string but the client insists on (and succeeds in) authenticating using AUTH=LOGIN, thus rendering proxying impossible. There is a mech_list setting in saslauthd.conf which currently reads 'mech_list: login plain ldap' but this applies server wide and so I am a bit reluctant playing with it. The Office365 IMAP import client uses TLS, I have requested to deselect that option to see whether it then switches to using the stronger mech AUTH=PLAIN >From the docs I understand it's SASL deciding whether or not to allow proxying through the Mechanism Properties/Features, not Cyrus. All help appreciated, Eric Luyten, Computing Centre VUB/ULB. ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
