Re: how to enable TLs encryption only ?

From: Jorey Bump (no email)
Date: Fri Mar 30 2007 - 09:42:00 EDT

  • Next message: lartc: "Re: how to enable TLs encryption only ?"

    Olaf Fraczyk wrote:
    > On Fri, 2007-03-30 at 16:19 +0530, JOYDEEP wrote:
    >> I am a bit confused here. may be I am wrong but imaps is running at port
    >> 993 with SSL where imap with TLs is running at port 143.
    >> I need the imap + TLS. I don't have any imaps entry in my imapd.conf.
    >> So could you all be a little bore verbose :-)
    >> thanks for the help so far.
    > I mean that if you want to force encryption on users you need to use
    > imaps.

    It's not quite that simple. The documentation is less than clear on
    this, but the behaviour of the daemon is affected by various settings.
    For example, (on recent versions of Cyrus IMAP, at least) by enabling TLS:

      tls_key_file: /path/to/key.pem
      tls_cert_file: /path/to/cert.pem

    and setting these values:

      sasl_pwcheck_method: auxprop
      sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
      allowplaintext: 0
      sasl_minimum_layer: 0

    Cyrus IMAP will perform some basic integrity checks appropriate to the
    mechanism used:

      PLAIN is denied without negotiating STARTTLS first
      LOGIN is denied without negotiating STARTTLS first
      CRAM-MD5 is allowed without negotiating STARTTLS
      DIGEST-MD5 is allowed without negotiating STARTTLS

    By enabling plaintext:

      allowplaintext: 1

    It is now possible to use LOGIN without STARTTLS, but (on my system)
    PLAIN still requires STARTTLS. By adjusting sasl_minimum_layer, it is
    also possible to require encryption for the other mechanisms.

    So, yes, it is possible to enforce a variety of security levels on port
    143. Getting this to match your local policy requires some tweaking. You
    may only care that authentication is encrypted, but not the message
    transfer. In that case, it's only necessary to enforce TLS for PLAIN and

    imtest is indispensible for testing your configuration. You can run it
    through its paces by specifying different mechanisms:

      imtest -u bob -a bob -m PLAIN

    and adding TLS negotiation:

      imtest -u bob -a bob -m PLAIN -t ""

    The output is verbose and will help you to understand how your server is
    configured. Remember to logout with:

    . logout

    > If you have imap + TLS it is up to the client to decide if it wants to
    > upgrade the "clear text" connection to TLS.
    > Disabling imap disallows connection of clients and sending clear text
    > passwords on the wire :)
    > You may consider (not technically 100% accurate):
    > imaps=imap+TLS_always_on.

    Well, this is only true if you've configured imapd to run in SSL wrapper
    mode with the -s flag (not the same as STARTTLS):

      imaps cmd="imapd -s" listen="imaps" prefork=0

    You can do that on any port, even 143 (not recommended).

    It's still a good idea to configure imaps (on port 993), since client
    support for STARTTLS is still relatively recent. There are a lot of
    legacy clients that can't negotiate STARTTLS, but can handle imaps (SSL)
    just fine.

    Cyrus Home Page:
    Cyrus Wiki/FAQ:
    List Archives/Info:

  • Next message: lartc: "Re: how to enable TLs encryption only ?"

    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs

    Powered By FreeBSD   Powered By FreeBSD