- Previous message: Jorey Bump: "Re: More success with TLS; problem with STARTTLS"
- Maybe in reply to: JOYDEEP: "Re: how to enable TLs encryption only ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
|
|
|
From: Jorey Bump (no email)
Date: Mon Apr 02 2007 - 09:40:02 EDT
JOYDEEP wrote:
> thanks a lot for so in depth discussion. I have already enabled SSL
> encryption :-) as I have come to know from some documentation that
> the STARTTLS is stillnot very standard and the client side support for
> it is not become standard too.
Actually, it's very standardized and widely supported by nearly all new
versions of client software. You only need to consider alternatives for
existing legacy clients and perhaps newer buggy ones.
> and now I am going for the secured authentication.
> I may be permitted to give here the main.cf so that you can suggest the
> necessary tweaking I need.
For the most part, this looks good.
> -------------------------------------------------------------------------------------------------
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> sievedir: /var/lib/sieve
>
> admins: cyrus
> allowplaintext: yes
This is fine, as long as you've considered the risk and educated your
users to use the most secure approach available. It's quite trivial to
decode LOGIN authentication, if it can be sniffed on the wire.
> sasl_mech_list: LOGIN PLAIN
Consider supporting CRAM-MD5 and DIGEST-MD5 (see below).
> allowanonymouslogin: no
> autocreatequota: 10000
> reject8bit: no
> quotawarn: 90
> timeout: 30
> poptimeout: 10
> dracinterval: 0
> drachost: localhost
Are you actually using drac? It's hard to make a case for
POP-before-SMTP, these days. I'd disable it in favor of per-user
authentication.
> sasl_pwcheck_method: saslauthd
Consider switching to auxprop so you can support CRAM-MD5 and
DIGEST-MD5. Administering sasldb2 is no harder than maintaining local
system users, but I feel it narrows the risk. There are two sides to
this argument, so do some research before you make your decision.
> #auxprop saslauthd
> #sasl_auxprop_plugin: sasldb2
> servername:linux.kolkatainfoservices.in
>
> lmtp_overquota_perm_failure: no
> lmtp_downcase_rcpt: yes
> #
> # if you want TLS, you have to generate certificates and keys
> #
> tls_cert_file: /etc/openldap/myca/servercert.pem
> tls_key_file: /etc/openldap/myca/serverkey.pem
> tls_ca_file: /etc/openldap/myca/cacert.pem
> tls_ca_path: /etc/openldap/myca/
> tls_require_cert: no
> tlscache_db: berkeley
>
> unixhierarchysep: yes
Do you need to support dots in usernames or mailboxes? This is purely a
matter of choice, but not all systems support usernames with dots, so it
may affect future migrations to other IMAP servers. I prefer to have
logins without dots, but allow dots in the local part of aliases. Of
course, if you have existing accounts that already contain dots, you'll
probably need this for migration.
> virtdomains: yes
>
> defaultdomain: kolkatainfoservices.in
> loginrealms: kolkatainfoservices.in
>
> hashimapspool: true
> lmtpsocket: /var/lib/imap/socket/lmtp
---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
|
|
|