On Sun, Aug 9, 2015, at 20:18, Carlos Velasco wrote:
> Hi,
>
> Right now, the "allowplaintext" option disallows using plain authentication if
> the session is not protected by TLS.
> However, this setting still allows a client to do MD5 or SHA1 auth without the
> session being protected by TLS. This can lead to no data confidentiality
> when using non-plain auth.
> There are several admins now requesting to force TLS for all sessions, and
> although this can be done using "allowplaintext" and removing all mechs but
> PLAIN, it would be right to be able to provide another layer of security and
> use TLS+SHA1 or so...
>
> Attached is a patch with a new imapd.conf option:
> forcetlsauth: 0 | 1. Default 0
> If enabled, all authentications require a TLS session to be negotiated first.

I'm happy with that. We go a step further at FastMail and require SSL always (port 993). See arguments here:

> The patch also "hides" AUTH and other authentication commands that are not
> allowed before TLS in the CAPABILITY responses.
> Patched in imapd, pop3d, nntpd, httpd.
>
> This patch does not break cyradm functionality at all; however, I attach
> another patch for the cyradm perl part to allow a "--cafile" option (got tired
> of certificate validation warnings) and also fixed a minor bug when
> requesting capabilities from the server without the callback.
>
> Please consider committing this to mainstream.
>
> Regards,
> Carlos Velasco
>
> Email had 2 attachments:
> + cyrus-imapd-2.5.4-forcetlsauth.patch
> 7k (text/x-patch)
> + cyrus-imapd-2.5.4-cyradmtls1.patch
> 2k (text/x-patch)

-- 
Bron Gondwana
br...@fastmail.fm
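A quick way to verify the behaviour the thread is asking for is to look at what the server advertises in CAPABILITY on the cleartext connection, before STARTTLS: with only "allowplaintext" off, LOGINDISABLED is present and AUTH=PLAIN is gone, but AUTH=DIGEST-MD5 or AUTH=CRAM-MD5 are still offered, which is exactly the gap Carlos describes; with authentication forced behind TLS, no AUTH= mechanism should appear until STARTTLS has completed. The script below is an added example written for this discussion, not part of Carlos Velasco's patch or of the Cyrus IMAP code base. It parses untagged CAPABILITY lines and classifies whether any authentication is possible before TLS; the two sample responses are constructed for illustration, and the optional live probe (`probe_pre_tls`, an assumed helper name) only performs a cleartext CAPABILITY query, it never sends credentials.

```python
"""Classify whether an IMAP server would accept authentication before STARTTLS,
judged from the CAPABILITY response it gives on the unprotected connection.

Added example for the forcetlsauth discussion; not code from the patch or from
Cyrus IMAP. Sample responses are constructed, not captured from a real server.
"""
import re
import socket

# AUTH=<mech> tokens are SASL mechanisms the client may use right now.
AUTH_CAP = re.compile(r"^AUTH=(\S+)$")


def parse_capabilities(line: str) -> set:
    """Return the capability tokens (upper-cased) from an untagged CAPABILITY
    response such as '* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN'."""
    line = line.strip()
    if line.startswith("*"):
        line = line[1:].strip()
    parts = line.split()
    if parts and parts[0].upper() == "CAPABILITY":
        parts = parts[1:]
    return {p.upper() for p in parts}


def plaintext_auth_exposure(caps: set) -> dict:
    """Given the capability set seen before STARTTLS, report what a client could
    do without TLS: LOGIN (unless LOGINDISABLED) and any advertised AUTH= mech.
    A server that forces TLS for all authentication should yield
    auth_possible_before_tls == False while still advertising STARTTLS."""
    mechs = []
    for cap in caps:
        m = AUTH_CAP.match(cap)
        if m:
            mechs.append(m.group(1))
    login_allowed = "LOGINDISABLED" not in caps
    return {
        "starttls": "STARTTLS" in caps,
        "sasl_mechs_before_tls": sorted(mechs),
        "login_before_tls": login_allowed,
        "auth_possible_before_tls": bool(mechs) or login_allowed,
    }


def probe_pre_tls(host: str, port: int = 143, timeout: float = 10.0) -> dict:
    """Live check (assumed helper, not run by the offline demo): connect in
    cleartext, issue CAPABILITY before STARTTLS, classify, then LOGOUT."""
    caps = set()
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        f.readline()  # discard the server greeting
        s.sendall(b"a1 CAPABILITY\r\n")
        while True:
            line = f.readline().decode("utf-8", "replace")
            if not line:
                break
            if line.upper().startswith("* CAPABILITY"):
                caps |= parse_capabilities(line)
            elif line.startswith("a1 "):  # tagged completion of CAPABILITY
                break
        s.sendall(b"a2 LOGOUT\r\n")
    return plaintext_auth_exposure(caps)


# Constructed sample responses (not captured from any real server).
# allowplaintext: 0 only: PLAIN/LOGIN gone, but digest mechs still offered.
SAMPLE_ALLOWPLAINTEXT_OFF = (
    "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5"
)
# What a server that forces TLS for all auth should show before STARTTLS.
SAMPLE_TLS_FORCED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

if __name__ == "__main__":
    for name, sample in (("allowplaintext off", SAMPLE_ALLOWPLAINTEXT_OFF),
                         ("tls forced", SAMPLE_TLS_FORCED)):
        print(name, plaintext_auth_exposure(parse_capabilities(sample)))
```

Run against a real host with `probe_pre_tls("imap.example.test")` to see the cleartext-side picture; the same classification applies to the post-STARTTLS CAPABILITY, where the mechanisms should reappear.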