On Sun, Aug 9, 2015, at 20:18, Carlos Velasco wrote:
> Hi,
>
> Right now, the "allowplaintext" option disallows using plain authentication if
> the session is not protected by TLS.
> However, this setting still allows a client to make MD5 or SHA1 auth without
> the session being protected by TLS. This can lead to no data confidentiality
> when using non-plain auth.
> There are several admins now requesting to force TLS for all sessions, and
> although this can be done using "allowplaintext" and removing all mechs but
> Plain, it would be right to be able to provide another layer of security and
> use TLS+SHA1 or so...
>
> Attached is a patch with a new imapd.conf option:
> forcetlsauth: 0 | 1. Default 0
> If enabled, all authentications require a TLS session negotiated before.
I'm happy with that. We go a step further at FastMail and require SSL always
(port 993). See arguments here:

(sorry about the previous post - my laptop's horrible mouse/touchpad thing is
finicky, and clicked the button for me as I switched windows to grab the link)

https://www.fastmail.com/help/technical/ssltlsstarttls.html

> Patch also "hides" AUTH and other authentication commands that are not
> allowed before TLS, in Capabilities commands.
> Patched in imapd, pop3d, nntpd, httpd.

Good plan.

> This patch does not break cyradm functionality at all, however I attach
> another patch for the cyradm perl part to allow the "--cafile" option (got
> tired of certificate validation warnings) and also fixed a minor bug when
> requesting capabilities from the server without the callback.

Sounds good to me. Leena - any comments as the expert on cyradm these days? :)

> Please, consider committing this to mainstream.

I'll have a read through - but I have no objection in principle to these
patches. Thanks for submitting them!

Cheers,

Bron.

--
Bron Gondwana
br...@fastmail.fm
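The thread describes a server-side check that is easy to verify from the client side: before STARTTLS, a server that only sets allowplaintext=0 still advertises challenge-response mechanisms (AUTH=CRAM-MD5, AUTH=DIGEST-MD5), so a client can authenticate and then run the whole session in the clear; a server that forces TLS for all authentication should advertise no AUTH= mechanism and LOGINDISABLED until TLS is up. The script below is an added example written for this page, not the submitted patch and not Cyrus code. The capability lists it ships with are constructed samples that assume the pre-/post-STARTTLS views the thread describes; the only real API it uses is Python's imaplib for the optional live probe.

```python
"""Check whether an IMAP server leaves any authentication path open before STARTTLS.

Added example, not code from the Cyrus patch or from Cyrus itself. It applies
the rule discussed in the thread: with only allowplaintext=0, a server still
offers AUTH=CRAM-MD5 / AUTH=DIGEST-MD5 on the cleartext connection, so the
session contents are not confidential; a server enforcing TLS for all auth
should advertise no AUTH= mechanism and LOGINDISABLED until TLS is up.
"""
import imaplib
import re
import ssl
import sys

# Constructed sample capability lists (assumptions, not captured from a real server).
# Pre-STARTTLS view of a server that only sets allowplaintext=0: no LOGIN/PLAIN,
# but challenge-response mechanisms are still offered in the clear.
WEAK_PRE_TLS = ["IMAP4rev1", "LITERAL+", "ID", "STARTTLS", "LOGINDISABLED",
                "AUTH=CRAM-MD5", "AUTH=DIGEST-MD5"]
# Pre-STARTTLS view the thread describes for forcetlsauth=1: AUTH= hidden entirely.
STRICT_PRE_TLS = ["IMAP4rev1", "LITERAL+", "ID", "STARTTLS", "LOGINDISABLED"]
# Post-STARTTLS view: mechanisms reappear once the channel is protected.
POST_TLS = ["IMAP4rev1", "LITERAL+", "ID", "AUTH=PLAIN", "AUTH=CRAM-MD5",
            "AUTH=DIGEST-MD5"]

_AUTH_CAP = re.compile(r"^AUTH=(\S+)$", re.IGNORECASE)


def auth_mechs(capabilities):
    """SASL mechanisms named by AUTH=<mech> entries, upper-cased and sorted."""
    found = set()
    for cap in capabilities:
        m = _AUTH_CAP.match(cap.strip())
        if m:
            found.add(m.group(1).upper())
    return sorted(found)


def pre_tls_exposure(capabilities):
    """What a client could do on the cleartext connection, given the pre-STARTTLS list."""
    caps = {c.strip().upper() for c in capabilities}
    mechs = auth_mechs(capabilities)
    return {
        "starttls_offered": "STARTTLS" in caps,
        "login_command_allowed": "LOGINDISABLED" not in caps,
        # Mechanisms that send the password itself in the clear.
        "plaintext_mechs": [m for m in mechs if m in ("PLAIN", "LOGIN")],
        # Mechanisms that protect the password but leave the session in the clear.
        "cleartext_session_mechs": [m for m in mechs if m not in ("PLAIN", "LOGIN")],
    }


def forces_tls_auth(capabilities):
    """True only if the pre-STARTTLS capability list offers no way to authenticate."""
    exp = pre_tls_exposure(capabilities)
    return (exp["starttls_offered"]
            and not exp["login_command_allowed"]
            and not exp["plaintext_mechs"]
            and not exp["cleartext_session_mechs"])


def probe_live(host, port=143):
    """Live check against a real server: capabilities before and after STARTTLS.

    Not exercised by the offline samples above; needs network access.
    """
    conn = imaplib.IMAP4(host, port)
    before = list(conn.capabilities)             # imaplib splits and upper-cases CAPABILITY
    conn.starttls(ssl.create_default_context())  # refreshes conn.capabilities on success
    after = list(conn.capabilities)
    conn.logout()
    return before, after


if __name__ == "__main__":
    if len(sys.argv) > 1:
        before, _after = probe_live(sys.argv[1])
    else:
        before = WEAK_PRE_TLS
    print("pre-STARTTLS exposure:", pre_tls_exposure(before))
    print("forces TLS for all auth:", forces_tls_auth(before))
```

Run it with a hostname to probe a real server on port 143; without arguments it evaluates the constructed allowplaintext=0 sample, which is judged as not forcing TLS because CRAM-MD5 and DIGEST-MD5 remain usable on the cleartext connection. Hiding AUTH= from CAPABILITY is only the advertised half of the fix; the server must also reject AUTHENTICATE and LOGIN before STARTTLS, since a client can send the command without asking for capabilities first.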