I know this patch has already been applied to Git, but it shouldn't be necessary, and can probably be backed out. If you want to force confidentiality, all you need to do is to set sasl_minimum_layer to 2 or higher. With a value of 2, DIGEST-MD5, GSSAPI, and KERBEROS_V4 will still be advertised because they all have their own confidentiality layers (up to 128 bits). If you want to force TLS to be used before any SASL mechs are advertised, set sasl_minimum_layer to 129 or higher.

On 08/09/2015 06:18 AM, Carlos Velasco wrote:
Hi,

Right now, the "allowplaintext" option disallows using plain authentication if the session is not protected by TLS. However, this setting still allows a client to do MD5 or SHA1 auth without the session being protected by TLS. This can lead to no data confidentiality when using non-plain auth.
There are several admins now requesting to force TLS for all sessions, and although this can be done using "allowplaintext" and removing all mechs but PLAIN, it would be right to be able to provide another layer of security and use TLS+SHA1 or so...

Attached is a patch with a new imapd.conf option:
forcetlsauth: 0 | 1. Default 0
If enabled all authentications require a TLS session negotiated before.

The patch also "hides" AUTH and other authentication commands that are not allowed before TLS in the Capabilities commands.
Patched in imapd, pop3d, nntpd, httpd.

This patch does not break cyradm functionality at all; however, I attach another patch for the cyradm Perl part to allow a "--cafile" option (got tired of certificate validation warnings) and also fix a minor bug when requesting capabilities from the server without the callback.

Please, consider committing this to mainstream.

Regards,
Carlos Velasco


--
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University
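The mechanism-filtering rule the reply relies on, as an added illustration that is not code from Cyrus IMAP or Cyrus SASL: a SASL server offers a mechanism only if the mechanism's own security layer, added to whatever the TLS session already provides, can reach sasl_minimum_layer, and plaintext mechanisms are additionally suppressed before TLS unless allowplaintext is set. The mechanism table and the TLS strength of 256 bits are constructed values; the per-mechanism strengths follow the reply's "up to 128 bits" and are assumptions, not the exact numbers the real plugins report.

```python
"""Simplified model of SASL mechanism advertisement versus sasl_minimum_layer.

Added example, not Cyrus IMAP or Cyrus SASL code. Mechanism strengths below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mech:
    name: str
    max_ssf: int             # strongest confidentiality layer the mech itself offers
    plaintext: bool = False  # sends the password in the clear (PLAIN/LOGIN)


# Constructed mechanism table (assumed strengths).
MECHS = (
    Mech("PLAIN", 0, plaintext=True),
    Mech("LOGIN", 0, plaintext=True),
    Mech("CRAM-MD5", 0),
    Mech("SCRAM-SHA-1", 0),
    Mech("DIGEST-MD5", 128),
    Mech("GSSAPI", 128),
    Mech("KERBEROS_V4", 128),
)


def advertised(minimum_layer: int, external_ssf: int, allowplaintext: bool = False) -> list[str]:
    """Return the mechanism names the server would list in this state.

    minimum_layer  -- value of sasl_minimum_layer in imapd.conf
    external_ssf   -- strength of the negotiated TLS session in bits, 0 before STARTTLS
    allowplaintext -- value of allowplaintext in imapd.conf
    """
    # TLS already contributes external_ssf bits; the mechanism only has to cover the rest.
    remaining = max(minimum_layer - external_ssf, 0)
    offered = []
    for mech in MECHS:
        # allowplaintext: 0 hides PLAIN/LOGIN until the session is protected.
        if mech.plaintext and not allowplaintext and external_ssf == 0:
            continue
        # Mechanism cannot reach the required layer on its own.
        if mech.max_ssf < remaining:
            continue
        offered.append(mech.name)
    return offered


def auth_possible_before_tls(minimum_layer: int) -> bool:
    """True if any mechanism is still offered on an unprotected connection."""
    return bool(advertised(minimum_layer, external_ssf=0))


if __name__ == "__main__":
    for layer in (0, 2, 129):
        print(f"sasl_minimum_layer: {layer:>3}  no TLS   -> {advertised(layer, 0)}")
        print(f"sasl_minimum_layer: {layer:>3}  TLS 256  -> {advertised(layer, 256)}")
```

With sasl_minimum_layer set to 2, only the mechanisms that carry their own confidentiality layer survive before STARTTLS; at 129 nothing is offered until TLS is up, and once a 256-bit TLS session exists the remaining requirement drops to zero and every mechanism, PLAIN included, is listed again.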
