To the best of my recollection, the STARTTLS commit was a result of this
"bug": https://bugzilla.cyrusimap.org/show_bug.cgi?id=2980
I don't know if having STARTTLS advertised on a pre-auth'd connection
was causing issues or just annoyed the guy. If we re-enable it, we
should definitely do some testing to make sure that it doesn't
break the LMTP client code used by lmtpproxy.
On 06/14/2016 07:55 PM, ellie timoney via Cyrus-devel wrote:
I use "lmtpd -a" listen on a NIC interface and receive lmtp
request from a remote postfix instance. Now preauth works, but
mail data was transferred without encryption.
Ah, I see what you mean. I didn't know that -a option was there.
I guess the commit you mentioned disabled startssl because the
author thinks we just need ssl to protect PLAIN Password auth
request.
My guess would be an assumption that no-one would send LMTP traffic
over the internet (that's what SMTP is for). If one expects LMTP
traffic (and especially pre-authed LMTP traffic) to be within a single
server, or at most between servers sitting in nearby racks over a
private network, then this all makes sense.
Ken, do you want to chime in here? The disabling STARTTLS commit
(b93e6be) and the one to add the -a option (a501222) were both yours.
I'm hoping to get a clearer understanding of the intent.
For what it's worth, lmtpd(8) man page says:
-a Preauthorize connections initiated on an internet
socket, instead of requiring LMTP AUTH.
This should only be used for connections coming from
trusted hosts.
Maybe this could be expanded: "from trusted hosts, over trusted networks".
Personally, I think all mail data should be encrypted in internet
transfer.
This kind of sounds like the answer might be "don't use -a when your
listen address is reachable over the internet"...
My own inclination is to re-enable STARTTLS, but I'd like to better
understand why it was disabled before I do so.
On Tue, Jun 14, 2016, at 07:16 PM, qyb wrote:
I use "lmtpd -a" listen on a NIC interface and receive lmtp request
from a remote postfix instance. Now preauth works, but mail data was
transferred without encryption.
I guess the commit you mentioned disabled startssl because the
author thinks we just need ssl to protect PLAIN Password auth
request. Personally, I think all mail data should be encrypted in
internet transfer.
On Tue, Jun 14, 2016 at 9:25 AM, ellie timoney via Cyrus-devel
<cyrus-devel@lists.andrew.cmu.edu> wrote:
On Wed, Jun 1, 2016, at 03:28 AM, qyb via Cyrus-devel wrote:
I noticed that cyrus disables TLS on preauth'd connections.
Authentication info (plain password...) needs TLS protection. And
I think that RFC822 text also needs TLS.
Can you expand on this a bit?
As far as I understand, connections are only ever preauth'd when
they come in via UNIX-domain sockets, which are inherently
local. What are you trying to protect, and from whom?
For what it's worth, it looks like STARTTLS used to work (at
least to some degree) for preauth'd LMTP, but was explicitly
disabled in 2001 by this commit:
https://cgit.cyrus.foundation/cyrus-imapd/commit/?id=b93e6be5b19362f9e295b40ceb81b702d73de6bb
So I guess you might be able to re-enable it by doing the inverse
of that, though I'm not really seeing the point?
--
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University
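
Added example (not part of the thread and not Cyrus project code): a small audit for the point raised above about not using "lmtpd -a" on an address reachable beyond the local host. It assumes cyrus.conf SERVICES entries written one per line with quoted cmd= and listen= values; the sample config, service names and function names are constructed for illustration.

```python
import ipaddress
import re
import shlex

# Constructed sample in cyrus.conf SERVICES syntax (not taken from the thread).
SAMPLE_CONF = '''
SERVICES {
  imap       cmd="imapd" listen="imap" prefork=0
  lmtpunix   cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
  lmtplocal  cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0
  lmtpnic    cmd="lmtpd -a" listen="192.0.2.10:lmtp" prefork=0   # preauth on a NIC
  lmtpany    cmd="lmtpd -a" listen="lmtp" prefork=0
  lmtpauth   cmd="lmtpd" listen="192.0.2.10:2003" prefork=0
}
'''

ENTRY = re.compile(r'^\s*(\w+)\s+(.*\bcmd=.*)$')   # "<name> cmd=... listen=..."
ARG = re.compile(r'(\w+)="([^"]*)"')               # quoted key="value" pairs

def listen_is_local(listen):
    """True for a UNIX socket path or an explicit loopback address."""
    if listen.startswith('/'):
        return True
    host = listen.rpartition(':')[0].strip('[]')
    if not host:
        return False            # bare port/service name: binds every interface
    if host == 'localhost':
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False            # other hostnames: assume reachable remotely

def exposed_preauth_lmtp(conf_text):
    """Return (service, listen) for lmtpd -a services not bound locally."""
    findings = []
    for line in conf_text.splitlines():
        m = ENTRY.match(line.split('#', 1)[0])
        if not m:
            continue
        args = dict(ARG.findall(m.group(2)))
        argv = shlex.split(args.get('cmd', ''))
        if not argv or not argv[0].endswith('lmtpd'):
            continue
        if '-a' in argv[1:] and not listen_is_local(args.get('listen', '')):
            findings.append((m.group(1), args.get('listen', '')))
    return findings

if __name__ == '__main__':
    for name, listen in exposed_preauth_lmtp(SAMPLE_CONF):
        print(f'{name}: preauthorized LMTP on non-local listener {listen!r}')
```

Each finding is a listener where connections are preauthorized and, per the thread, mail data crosses the network without STARTTLS.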