Kenneth Murchison writes: > >I don't know about imspd, but for imapd run it with '-p 2' (or higher). >Check imapd(8) for details. And here I was reading the source looking for a way, and RTFM would have done it. However, I wouldn't have guessed that from the man page: OPTIONS -p ssf Tell imapd that an external layer exists. An SSF (security strength factor) of 1 means an integrity pro- tection layer exists. Any higher SSF implies some form of privacy protection. Now, my real problem is that I'm using a php-based web client that uses imap-2000a c-client to connect to the Cyrus IMAP (and IMSP) servers. Both run on the same host, so network security is not an issue. C-client is supposed to authenticate with either CRAM-MD5 or LOGIN, but it seems only to use CRAM-MD5. I suspect that this is because the servers don't advertize LOGIN. I'm using the auto_transition feature of SASL to populate the CRAM-MD5 database from plaintext passwords. This means that users can login via the php-based web client until they have done one plaintext login by some other method. The result is mass confusion. I need a way out of this mess without degrading security too much. Any suggestions? -- -Gary Mills- -Unix Support- -U of M Academic Computing and Networking-