
TLS support in cyradm?

Is there a way to get cyradm to use TLS (or STARTTLS) when connecting to
the server?  We are planning to authenticate with /etc/shadow using
saslauthd, and use TLS to avoid putting plaintext passwords on the wire.
However, I have found out that specifying

allowplaintext: 0

prevents us from using cyradm.

Larry R.

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Nikola Milutinovic | 10 Jan 07:44

Re: TLS support in cyradm?

Rosenbaum, Larry M. wrote:

>Is there a way to get cyradm to use TLS (or STARTTLS) when connecting to
>the server?  We are planning to authenticate with /etc/shadow using
>saslauthd, and use TLS to avoid putting plaintext passwords on the wire.
>However, I have found out that specifying
>
>allowplaintext: 0
>
>prevents us from using cyradm.
>  
>

First of all, I'm not aware of TLS support in Cyrus, only SSL. I could 
be wrong, though.

You can use one of the SSL tunnels; I believe that the "openssl" command
offers such a tunnel, see the man pages.

On the other hand, you can surely use DIGEST-MD5 mechanism, but then you 
must store user/pass in SASL-DB.

Nix.

Ken Murchison | 10 Jan 14:07

Re: TLS support in cyradm?

Nikola Milutinovic wrote:
> Rosenbaum, Larry M. wrote:
> 
>> Is there a way to get cyradm to use TLS (or STARTTLS) when connecting to
>> the server?  We are planning to authenticate with /etc/shadow using
>> saslauthd, and use TLS to avoid putting plaintext passwords on the wire.
>> However, I have found out that specifying
>>
>> allowplaintext: 0
>>
>> prevents us from using cyradm.
>>  
>>
> 
> First of all, I'm not aware of TLS support in Cyrus, only SSL. I could 
> be wrong, though.

It certainly does support TLS.  In fact support for STARTTLS and the TLS
v1 cipher suites was added first (because it is standards track) and
support for SSL v2/v3 and SSL wrapped services was added later to
support legacy clients.

-- 
Kenneth Murchison
Project Cyrus Developer/Maintainer
Carnegie Mellon University

Jorey Bump | 9 Jan 22:45

Re: TLS support in cyradm?

Rosenbaum, Larry M. wrote:
> Is there a way to get cyradm to use TLS (or STARTTLS) when connecting to
> the server?  We are planning to authenticate with /etc/shadow using
> saslauthd, and use TLS to avoid putting plaintext passwords on the wire.
> However, I have found out that specifying
> 
> allowplaintext: 0
> 
> prevents us from using cyradm.

Apparently cyradm does not have STARTTLS support, yet, so you can do 
this in cyrus.conf to ensure that no plaintext service is exposed to the 
Internet:

   imap          cmd="imapd" listen="localhost:imap" prefork=0
   imaps         cmd="imapd -s" listen="imaps" prefork=0
   # pop3                cmd="pop3d" listen="localhost:pop3" prefork=0
   pop3s         cmd="pop3d -s" listen="pop3s" prefork=0

Granted, you sacrifice STARTTLS on ports 110 & 143, but not many clients 
seem to support it anyway, and this arrangement will help to prevent 
accidental transmission of plaintext passwords.

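As an added illustration (not code from the thread or from the Cyrus project), here is a small auditor for the cyrus.conf arrangement described above: it parses the SERVICES block, treats `imapd -s` / `pop3d -s` entries as SSL-wrapped, and flags any other service whose `listen=` is not bound to a loopback address or a unix socket, since such a listener still accepts a plaintext-capable session from the network. The embedded configuration is constructed for the example: it contains the four lines from the message plus hypothetical `sieve` and `lmtpunix` entries so that both outcomes of the check are exercised.

```python
import re

# Constructed sample for this example: the four SERVICES lines from the thread
# plus two hypothetical extra entries (sieve, lmtpunix) to exercise the checks.
SAMPLE_CYRUS_CONF = """\
START {
  recover       cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap          cmd="imapd" listen="localhost:imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  # pop3                cmd="pop3d" listen="localhost:pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
}
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Matches key="quoted value" or key=bare_value
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_services(text):
    """Return {service_name: {key: value}} for the entries of the SERVICES block.

    Blank lines and '#' comments are skipped, so a commented-out service
    (like pop3 in the thread) does not appear in the result.
    """
    services = {}
    in_services = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"SERVICES\s*\{", line):
            in_services = True
            continue
        if in_services and line.startswith("}"):
            in_services = False
            continue
        if not in_services:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        name = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        services[name] = {
            m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in TOKEN_RE.finditer(rest)
        }
    return services


def is_tls_wrapped(cmd):
    """imapd -s / pop3d -s negotiate SSL/TLS before any protocol data is sent."""
    return "-s" in cmd.split()


def listen_host(listen):
    """Host part of a listen= value.

    Returns "unix" for a socket path, the bare host for "host:port" or
    "[v6addr]:port", and None when only a port is given (all interfaces).
    """
    if listen.startswith("/"):
        return "unix"
    if listen.startswith("["):
        return listen[1:listen.index("]")]
    host, sep, _port = listen.rpartition(":")
    return host if sep else None


def audit_plaintext_exposure(text):
    """Names of services that accept a pre-TLS (plaintext-capable) session on a
    non-loopback address: not SSL-wrapped and not bound to localhost or unix."""
    exposed = []
    for name, params in parse_services(text).items():
        if is_tls_wrapped(params.get("cmd", "")):
            continue
        host = listen_host(params.get("listen", ""))
        if host == "unix" or host in LOOPBACK_HOSTS:
            continue
        exposed.append(name)
    return exposed


if __name__ == "__main__":
    for name in audit_plaintext_exposure(SAMPLE_CYRUS_CONF):
        print(f"{name}: plaintext-capable listener reachable beyond localhost")
```

To audit a real installation, replace the embedded sample with the contents of /etc/cyrus.conf. Binding a service to localhost keeps its plaintext path off the network, but any local user of that host can still reach it, which is the trade-off for cyradm that the rest of the thread discusses.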

Jorey Bump | 10 Jan 15:13

Re: TLS support in cyradm?

Jorey Bump wrote:

> Apparently cyradm does not have STARTTLS support, yet, so you can do 
> this in cyrus.conf to ensure that no plaintext service is exposed to the 
> Internet:
> 
>   imap          cmd="imapd" listen="localhost:imap" prefork=0
>   imaps         cmd="imapd -s" listen="imaps" prefork=0
>   # pop3                cmd="pop3d" listen="localhost:pop3" prefork=0
>   pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
> 
> Granted, you sacrifice STARTTLS on ports 110 & 143, but not many clients 
> seem to support it anyway, and this arrangement will help to prevent 
> accidental transmission of plaintext passwords.

I should also point out that this will restrict the use of cyradm to the 
localhost. While I assume this is normally the case, cyradm does have 
the ability to connect to other hosts (much like the mysql client). If 
this is important to you, you will need to investigate other 
authentication mechanisms, use a packet filter to control access to the 
unencrypted port (still risky, depending on the location of the client), 
or offer some code that allows cyradm to use STARTTLS.

As Nikola pointed out, another option is to use an SSL (or SSH) tunnel. 
These always feel kludgy to me, though, and usually indicate the need 
for a better solution.

Patrick Radtke | 10 Jan 17:56

Re: TLS support in cyradm?

If you're building Cyrus yourself then you can just patch it to add
TLS support.

I don't recall where these patches originally came from (collected
from past postings I'm told). Once patched, cyradm takes the password
as (-w secret) on the command line, so you probably don't want to run
it on a public machine.

The patch also makes changes to sieveshell, the Cyrus/IMAP perl
libraries and imclient.c.
Attachment (cyrus-starttls.patch): application/octet-stream, 29 KiB

-Patrick
On Jan 10, 2006, at 9:13 AM, Jorey Bump wrote:

> Jorey Bump wrote:
>
>> Apparently cyradm does not have STARTTLS support, yet, so you can  
>> do this in cyrus.conf to ensure that no plaintext service is  
>> exposed to the Internet:
>>   imap          cmd="imapd" listen="localhost:imap" prefork=0
>>   imaps         cmd="imapd -s" listen="imaps" prefork=0
>>   # pop3                cmd="pop3d" listen="localhost:pop3" prefork=0
>>   pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
>> Granted, you sacrifice STARTTLS on ports 110 & 143, but not many  
>> clients seem to support it anyway, and this arrangement will help  
>> to prevent accidental transmission of plaintext passwords.
>

Rosenbaum, Larry M. | 10 Jan 22:02

RE: TLS support in cyradm?

I found some patches at 
https://bugzilla.andrew.cmu.edu/attachment.cgi?id=310&action=view

It would be nice if somebody would put them into the base code.

> -----Original Message-----
> From: info-cyrus-bounces <at> lists.andrew.cmu.edu [mailto:info-cyrus-
> bounces <at> lists.andrew.cmu.edu] On Behalf Of Patrick Radtke
> Sent: Tuesday, January 10, 2006 11:57 AM
> To: Jorey Bump
> Cc: info-cyrus <at> lists.andrew.cmu.edu
> Subject: Re: TLS support in cyradm?
> 
> If you're building Cyrus yourself then you can just patch it to add
> TLS support.
> 
> I don't recall where these patches originally came from (collected
> from past postings I'm told).
> Once patched, cyradm takes the password as (-w secret) on the command
> line, so you probably don't want to run it on a public machine.
> 
> The patch also makes changes to sieveshell, the Cyrus/IMAP perl
> libraries and imclient.c