Jorey Bump | 10 Jan 15:13

Re: TLS support in cyradm?

Jorey Bump wrote:

> Apparently cyradm does not have STARTTLS support, yet, so you can do 
> this in cyrus.conf to ensure that no plaintext service is exposed to the 
> Internet:
> 
>   imap     cmd="imapd"    listen="localhost:imap" prefork=0
>   imaps    cmd="imapd -s" listen="imaps"          prefork=0
>   # pop3   cmd="pop3d"    listen="localhost:pop3" prefork=0
>   pop3s    cmd="pop3d -s" listen="pop3s"          prefork=0
> 
> Granted, you sacrifice STARTTLS on ports 110 & 143, but not many clients 
> seem to support it anyway, and this arrangement will help to prevent 
> accidental transmission of plaintext passwords.

I should also point out that this will restrict the use of cyradm to the 
localhost. While I assume this is normally the case, cyradm does have 
the ability to connect to other hosts (much like the mysql client). If 
this is important to you, you will need to investigate other 
authentication mechanisms, use a packet filter to control access to the 
unencrypted port (still risky, depending on the location of the client), 
or offer some code that allows cyradm to use STARTTLS.

As Nikola pointed out, another option is to use an SSL (or SSH) tunnel. 
These always feel kludgy to me, though, and usually indicate the need 
for a better solution.
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
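A defender-side check for the arrangement discussed in this thread, added here as an example and not code from the post or from the Cyrus project: it parses the SERVICES block of a cyrus.conf (the sample below is constructed, with one deliberately bad entry) and flags every imapd or pop3d listener that is neither wrapped with `-s` nor bound to loopback or a unix socket. It assumes only imapd and pop3d need checking and, like the post, treats a plaintext port reachable from the network as exposed even if STARTTLS would be available on it.

```python
import re

# Constructed sample: the SERVICES layout from the post plus one deliberately bad
# entry (pop3bad) that accepts plaintext logins on every interface.
SAMPLE_CYRUS_CONF = """\
SERVICES {
  imap          cmd="imapd" listen="localhost:imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  # pop3        cmd="pop3d" listen="localhost:pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  pop3bad       cmd="pop3d" listen="pop3" prefork=0
}
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_services(text):
    """Return {service_name: {key: value}} for the active entries of SERVICES { }."""
    services, in_services = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("SERVICES"):
            in_services = True
        elif line == "}":
            in_services = False
        elif in_services and line and not line.startswith("#"):  # '# pop3' is disabled
            name, _, rest = line.partition(" ")
            services[name] = {m.group(1): m.group(2) if m.group(2) is not None
                              else m.group(3) for m in KV_RE.finditer(rest)}
    return services

def is_loopback(listen):
    """True if a listen= value binds only a loopback address or a unix-domain socket."""
    if listen.startswith("/"):
        return True                  # unix socket: not reachable over the network
    host, sep, _port = listen.rpartition(":")
    if not sep:
        return False                 # bare port or service name binds every interface
    return host.strip("[]") in LOOPBACK

def exposed_plaintext(services):
    """imapd/pop3d listeners reachable from the network without the -s (implicit TLS) wrapper."""
    exposed = []
    for name, attrs in services.items():
        argv = attrs.get("cmd", "").split()
        if (argv and argv[0] in ("imapd", "pop3d") and "-s" not in argv[1:]
                and not is_loopback(attrs.get("listen", ""))):
            exposed.append(name)
    return sorted(exposed)
```

Run it against a real cyrus.conf by reading the file into `parse_services`; an empty result from `exposed_plaintext` means every plaintext-capable listener is confined to localhost, which is exactly the restriction on cyradm the post describes.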