Patrick Radtke | 10 Jan 17:56

Re: TLS support in cyradm?

If you're building Cyrus yourself then you can just patch it to add  
TLS support.

I don't recall where these patches originally came from (collected  
from past postings I'm told).
Once patched, cyradm takes the password as (-w secret) on the command  
line, so you probably don't want to run it on a public machine.

The patch also makes changes to sieveshell, the Cyrus/IMAP Perl  
libraries and imclient.c.
Attachment (cyrus-starttls.patch): application/octet-stream, 29 KiB

-Patrick
On Jan 10, 2006, at 9:13 AM, Jorey Bump wrote:

> Jorey Bump wrote:
>
>> Apparently cyradm does not have STARTTLS support, yet, so you can  
>> do this in cyrus.conf to ensure that no plaintext service is  
>> exposed to the Internet:
>>   imap          cmd="imapd" listen="localhost:imap" prefork=0
>>   imaps         cmd="imapd -s" listen="imaps" prefork=0
>>   # pop3                cmd="pop3d" listen="localhost:pop3" prefork=0
>>   pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
>> Granted, you sacrifice STARTTLS on ports 110 & 143, but not many  
>> clients seem to support it anyway, and this arrangement will help  
>> to prevent accidental transmission of plaintext passwords.
>
> I should also point out that this will restrict the use of cyradm  
> to the localhost. While I assume this is normally the case, cyradm  
> does have the ability to connect to other hosts (much like the  
> mysql client). If this is important to you, you will need to  
> investigate other authentication mechanisms, use a packet filter to  
> control access to the unencrypted port (still risky, depending on  
> the location of the client), or offer some code that allows cyradm  
> to use STARTTLS.
>
> As Nikola pointed out, another option is to use an SSL (or SSH)  
> tunnel. These always feel kludgy to me, though, and usually  
> indicate the need for a better solution.
> ----
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
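
A check for the cyrus.conf arrangement quoted above, as an added example that is not part of the original messages or of Cyrus itself: it flags imapd/pop3d services that listen beyond loopback without `-s`. The function name and the EXPOSED sample are constructed for illustration, and the parser assumes one service entry per line.

```python
import re
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}
CHECKED_DAEMONS = {"imapd", "pop3d"}          # the daemons discussed in the thread
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

# The service lines exactly as quoted in the message.
HARDENED = '''
  imap          cmd="imapd" listen="localhost:imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  # pop3                cmd="pop3d" listen="localhost:pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
'''
# Constructed sample: same file with a plaintext pop3 listener on all interfaces.
EXPOSED = HARDENED + '  pop3          cmd="pop3d" listen="pop3" prefork=0\n'

def exposed_plaintext(conf_text):
    """Return (name, listen) for services that accept plaintext beyond loopback."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[1] == "{":
            continue                          # section header, brace or empty line
        name, rest = parts
        opts = {k: (quoted or bare) for k, quoted, bare in KV.findall(rest)}
        argv = shlex.split(opts.get("cmd", ""))
        if not argv or argv[0].rsplit("/", 1)[-1] not in CHECKED_DAEMONS:
            continue                          # only the daemons named on the page
        listen = opts.get("listen", "")
        if listen.startswith("/"):
            continue                          # UNIX socket path, not a network listener
        host = listen.rpartition(":")[0]      # "" means every interface
        if "-s" in argv[1:] or host in LOOPBACK:
            continue                          # TLS-wrapped, or bound to loopback only
        findings.append((name, listen))
    return findings

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(label, exposed_plaintext(conf))
```
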
