Jorey Bump | 9 Jan 22:45

Re: TLS support in cyradm?

Rosenbaum, Larry M. wrote:
> Is there a way to get cyradm to use TLS (or STARTTLS) when connecting to
> the server?  We are planning to authenticate with /etc/shadow using
> saslauthd, and use TLS to avoid putting plaintext passwords on the wire.
> However, I have found out that specifying
> 
> allowplaintext: 0
> 
> prevents us from using cyradm.

Apparently cyradm does not have STARTTLS support yet, so you can do 
this in cyrus.conf to ensure that no plaintext service is exposed to the 
Internet:

   imap          cmd="imapd" listen="localhost:imap" prefork=0
   imaps         cmd="imapd -s" listen="imaps" prefork=0
   # pop3                cmd="pop3d" listen="localhost:pop3" prefork=0
   pop3s         cmd="pop3d -s" listen="pop3s" prefork=0

Granted, you sacrifice STARTTLS on ports 110 & 143, but not many clients 
seem to support it anyway, and this arrangement will help to prevent 
accidental transmission of plaintext passwords.

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
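
An added example, not part of the original post or of Cyrus itself: a small audit of cyrus.conf service lines that reports any `imapd` or `pop3d` service started without `-s` and bound to a non-loopback address, which is the condition the arrangement in the reply above is meant to rule out. The function names and the second sample configuration are constructed for illustration, and comment handling is simplified.

```python
import re
import shlex

# The SERVICES entries exactly as given in the post.
POST_CONF = '''
   imap          cmd="imapd" listen="localhost:imap" prefork=0
   imaps         cmd="imapd -s" listen="imaps" prefork=0
   # pop3                cmd="pop3d" listen="localhost:pop3" prefork=0
   pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
'''
# Constructed counter-example: plaintext daemons bound to routable addresses.
EXPOSED_CONF = '''
   imap          cmd="imapd" listen="imap" prefork=0
   imaps         cmd="imapd -s" listen="imaps" prefork=0
   pop3          cmd="pop3d" listen="192.0.2.10:pop3" prefork=0
'''
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def listen_host(listen):
    """Bind host of a listen= value; '' means every interface."""
    if listen.startswith("/"):           # UNIX socket path, never on the network
        return "localhost"
    if listen.startswith("["):           # [ipv6-address]:port
        return listen[1:listen.index("]")]
    host, sep, _port = listen.rpartition(":")
    return host if sep else ""

def exposed_plaintext(conf_text):
    """Names of imapd/pop3d services started without -s on a non-loopback address."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' always starts a comment
        opts = {k: v.strip('"') for k, v in PAIR.findall(line)}
        argv = shlex.split(opts.get("cmd", ""))
        if not argv or "listen" not in opts:
            continue
        daemon = argv[0].rsplit("/", 1)[-1]
        if daemon not in ("imapd", "pop3d") or "-s" in argv[1:]:
            continue                          # other daemon, or TLS-wrapped service
        host = listen_host(opts["listen"])
        if host not in ("localhost", "::1") and not host.startswith("127."):
            findings.append(line.split()[0])
    return findings

if __name__ == "__main__":
    print("post config:", exposed_plaintext(POST_CONF))
    print("constructed config:", exposed_plaintext(EXPOSED_CONF))
```

An empty result for the live cyrus.conf means the only network-reachable IMAP and POP3 listeners are the TLS-wrapped ones, so cyradm can still connect to the plaintext port over localhost.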

