I want Cyrus IMAP to only allow logins over a TLS connection, so I've set allowplaintext: no in the /etc/imapd.conf file. However, this prevents me from logging in to cyradm as well:
Code:
linux:/etc # su - cyrus
cyrus@linux:~> cyradm --auth login localhost
IMAP Password:Login only available under a layer at /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with login as cyrus
cyrus@linux:~>
imtest has an option to not only specify the mechanism to use, but also specify that a TLS connection should be negotiated. imtest -m -t will let me log in normally:
Code:
cyrus@linux:~> imtest -m login -t "" localhost
S: * OK linux Cyrus IMAP4 v2.2.3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED X-NETSCAPE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN SASL-IR X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 256
I can't seem to find a similar option with cyradm. How can I make cyradm negotiate a TLS connection before using the login mechanism? Or is there another way to enable the cyrus user to log in while still disallowing plaintext logins?
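The exchange imtest performs above (CAPABILITY, then STARTTLS, then a fresh CAPABILITY, then LOGIN) is exactly what a client has to do when a Cyrus server with allowplaintext: no advertises LOGINDISABLED. The following is an added example, not part of the original post and not Cyrus code: it uses Python's standard imaplib to reproduce that sequence, and it decides from the server's capability list whether LOGIN is allowed now, only after STARTTLS, or not at all. The two CAPABILITY lines are constructed copies of the ones in the transcript; the host name, user name, password and CA file are placeholders.

```python
"""
Log in to an IMAP server that advertises LOGINDISABLED until STARTTLS
has been negotiated (Cyrus with allowplaintext: no).

Added example for illustration; not code from the post or from Cyrus.
"""
import imaplib
import ssl

# Constructed sample capability lines, copied from the imtest transcript:
# the first is what the server says on a plaintext connection, the second
# what it says once TLS is up.
CAP_BEFORE_TLS = (b"* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ "
                  b"MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME "
                  b"UNSELECT CHILDREN MULTIAPPEND BINARY SORT "
                  b"THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE "
                  b"STARTTLS LOGINDISABLED X-NETSCAPE")
CAP_AFTER_TLS = (b"* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ "
                 b"MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME "
                 b"UNSELECT CHILDREN MULTIAPPEND BINARY SORT "
                 b"THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE "
                 b"AUTH=LOGIN SASL-IR X-NETSCAPE")


def parse_capability(line: bytes) -> set:
    """Turn an untagged '* CAPABILITY ...' response into a set of tokens."""
    text = line.decode("ascii", "replace").strip()
    if text.startswith("*"):
        text = text[1:].strip()
    tokens = text.split()
    if tokens and tokens[0].upper() == "CAPABILITY":
        tokens = tokens[1:]
    return {t.upper() for t in tokens}


def login_plan(caps: set) -> str:
    """
    Decide what the client may do with the LOGIN command given a
    capability set:
      'login'    - LOGIN is allowed on this connection as it stands
      'starttls' - LOGIN is disabled, but STARTTLS is offered, so
                   negotiate TLS first and re-check capabilities
      'refuse'   - LOGIN is disabled and there is no STARTTLS;
                   do not send the password at all
    """
    if "LOGINDISABLED" not in caps:
        return "login"
    if "STARTTLS" in caps:
        return "starttls"
    return "refuse"


def login_over_starttls(host, user, password, port=143, cafile=None):
    """
    Connect in plaintext on port 143, upgrade with STARTTLS when the
    server demands it, and only then send LOGIN. Returns the connected
    imaplib.IMAP4 object in the AUTH state. The certificate is verified
    against the system store or, for a self-signed server certificate
    like the one in the transcript, against the file passed as cafile.
    (host/user/password/cafile are placeholders supplied by the caller.)
    """
    conn = imaplib.IMAP4(host, port)          # imaplib fetches CAPABILITY itself
    plan = login_plan({c.upper() for c in conn.capabilities})
    if plan == "refuse":
        conn.logout()
        raise RuntimeError("LOGIN disabled and no STARTTLS offered")
    if plan == "starttls":
        ctx = ssl.create_default_context(cafile=cafile)
        conn.starttls(ctx)                    # re-fetches CAPABILITY after the upgrade
        plan = login_plan({c.upper() for c in conn.capabilities})
        if plan != "login":
            conn.logout()
            raise RuntimeError("LOGIN still disabled after STARTTLS")
    conn.login(user, password)                # password now travels inside TLS
    return conn


if __name__ == "__main__":
    # Offline demonstration with the constructed capability lines.
    print(login_plan(parse_capability(CAP_BEFORE_TLS)))  # starttls
    print(login_plan(parse_capability(CAP_AFTER_TLS)))   # login
    # Against a real server (placeholders):
    # conn = login_over_starttls("localhost", "cyrus", "secret", cafile="server.pem")
    # conn.logout()
```

The decisive check is the second capability fetch after STARTTLS: a server that still lists LOGINDISABLED inside TLS will reject LOGIN, and the client should not send the password. imaplib's starttls() performs that refetch, which is why conn.capabilities can be re-read without a manual CAPABILITY command.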