Univention Bugzilla – Bug 37187
imapd allows cleartext password without encryption
Last modified: 2018-03-14 14:37:56 CET
Currently the imapd allows authentication via cleartext passwords without encryption on the wire. This should be configurable and turned off by default.

root@master:~# grep allowplaintext /etc/imapd/imapd.conf
allowplaintext: yes
root@master:~#

---[man imapd.conf]---
allowplaintext: 0
    Allow the use of cleartext passwords on the wire.
----------------------
From the man page:

    If you only list plaintext authentication mechanisms in ``sasl_mech_list'' and set ``allowplaintext: no'', only users on encrypted sessions (TLS or SSL) will be able to authenticate.

sasl_mech_list is hardcoded to "PLAIN" via UCR template. It would be helpful if allowplaintext were configurable via UCR.
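The following is an added example, not code from the bug report or from Univention: a small POSIX shell check that reads the rendered imapd.conf and reports whether the allowplaintext setting discussed above leaves cleartext passwords accepted on unencrypted sessions. It assumes the "key: value" syntax of imapd.conf and the compiled-in default of 0 quoted from the man page above; the two sample configuration files it creates are constructed for the demo and are not taken from any real system.

```shell
#!/bin/sh
# Added example (not Univention's code): audit a cyrus imapd.conf for the
# allowplaintext setting. Sample configs below are constructed.

# check_allowplaintext FILE
# Prints the effective setting and returns 0 when cleartext passwords are
# refused on unencrypted sessions, 1 when they are still accepted.
check_allowplaintext() {
    conf="$1"
    # imapd.conf uses "key: value" lines; take the last occurrence of the key,
    # strip surrounding whitespace and lowercase it for comparison.
    val=$(sed -n 's/^[[:space:]]*allowplaintext:[[:space:]]*//p' "$conf" \
          | tail -n 1 | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    # A missing key falls back to the compiled-in default (0 = no, per man page).
    [ -z "$val" ] && val="0"
    case "$val" in
        yes|y|1|on|true|t)
            echo "$conf: allowplaintext=$val -> cleartext passwords accepted without TLS/SSL"
            return 1 ;;
        *)
            echo "$conf: allowplaintext=$val -> plaintext auth only on TLS/SSL sessions"
            return 0 ;;
    esac
}

# Demo on two constructed sample configs: the weak setting seen in the bug
# report and the corrected one. sasl_mech_list stays PLAIN in both, as in the
# UCR template, so only allowplaintext decides whether TLS is enforced.
tmp=$(mktemp -d)
printf 'sasl_mech_list: PLAIN\nallowplaintext: yes\n' > "$tmp/weak.conf"
printf 'sasl_mech_list: PLAIN\nallowplaintext: no\n'  > "$tmp/hardened.conf"
for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
    check_allowplaintext "$f" || :
done
rm -rf "$tmp"
```

Run it against the real file with `check_allowplaintext /etc/imapd/imapd.conf`; because the UCR template renders the file, a manual change to allowplaintext is overwritten on the next template commit, which is why the bug asks for a UCR variable rather than a hand edit.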
Just to make it clear: only cyrus is affected; dovecot is not affected
There is a Customer ID set so I set the flag "Enterprise Customer affected".
@Daniel, Sönke: This can be WONTFIX if we drop cyrus in UCS 4.3.
(In reply to Florian Best from comment #4)
> @Daniel, Sönke:
> This can be WONTFIX if we drop cyrus in UCS 4.3.

Yes. I have added a TODO to Bug #46102, in case it is fixed.
Cyrus IMAP is no longer supported as of UCS 4.3-0 → WONTFIX
ACK
UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".