Univention Bugzilla – Bug 38500
UCR configuration to disallow plain text passwords over non-TLS connections
Last modified: 2015-07-09 18:09:12 CEST
In our Cyrus imapd.conf UCR template the values for "allowplaintext" and "sasl_mech_list" are hard coded. In order to disallow plain text passwords over non-TLS connections these two options should be set to the following values:

allowplaintext: no (currently yes)
sasl_mech_list: PLAIN (currently the same value)

man 5 imapd.conf reads as follows:

If you only list plaintext authentication mechanisms in ``sasl_mech_list'' and set ``allowplaintext: no'', only users on encrypted sessions (TLS or SSL) will be able to authenticate. On the other hand, if you list no plaintext authentication options in ``sasl_mech_list'', ``allowplaintext: yes'' would have no effect.
A boolean UCRV mail/cyrus/imap/allowplaintext was added with the default "yes" (to preserve current behaviour).

Commit: 61214
Package: component/dovecot/univention-mail-cyrus
YAML: component/dovecot/doc/2015-06-12-univention-mail-cyrus.yaml
r61658 fixes the UCRV description.
(In reply to Daniel Tröder from comment #1)
> A boolean UCRV mail/cyrus/imap/allowplaintext was added with the default
> "yes" (to preserve current behaviour).

I think we should switch to the more secure variant "no" and describe in one sentence in the YAML file how to get back to the old behaviour: "To restore the old behaviour set the UCR variable mail/cyrus/imap/allowplaintext to 'yes'."
→ REOPEN

> Commit: 61214
> Package: component/dovecot/univention-mail-cyrus
> YAML: component/dovecot/doc/2015-06-12-univention-mail-cyrus.yaml

Memo: the YAML file is only a draft (not final scope, build version, ...).
→ version should be "[2]"

→ functional test was successful → see log below → OK

DOVECOT:

root@slave22b:~# ucr search dovecot.*allow
mail/dovecot/auth/allowplaintext: <empty>

sschwardt@dave:~$ telnet 10.200.18.22 143
Trying 10.200.18.22...
Connected to 10.200.18.22.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
^]
telnet> QUIT
Connection closed.

sschwardt@dave:~$ telnet 10.200.18.22 110
Trying 10.200.18.22...
Connected to 10.200.18.22.
Escape character is '^]'.
+OK Dovecot ready.
USER mail5@nstx.local
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
QUIT
+OK Logging out
Connection closed by foreign host.

sschwardt@dave:~$ telnet 10.200.18.22 4190
Trying 10.200.18.22...
Connected to 10.200.18.22.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave imapflags notify"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."

root@slave22b:~# ucr set mail/dovecot/auth/allowplaintext=yes
Create mail/dovecot/auth/allowplaintext
File: /etc/dovecot/conf.d/10-auth.conf
File: /usr/sbin/univention-sa-learn
Multifile: /etc/postfix/ldap.sharedfolderlocal
root@slave22b:~# invoke-rc.d dovecot reload
Reloading IMAP/POP3 mail server: dovecot.

sschwardt@dave:~$ telnet 10.200.18.22 143
Trying 10.200.18.22...
Connected to 10.200.18.22.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
^]
telnet> QUIT
Connection closed.

sschwardt@dave:~$ telnet 10.200.18.22 110
Trying 10.200.18.22...
Connected to 10.200.18.22.
Escape character is '^]'.
+OK Dovecot ready.
USER mail5@nstx.local
+OK
PASS univention
+OK Logged in.
QUIT
+OK Logging out.
Connection closed by foreign host.

sschwardt@dave:~$ telnet 10.200.18.22 4190
Trying 10.200.18.22...
Connected to 10.200.18.22.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave imapflags notify"
"NOTIFY" "mailto"
"SASL" "PLAIN LOGIN"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."

CYRUS:

sschwardt@dave:~$ telnet 10.200.18.40 143
Trying 10.200.18.40...
Connected to 10.200.18.40.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN SASL-IR] master40 Cyrus IMAP v2.4.16-Debian-2.4.16-4.32.201410011447 server ready
a01 login mail5@nstx.local univention
a01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE IDLE] User logged in SESSIONID=<cyrus-19828-1417022520-1>

sschwardt@dave:~$ telnet 10.200.18.40 110
Trying 10.200.18.40...
Connected to 10.200.18.40.
Escape character is '^]'.
+OK master40 Cyrus POP3 v2.4.16-Debian-2.4.16-4.32.201410011447 server ready <13682781212978981873.1417022468@master40>
USER mail5@nstx.local
+OK Name is a valid mailbox
PASS univention
+OK Mailbox locked and ready SESSIONID=<cyrus-19709-1417022468-1>

sschwardt@dave:~$ telnet 10.200.18.40 4190
Trying 10.200.18.40...
Connected to 10.200.18.40.
Escape character is '^]'.
"IMPLEMENTATION" "Cyrus timsieved v2.4.16-Debian-2.4.16-4.32.201410011447"
"SASL" "PLAIN"
"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
"STARTTLS"
"UNAUTHENTICATE"
OK

root@master40:~# ucr set mail/cyrus/auth/allowplaintext=no
Create mail/cyrus/auth/allowplaintext
File: /etc/imapd/imapd.conf
Module: ox-config
root@master40:~# invoke-rc.d cyrus-imapd restart
Restarting Cyrus IMAPd: cyrmaster.

sschwardt@dave:~$ telnet 10.200.18.40 143
Trying 10.200.18.40...
Connected to 10.200.18.40.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] master40 Cyrus IMAP v2.4.16-Debian-2.4.16-4.32.201410011447 server ready
a01 login mail5@nstx.local univention
a01 NO Login only available under a layer

sschwardt@dave:~$ telnet 10.200.18.40 110
Trying 10.200.18.40...
Connected to 10.200.18.40.
Escape character is '^]'.
+OK master40 Cyrus POP3 v2.4.16-Debian-2.4.16-4.32.201410011447 server ready <6832993858002959923.1417022823@master40>
USER mail5@nstx.local
-ERR [AUTH] USER command only available under a layer

sschwardt@dave:~$ telnet 10.200.18.40 4190
Trying 10.200.18.40...
Connected to 10.200.18.40.
Escape character is '^]'.
"IMPLEMENTATION" "Cyrus timsieved v2.4.16-Debian-2.4.16-4.32.201410011447"
"SASL" ""
"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
"STARTTLS"
"UNAUTHENTICATE"
OK
AUTHENTICATE "PLAIN" "AG1haWw1QG5zdHgubG9jYWwAdW5pdmVudGlvbg=="
NO "Authentication Error"
QUIT
Connection closed by foreign host.
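The manual telnet verification above can be automated. The following is an added example, not part of the bug report or of Univention's code: it parses IMAP and ManageSieve greetings like the ones in the log and reports whether a plaintext password could be sent before STARTTLS. The sample greetings are condensed from the log, and fetch_greeting() is a hypothetical helper for checking a live server.

```python
"""Added example (not Univention code): automate the telnet check from comment 3 by
testing IMAP/ManageSieve greetings for plaintext auth before TLS. fetch_greeting() is hypothetical."""
import re
import socket
# Sample greetings condensed from the test log in comment 3 (constructed input).
CYRUS_IMAP_BEFORE = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN"
                     " SASL-IR] master40 Cyrus IMAP server ready")
CYRUS_IMAP_AFTER = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED]"
                    " master40 Cyrus IMAP server ready")
SIEVE_OPEN = '"IMPLEMENTATION" "Dovecot Pigeonhole" "SASL" "PLAIN LOGIN" "STARTTLS" OK'
SIEVE_CLOSED = '"IMPLEMENTATION" "Cyrus timsieved" "SASL" "" "STARTTLS" OK'
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def imap_plaintext_allowed(greeting):
    """True if a password could be sent over this IMAP connection before STARTTLS."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    if not m:
        raise ValueError("no CAPABILITY list in IMAP greeting")
    caps = set(m.group(1).split())
    # RFC 3501: LOGIN is permitted unless LOGINDISABLED is advertised, and any
    # AUTH=PLAIN / AUTH=LOGIN capability is a plaintext SASL mechanism.
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    return "LOGINDISABLED" not in caps or bool(mechs & PLAINTEXT_MECHS)


def sieve_plaintext_allowed(greeting):
    """True if the ManageSieve (RFC 5804) greeting lists a plaintext SASL mechanism."""
    m = re.search(r'"SASL" "([^"]*)"', greeting)
    if not m:
        raise ValueError('no "SASL" capability in ManageSieve greeting')
    return bool(set(m.group(1).split()) & PLAINTEXT_MECHS)


def fetch_greeting(host, port, timeout=5.0):
    """Hypothetical helper: read a live greeting (IMAP/POP3: one line; Sieve: up to OK/NO)."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("r", encoding="ascii", errors="replace") as f:
            for line in f:
                lines.append(line.rstrip("\r\n"))
                if line.startswith(("* ", "+OK", "-ERR", "OK", "NO", "BYE")):
                    break
    return " ".join(lines)


if __name__ == "__main__":
    print("Cyrus IMAP before/after:", imap_plaintext_allowed(CYRUS_IMAP_BEFORE), imap_plaintext_allowed(CYRUS_IMAP_AFTER))
    print("Sieve open/closed:", sieve_plaintext_allowed(SIEVE_OPEN), sieve_plaintext_allowed(SIEVE_CLOSED))
```

For a live check, pass fetch_greeting("mailhost", 143) or fetch_greeting("mailhost", 4190) to the matching function; POP3 servers such as the ones in the log do not advertise auth mechanisms in the greeting, so they still need the USER/CAPA probe shown above.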
* Default setting of mail/cyrus/imap/allowplaintext changed to false in commit 61836. A warning message is printed only once for an update.
* YAML version fixed in r61837.
(In reply to Daniel Tröder from comment #4)
> * Default setting of mail/cyrus/imap/allowplaintext changed to false in
> commit 61836. A warning message is printed only once for an update.
> * YAML version fixed in r61837.

OK → VERIFIED
<http://errata.univention.de/ucs/4.0/236.html>