Univention Bugzilla – Bug 38803
ucs-test: UCR configuration to disallow plain text passwords over non-TLS connections
Last modified: 2023-03-25 06:49:50 CET
Please check if plaintext authentication without an encrypted connection is disallowed by default and may be configured via UCR for dovecot and cyrus.

+++ This bug was initially created as a clone of Bug #38500 +++

In our Cyrus imapd.conf UCR template the values for "allowplaintext" and "sasl_mech_list" are hard coded. In order to disallow plain text passwords over non-TLS connections these two options should be set to the following values:

allowplaintext: no (currently yes)
sasl_mech_list: PLAIN (currently the same value)

man 5 imapd.conf reads as follows:

    If you only list plaintext authentication mechanisms in ``sasl_mech_list'' and set ``allowplaintext: no'', only users on encrypted sessions (TLS or SSL) will be able to authenticate. On the other hand, if you list no plaintext authentication options in ``sasl_mech_list'', ``allowplaintext: yes'' would have no effect.
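As an added illustration (not code from the bug or from the ucs-test script), the following audit function applies the man-page rule quoted above to a rendered imapd.conf: a password can cross a non-TLS session in the clear only when a plaintext mechanism is listed in sasl_mech_list and allowplaintext is not "no". The set of plaintext mechanisms and the fail-safe handling of a missing allowplaintext key are assumptions of this example; the two sample configurations are constructed to mirror the "currently" and "should be" values from the report.

```python
"""Audit a Cyrus imapd.conf for plaintext authentication over unencrypted sessions."""
import re

# SASL mechanisms that send the password in the clear (assumption: the
# mechanisms a UCS mail server would realistically list).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed samples: the template values before and after the proposed change.
BEFORE_CONF = "allowplaintext: yes\nsasl_mech_list: PLAIN\n"
AFTER_CONF = "allowplaintext: no\nsasl_mech_list: PLAIN\n"


def parse_imapd_conf(text):
    """Parse 'key: value' lines into a dict; '#' comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def plaintext_over_cleartext_allowed(conf):
    """True if a client on a non-TLS session could authenticate with a cleartext password.

    Mirrors man 5 imapd.conf: allowplaintext only matters for the plaintext
    mechanisms actually present in sasl_mech_list.
    """
    # Assumption: a missing allowplaintext key is treated as permissive so the
    # audit fails safe rather than silently passing an unknown default.
    allow = conf.get("allowplaintext", "yes").strip().lower() in ("yes", "1", "true", "on")
    mechs = {m.upper() for m in re.split(r"[\s,]+", conf.get("sasl_mech_list", "")) if m}
    return bool(mechs & PLAINTEXT_MECHS) and allow


def audit(text):
    """Return a list of findings for the given imapd.conf text (empty list = compliant)."""
    conf = parse_imapd_conf(text)
    if plaintext_over_cleartext_allowed(conf):
        return ["plaintext SASL mechanism listed with allowplaintext != no: "
                "passwords may be sent over non-TLS sessions"]
    return []


if __name__ == "__main__":
    for name, text in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(name, audit(text) or "OK")
```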
A new test script named "40_mail/28_plain_text_passwords_over_nonTLS" was added to test the mentioned cases. Tested for dovecot and cyrus.
No separate QA is needed for this bug.