[horde] Force cram-md5 authentication.

Arjen de Korte arjen+horde at de-korte.org
Tue Oct 11 07:29:44 UTC 2016 

Citeren "Michael C. Robinson" <plug_1 at robinson-west.com>:

> I've changed backends.local.php to this:

This is broken in so many ways, I don't know where to start.

> <?php> 
> $servers['secure-imap'] = array> (
>      'disabled' => false,
>      'name' => 'robinson-west.com',
>      'hostspec' => 'mail.robinson-west.com',
>      'hordeauth' => full,
>      'protocol' => 'imap',
>      'port' => 993,
>      'secure' => 'tls',
>      'maildomain' => 'robinson-west.com',
>      'acl' => true,
>      'cache' => false,
>      'use_clear_passwd' => false,
>  );> ?>

Before doing anything else, read the comments in the header section of  
<horde>/imp/config/backends.php. Now read them again.

Besides the style issue (you shouldn't redefine the array, but rather  
only set the variables that need changing) you didn't disable the  
default setting. The following <horde>/imp/config/backends.local.php  
should get you started:

<?php
$servers['imap']['disabled'] = true;
$servers['advanced']['secure'] = false;
$servers['advanced']['name'] = 'robinson-west.com';
$servers['advanced']['hostspec'] = 'mail.robinson-west.com';
$servers['advanced']['hordeauth'] = 'full';
$servers['advanced']['maildomain'] = 'robinson-west.com';

^^^^ do not add closing

> Still not getting horde to do cram-md5...

Why do you insist to use cram-md5 over a secured link? That doesn't  
make sense at all and besides wasting some CPU cycles does nothing for  
security.

> I closed off imap port 143, only 993 is open.

Using port 993 is deprecated, use 'tls' over port 143 instead. Dovecot  
will not allow PLAIN of LOGIN by default anyway if the connection  
isn't secure (either because you're connecting through localhost or  
the connection is using some sort of encryption). Unless you told it  
otherwise, it will only offer PLAIN logins when the connection is  
secure.

> I'm using dovecot 2.x that comes with CentOS 6.
>
> If horde can't do cram-md5 like evolution can,
> what is the best alternative for security?

You should only use cram-md5 if your connection isn't secured by  
SSL/TLS. Horde and Dovecot are perfectly capable of figuring out which  
mechanism to use out of the box.

More information about the horde mailing list