diff -Naur cyrus-imapd-2.3.8/imap/imapd.c cyrus-imapd-2.3.8.oden/imap/imapd.c --- cyrus-imapd-2.3.8/imap/imapd.c 2007-02-05 19:49:55.000000000 +0100 +++ cyrus-imapd-2.3.8.oden/imap/imapd.c 2007-05-26 20:48:26.000000000 +0200 @@ -117,6 +117,7 @@ static char shutdownfilename[1024]; static int imaps = 0; static sasl_ssf_t extprops_ssf = 0; +static int imapd_allow_plaintext = 0; /* PROXY STUFF */ /* we want a list of our outgoing connections here and which one we're @@ -657,7 +658,10 @@ snmp_connect(); /* ignore return code */ snmp_set_str(SERVER_NAME_VERSION,CYRUS_VERSION); - while ((opt = getopt(argc, argv, "sp:")) != EOF) { + /* set defaults for allowplaintext */ + imapd_allow_plaintext=config_getswitch(IMAPOPT_ALLOWPLAINTEXT); + + while ((opt = getopt(argc, argv, "stp:")) != EOF) { switch (opt) { case 's': /* imaps (do starttls right away) */ imaps = 1; @@ -670,6 +674,9 @@ case 'p': /* external protection */ extprops_ssf = atoi(optarg); break; + case 't': /* allowplaintext: no */ + imapd_allow_plaintext=0; + break; default: break; } @@ -1943,7 +1950,7 @@ /* possibly disallow login */ if ((imapd_starttls_done == 0) && - (config_getswitch(IMAPOPT_ALLOWPLAINTEXT) == 0) && + (imapd_allow_plaintext == 0) && !is_userid_anonymous(canon_user)) { eatline(imapd_in, ' '); prot_printf(imapd_out, "%s NO Login only available under a layer\r\n", @@ -2573,7 +2580,7 @@ prot_printf(imapd_out, " STARTTLS"); } if (imapd_authstate || - (!imapd_starttls_done && !config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) { + (!imapd_starttls_done && !imapd_allow_plaintext)) { prot_printf(imapd_out, " LOGINDISABLED"); } diff -Naur cyrus-imapd-2.3.8/imap/pop3d.c cyrus-imapd-2.3.8.oden/imap/pop3d.c --- cyrus-imapd-2.3.8/imap/pop3d.c 2007-02-05 19:41:48.000000000 +0100 +++ cyrus-imapd-2.3.8.oden/imap/pop3d.c 2007-05-26 21:02:13.000000000 +0200 
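Review bot: The `case 't'` branch in the @@ -670 hunk clears only the file-local `imapd_allow_plaintext`, so it tightens just the two checks this patch rewrites: the LOGIN refusal at @@ -1943 and LOGINDISABLED at @@ -2573. Any other reader of `IMAPOPT_ALLOWPLAINTEXT` outside these hunks (presumably the code that builds the SASL security properties, which is not visible here) would still follow the configuration file, so a server started with `-t` but configured with `allowplaintext: yes` might still accept a plaintext SASL mechanism without TLS. Confirm that path before documenting `-t` as equivalent to `allowplaintext: no`, and record the scope at the declaration, e.g. `/* cleared by -t; gates LOGIN and LOGINDISABLED only */`. The switch and its enclosing function continue outside the hunk.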
@@ -133,6 +133,7 @@ static sasl_ssf_t extprops_ssf = 0; static int pop3s = 0; int popd_starttls_done = 0; +static int popd_allow_plaintext = 0; static struct mailbox mboxstruct; @@ -415,7 +416,10 @@ fatal(error_message(r), EC_CONFIG); } - while ((opt = getopt(argc, argv, "skp:")) != EOF) { + /* set defaults for allowplaintext */ + popd_allow_plaintext=config_getswitch(IMAPOPT_ALLOWPLAINTEXT); + + while ((opt = getopt(argc, argv, "skpt:")) != EOF) { switch(opt) { case 's': /* pop3s (do starttls right away) */ pop3s = 1; @@ -434,6 +438,9 @@ extprops_ssf = atoi(optarg); break; + case 't': /* allowplaintext: no */ + popd_allow_plaintext=0; + break; default: usage(); } @@ -1198,7 +1205,7 @@ /* possibly disallow USER */ if (!(kflag || popd_starttls_done || - config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) { + popd_allow_plaintext)) { prot_printf(popd_out, "-ERR [AUTH] USER command only available under a layer\r\n"); return; @@ -1344,10 +1351,10 @@ if (!popd_mailbox && !backend && (kflag || popd_starttls_done - || config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) { + || popd_allow_plaintext)) { prot_printf(popd_out, "USER\r\n"); } - + prot_printf(popd_out, "IMPLEMENTATION Cyrus POP3%s server %s\r\n", config_mupdate_server ? " Murder" : "", CYRUS_VERSION); diff -Naur cyrus-imapd-2.3.8/man/imapd.8 cyrus-imapd-2.3.8.oden/man/imapd.8 --- cyrus-imapd-2.3.8/man/imapd.8 2002-10-03 21:02:41.000000000 +0200 +++ cyrus-imapd-2.3.8.oden/man/imapd.8 2007-05-26 20:48:26.000000000 +0200 @@ -64,6 +64,9 @@ .B \-s ] [ +.B \-t +] +[ .B \-p .I ssf ] 
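Review bot: The option string `"skpt:"` in the @@ -415 hunk puts the colon after `t` instead of `p`, so `-p` no longer takes an argument and the existing `extprops_ssf = atoi(optarg)` (context in the @@ -434 hunk) runs with an unset `optarg`, while `-t` now consumes the next argv element as its argument. imapd.c uses `"stp:"` for the same change; here the line should read `while ((opt = getopt(argc, argv, "sktp:")) != EOF) {`. As written, a pop3d started with `-p ssf` would most likely crash at startup, and a trailing `-t` with nothing after it falls into `default: usage();` instead of disabling plaintext. The loop belongs to a function whose start and end lie outside the hunk.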
@@ -137,6 +140,11 @@
 .I imapd
 is encrypted using the Secure Sockets Layer.
 .TP
+.BI \-t
+Do not allow the use of cleartext passwords on the wire. Equivalent to setting
+.I allowplaintext: no
+in the configuration file.
+.TP
 .BI \-p " ssf"
 Tell
 .I imapd
diff -Naur cyrus-imapd-2.3.8/man/pop3d.8 cyrus-imapd-2.3.8.oden/man/pop3d.8
--- cyrus-imapd-2.3.8/man/pop3d.8 2006-11-30 18:11:23.000000000 +0100
+++ cyrus-imapd-2.3.8.oden/man/pop3d.8 2007-05-26 20:48:26.000000000 +0200
@@ -64,6 +64,9 @@
 .B \-s
 ]
 [
+.B \-t
+]
+[
 .B \-k
 ]
 [
@@ -118,6 +121,11 @@
 .I pop3d
 is encrypted using the Secure Sockets Layer.
 .TP
+.BI \-t
+Do not allow the use of cleartext passwords on the wire. Equivalent to setting
+.I allowplaintext: no
+in the configuration file.
+.TP
 .B \-k
 Serve MIT's KPOP (Kerberized POP) protocol instead.
 .TP