diff -Naurp cyrus-imapd-2.3.12p2/imap/imapd.c cyrus-imapd-2.3.12p2.oden/imap/imapd.c
--- cyrus-imapd-2.3.12p2/imap/imapd.c 2008-04-13 17:40:29.000000000 +0200
+++ cyrus-imapd-2.3.12p2.oden/imap/imapd.c 2008-05-18 18:24:05.000000000 +0200
@@ -120,6 +120,7 @@ const int config_need_data = CONFIG_NEED
 static char shutdownfilename[1024];
 static int imaps = 0;
 static sasl_ssf_t extprops_ssf = 0;
+static int imapd_allow_plaintext = 0;
 /* PROXY STUFF */
 /* we want a list of our outgoing connections here and which one we're
@@ -662,7 +663,10 @@ int service_init(int argc, char **argv,
 snmp_connect(); /* ignore return code */
 snmp_set_str(SERVER_NAME_VERSION,CYRUS_VERSION);
- while ((opt = getopt(argc, argv, "sp:")) != EOF) {
+ /* set defaults for allowplaintext */
+ imapd_allow_plaintext=config_getswitch(IMAPOPT_ALLOWPLAINTEXT);
+
+ while ((opt = getopt(argc, argv, "stp:")) != EOF) {
 switch (opt) {
 case 's': /* imaps (do starttls right away) */
 imaps = 1;
@@ -675,6 +679,9 @@ int service_init(int argc, char **argv,
 case 'p': /* external protection */
 extprops_ssf = atoi(optarg);
 break;
+ case 't': /* allowplaintext: no */
+ imapd_allow_plaintext=0;
+ break;
 default:
 break;
 }
@@ -2005,7 +2012,7 @@ void cmd_login(char *tag, char *user)
 /* possibly disallow login */
 if (!imapd_starttls_done && (extprops_ssf < 2) &&
- !config_getswitch(IMAPOPT_ALLOWPLAINTEXT) &&
+ !imapd_allow_plaintext &&
 !is_userid_anonymous(canon_user)) {
 eatline(imapd_in, ' ');
 prot_printf(imapd_out, "%s NO Login only available under a layer\r\n",
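Review bot: `-t` is only consulted at the call sites this patch rewrites — the LOGIN gate here in cmd_login, the LOGINDISABLED test in capa_response, and cmd_user and cmd_capa in pop3d.c — so any other reader of `IMAPOPT_ALLOWPLAINTEXT` still follows the configuration file. Nothing in the diff shows where the SASL security properties are set up; if that code reads the option directly, a server started with `-t` and `allowplaintext: yes` would refuse LOGIN/USER but might still accept a plaintext SASL mechanism without a protection layer, which would contradict the man page's "Equivalent to setting allowplaintext: no". Worth confirming with a grep for the option and, if needed, routing those readers through the same flag. cmd_login's body continues outside the hunk.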
@@ -2637,7 +2644,7 @@ void capa_response(int flags)
 }
 if (imapd_authstate || (!imapd_starttls_done && (extprops_ssf < 2) &&
- !config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) {
+ !imapd_allow_plaintext)) {
 prot_printf(imapd_out, " LOGINDISABLED");
 }
diff -Naurp cyrus-imapd-2.3.12p2/imap/pop3d.c cyrus-imapd-2.3.12p2.oden/imap/pop3d.c
--- cyrus-imapd-2.3.12p2/imap/pop3d.c 2008-04-11 22:07:00.000000000 +0200
+++ cyrus-imapd-2.3.12p2.oden/imap/pop3d.c 2008-05-18 18:29:34.000000000 +0200
@@ -134,6 +134,7 @@ struct msg {
 static sasl_ssf_t extprops_ssf = 0;
 static int pop3s = 0;
 int popd_starttls_done = 0;
+static int popd_allow_plaintext = 0;
 static struct mailbox mboxstruct;
@@ -429,7 +430,10 @@ int service_init(int argc __attribute__(
 fatal(error_message(r), EC_CONFIG);
 }
- while ((opt = getopt(argc, argv, "skp:")) != EOF) {
+ /* set defaults for allowplaintext */
+ popd_allow_plaintext=config_getswitch(IMAPOPT_ALLOWPLAINTEXT);
+
+ while ((opt = getopt(argc, argv, "skpt:")) != EOF) {
 switch(opt) {
 case 's': /* pop3s (do starttls right away) */
 pop3s = 1;
@@ -448,6 +452,9 @@ int service_init(int argc __attribute__(
 extprops_ssf = atoi(optarg);
 break;
+ case 't': /* allowplaintext: no */
+ popd_allow_plaintext=0;
+ break;
 default:
 usage();
 }
@@ -1217,7 +1224,7 @@ void cmd_user(char *user)
 /* possibly disallow USER */
 if (!(kflag || popd_starttls_done || (extprops_ssf > 1) ||
- config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) {
+ popd_allow_plaintext)) {
 prot_printf(popd_out, "-ERR [AUTH] USER command only available under a layer\r\n");
 return;
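Review bot: The option string `"skpt:"` in pop3d's service_init attaches the colon to `t` instead of `p`, so `-t` now expects an argument and `-p` no longer takes one. With that string `optarg` is NULL when `-p ssf` is parsed, and the `case 'p'` arm visible in the next hunk passes it straight to `atoi(optarg)`; a bare `-t` either swallows the following option or falls into `usage()`. The imapd hunk gets this right with `"stp:"`; here the line should read `while ((opt = getopt(argc, argv, "sktp:")) != EOF) {`. service_init continues outside the hunk.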
@@ -1386,7 +1393,7 @@ void cmd_capa()
 if (!popd_mailbox && !backend && (kflag || popd_starttls_done || (extprops_ssf > 1)
- || config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) {
+ || popd_allow_plaintext)) {
 prot_printf(popd_out, "USER\r\n");
 }
diff -Naurp cyrus-imapd-2.3.12p2/man/imapd.8 cyrus-imapd-2.3.12p2.oden/man/imapd.8
--- cyrus-imapd-2.3.12p2/man/imapd.8 2008-04-04 14:46:54.000000000 +0200
+++ cyrus-imapd-2.3.12p2.oden/man/imapd.8 2008-05-18 18:17:29.000000000 +0200
@@ -65,6 +65,9 @@ imapd \- IMAP server process
 .B \-s
 ]
 [
+.B \-t
+]
+[
 .B \-p
 .I ssf
 ]
@@ -138,6 +141,11 @@ Serve IMAP over SSL (imaps). All data t
 .I imapd
 is encrypted using the Secure Sockets Layer.
 .TP
+.BI \-t
+Do not allow the use of cleartext passwords on the wire. Equivalent to setting
+.I allowplaintext: no
+in the configuration file.
+.TP
 .BI \-p " ssf"
 Tell
 .I imapd
diff -Naurp cyrus-imapd-2.3.12p2/man/pop3d.8 cyrus-imapd-2.3.12p2.oden/man/pop3d.8
--- cyrus-imapd-2.3.12p2/man/pop3d.8 2008-04-04 14:47:00.000000000 +0200
+++ cyrus-imapd-2.3.12p2.oden/man/pop3d.8 2008-05-18 18:17:29.000000000 +0200
@@ -65,6 +65,9 @@ pop3d \- POP3 server process
 .B \-s
 ]
 [
+.B \-t
+]
+[
 .B \-k
 ]
 [
@@ -119,6 +122,11 @@ Serve POP3 over SSL (pop3s). All data t
 .I pop3d
 is encrypted using the Secure Sockets Layer.
 .TP
+.BI \-t
+Do not allow the use of cleartext passwords on the wire. Equivalent to setting
+.I allowplaintext: no
+in the configuration file.
+.TP
 .B \-k
 Serve MIT's KPOP (Kerberized POP) protocol instead.
 .TP