diff -Naurp cyrus-imapd-2.3.13/imap/imapd.c cyrus-imapd-2.3.13.oden/imap/imapd.c --- cyrus-imapd-2.3.13/imap/imapd.c 2008-12-16 12:26:39.000000000 +0100 +++ cyrus-imapd-2.3.13.oden/imap/imapd.c 2008-12-16 12:25:47.000000000 +0100 @@ -121,6 +121,7 @@ static char shutdownfilename[1024]; static int imaps = 0; static sasl_ssf_t extprops_ssf = 0; static int nosaslpasswdcheck = 0; +static int imapd_allow_plaintext = 0; /* PROXY STUFF */ /* we want a list of our outgoing connections here and which one we're @@ -664,7 +665,10 @@ int service_init(int argc, char **argv, snmp_connect(); /* ignore return code */ snmp_set_str(SERVER_NAME_VERSION,CYRUS_VERSION); - while ((opt = getopt(argc, argv, "sp:N")) != EOF) { + /* set defaults for allowplaintext */ + imapd_allow_plaintext=config_getswitch(IMAPOPT_ALLOWPLAINTEXT); + + while ((opt = getopt(argc, argv, "stp:N")) != EOF) { switch (opt) { case 's': /* imaps (do starttls right away) */ imaps = 1; @@ -681,6 +685,9 @@ int service_init(int argc, char **argv, * you know what you're doing! */ nosaslpasswdcheck = 1; break; + case 't': /* allowplaintext: no */ + imapd_allow_plaintext=0; + break; default: break; } @@ -2048,7 +2055,7 @@ void cmd_login(char *tag, char *user) /* possibly disallow login */ if (!imapd_starttls_done && (extprops_ssf < 2) && - !config_getswitch(IMAPOPT_ALLOWPLAINTEXT) && + !imapd_allow_plaintext && !is_userid_anonymous(canon_user)) { eatline(imapd_in, ' '); prot_printf(imapd_out, "%s NO Login only available under a layer\r\n", @@ -2693,7 +2700,7 @@ void capa_response(int flags) } if (imapd_authstate || (!imapd_starttls_done && (extprops_ssf < 2) && - !config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) { + !imapd_allow_plaintext)) { prot_printf(imapd_out, " LOGINDISABLED"); } diff -Naurp cyrus-imapd-2.3.13/imap/pop3d.c cyrus-imapd-2.3.13.oden/imap/pop3d.c --- cyrus-imapd-2.3.13/imap/pop3d.c 2008-12-16 12:26:39.000000000 +0100 +++ cyrus-imapd-2.3.13.oden/imap/pop3d.c 2008-12-16 12:22:03.000000000 +0100 @@ -134,6 +134,7 @@ struct msg { static sasl_ssf_t extprops_ssf = 0; static int pop3s = 0; int popd_starttls_done = 0; +static int popd_allow_plaintext = 0; static struct mailbox mboxstruct; @@ -431,7 +432,10 @@ int service_init(int argc __attribute__( fatal(error_message(r), EC_CONFIG); } - while ((opt = getopt(argc, argv, "skp:")) != EOF) { + /* set defaults for allowplaintext */ + popd_allow_plaintext=config_getswitch(IMAPOPT_ALLOWPLAINTEXT); + + while ((opt = getopt(argc, argv, "skpt:")) != EOF) { switch(opt) { case 's': /* pop3s (do starttls right away) */ pop3s = 1; @@ -450,6 +454,9 @@ int service_init(int argc __attribute__( extprops_ssf = atoi(optarg); break; + case 't': /* allowplaintext: no */ + popd_allow_plaintext=0; + break; default: usage(); } @@ -1219,7 +1226,7 @@ void cmd_user(char *user) /* possibly disallow USER */ if (!(kflag || popd_starttls_done || (extprops_ssf > 1) || - config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) { + popd_allow_plaintext)) { prot_printf(popd_out, "-ERR [AUTH] USER command only available under a layer\r\n"); return; @@ -1389,7 +1396,7 @@ void cmd_capa() if (!popd_authstate && (kflag || popd_starttls_done || (extprops_ssf > 1) - || config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) { + || popd_allow_plaintext)) { prot_printf(popd_out, "USER\r\n"); } diff -Naurp cyrus-imapd-2.3.13/man/imapd.8 cyrus-imapd-2.3.13.oden/man/imapd.8 --- cyrus-imapd-2.3.13/man/imapd.8 2008-08-20 22:41:16.000000000 +0200 +++ cyrus-imapd-2.3.13.oden/man/imapd.8 2008-12-16 12:22:03.000000000 +0100 @@ -68,6 +68,9 @@ imapd \- IMAP server process .B \-N ] [ +.B \-t +] +[ .B \-p .I ssf ] @@ -144,6 +147,11 @@ is encrypted using the Secure Sockets La .BI \-N Bypass password checking. (Not recommended unless you know what you're doing.) .TP +.BI \-t +Do not allow the use of cleartext passwords on the wire. Equivalent to setting +.I allowplaintext: no +in the configuration file. +.TP .BI \-p " ssf" Tell .I imapd diff -Naurp cyrus-imapd-2.3.13/man/pop3d.8 cyrus-imapd-2.3.13.oden/man/pop3d.8 --- cyrus-imapd-2.3.13/man/pop3d.8 2008-04-04 14:47:00.000000000 +0200 +++ cyrus-imapd-2.3.13.oden/man/pop3d.8 2008-12-16 12:22:03.000000000 +0100 @@ -65,6 +65,9 @@ pop3d \- POP3 server process .B \-s ] [ +.B \-t +] +[ .B \-k ] [ @@ -119,6 +122,11 @@ Serve POP3 over SSL (pop3s). All data t .I pop3d is encrypted using the Secure Sockets Layer. .TP +.BI \-t +Do not allow the use of cleartext passwords on the wire. Equivalent to setting +.I allowplaintext: no +in the configuration file. +.TP .B \-k Serve MIT's KPOP (Kerberized POP) protocol instead. .TP