When the connection to the backend IMAP server is already TLS encrypted, guam doesn't really care about what is being entered on the unencrypted IMAP port 143.
The default configuration provided by the Kolab:16 packages always proxies to the SSL cyrus imapd, and therefore it is possible to authenticate without the connection between client and guam being encrypted.
Port 143 is served by guam:
# netstat -lanp | grep :::.*beam
tcp6       0      0 :::993                  :::*                    LISTEN      26956/beam.smp
tcp6       0      0 :::143                  :::*                    LISTEN      26956/beam.smp
netcat session:
$ nc localhost 143
* OK [CAPABILITIES IMAP4rev1 STARTTLS LITERAL+ ID ENABLE SASL-IR LOGINDISABLED] kolab Cyrus IMAP 2.5.10-49-g2e214b4-Debian-2.5.10.49-0~kolab1 server ready
a0001 AUTHENTICATE PLAIN xxxxxxxxxxxxxxxxxxxxxx
a0001 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY LOGINDISABLED X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] Success (tls protection) SESSIONID=<kolab-26555-1481325756-1-17824217024115701091>
a0004 LSUB "" "*"
* LSUB (\Noinferiors) "/" INBOX
* LSUB () "/" Drafts
* LSUB () "/" Sent
* LSUB () "/" Spam
* LSUB () "/" Trash
a0004 OK Completed (0.000 secs 15 calls)
Default configuration provided by the Kolab:16 package:
https://git.kolab.org/file/data/iinxl4zrxlxuxve57rmi/PHID-FILE-jdmamxgvbwwgd5wfsuis/guam.sys.config.tpl
Workaround:
When I configure two separate backends (143 --> 1143 and 993 --> 1993) and assign them correctly, I can force the need for an encrypted connection. To fix the default installation we would have to enable IMAP instances for port 1143 in cyrus.conf and add a second backend.
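The netcat session above and the re-check after the workaround, as an added example that is not part of this report or of Guam/Kolab: a small probe that connects to the IMAP port without TLS, reads the greeting, sends AUTHENTICATE PLAIN (with the SASL-IR initial response, as in the session) and records whether the server answered OK. Note that the greeting advertises LOGINDISABLED, which only covers the LOGIN command, and the "(tls protection)" in the OK line refers to the guam-to-cyrus leg, not the client connection. The replay server is a constructed stand-in so the script runs offline: its greeting is copied from the session, the accepting reply is abbreviated, and the PRIVACYREQUIRED rejection for the hardened case is an assumption about how a fixed proxy might answer, not Guam's actual behaviour.

```python
"""Probe an IMAP port for authentication without TLS (added example, not Guam code).

Connects WITHOUT TLS, reads the greeting, sends AUTHENTICATE PLAIN and records
whether the server answered OK, i.e. whether credentials were accepted over a
cleartext client connection. A constructed replay server lets it run offline.
"""
import base64
import socket
import sys
import threading
from dataclasses import dataclass


@dataclass
class ProbeResult:
    greeting_caps: list          # capabilities advertised in the untagged greeting
    auth_status: str             # first word of the tagged AUTHENTICATE reply: OK/NO/BAD
    accepted_plaintext_auth: bool


def _readline(f):
    line = f.readline()
    if not line:
        raise ConnectionError("connection closed by server")
    return line.decode("utf-8", "replace").rstrip("\r\n")


def _caps_from_greeting(line):
    # Greeting looks like: * OK [CAPABILITIES IMAP4rev1 STARTTLS ... LOGINDISABLED] text
    start, end = line.find("["), line.find("]")
    if start < 0 or end < start:
        return []
    words = line[start + 1:end].split()
    if words and words[0].upper() in ("CAPABILITY", "CAPABILITIES"):
        words = words[1:]
    return [w.upper() for w in words]


def probe_plaintext_auth(sock, user, password, tag="a0001"):
    """Run the check on an already connected, non-TLS socket."""
    f = sock.makefile("rb")
    greeting = _readline(f)
    if not greeting.startswith("* OK"):
        raise ValueError("unexpected greeting: " + greeting)
    caps = _caps_from_greeting(greeting)
    # SASL PLAIN message per RFC 4616: \0authcid\0password, base64-encoded.
    sasl = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())
    if "SASL-IR" in caps:
        # Initial response on the command line, as in the netcat session.
        sock.sendall(tag.encode() + b" AUTHENTICATE PLAIN " + sasl + b"\r\n")
        reply = _readline(f)
    else:
        sock.sendall(tag.encode() + b" AUTHENTICATE PLAIN\r\n")
        reply = _readline(f)
        if reply.startswith("+"):          # server asks for the SASL message
            sock.sendall(sasl + b"\r\n")
            reply = _readline(f)
    while not reply.startswith(tag + " "):  # skip untagged lines
        reply = _readline(f)
    status = reply[len(tag) + 1:].split(" ", 1)[0].upper()
    sock.sendall(b"a0002 LOGOUT\r\n")
    try:
        while not _readline(f).startswith("a0002 "):
            pass
    except ConnectionError:
        pass
    return ProbeResult(caps, status, status == "OK")


# Constructed stand-in for guam+cyrus so the probe can run offline. The greeting
# is copied from the report's netcat session; the OK reply is abbreviated.
REPLAY_GREETING = ("* OK [CAPABILITIES IMAP4rev1 STARTTLS LITERAL+ ID ENABLE SASL-IR "
                   "LOGINDISABLED] kolab Cyrus IMAP server ready\r\n")


def replay_server(conn, accept_plaintext):
    """accept_plaintext=True mimics the reported default; False mimics a proxy that
    refuses AUTHENTICATE on a session that never issued STARTTLS (assumed behaviour;
    the PRIVACYREQUIRED response code is from RFC 5530)."""
    f = conn.makefile("rb")
    try:
        conn.sendall(REPLAY_GREETING.encode())
        while True:
            line = f.readline()
            if not line:
                break
            tag, _, rest = line.decode("utf-8", "replace").rstrip("\r\n").partition(" ")
            cmd = rest.split(" ", 1)[0].upper()
            if cmd == "AUTHENTICATE" and accept_plaintext:
                conn.sendall(f"{tag} OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE] Success (tls protection)\r\n".encode())
            elif cmd == "AUTHENTICATE":
                conn.sendall(f"{tag} NO [PRIVACYREQUIRED] STARTTLS required before AUTHENTICATE\r\n".encode())
            elif cmd == "LOGOUT":
                conn.sendall(f"* BYE\r\n{tag} OK Completed\r\n".encode())
                break
            else:
                conn.sendall(f"{tag} BAD Not implemented in replay\r\n".encode())
    except OSError:
        pass
    finally:
        conn.close()


def run_probe_against_replay(accept_plaintext, user="user@example.org", password="secret"):
    """Wire probe and replay server together over a socketpair (offline, constructed input)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=replay_server, args=(server, accept_plaintext), daemon=True)
    t.start()
    try:
        return probe_plaintext_auth(client, user, password)
    finally:
        client.close()
        t.join(timeout=2)


if __name__ == "__main__":
    # Against a real host: python3 probe.py HOST PORT USER PASSWORD
    host, port, user, password = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    with socket.create_connection((host, port), timeout=10) as s:
        r = probe_plaintext_auth(s, user, password)
    print("greeting caps:", " ".join(r.greeting_caps))
    print("AUTHENTICATE PLAIN over cleartext ->", r.auth_status,
          "(credentials accepted without TLS)" if r.accepted_plaintext_auth else "")
```

Run it against port 143 before and after reconfiguring the backends: with the reported default the tagged reply is OK, which means the password crossed the client leg in the clear; after the workaround the expected result is a NO or a connection that never gets past STARTTLS. Use a throwaway test account, since the probe deliberately sends credentials unencrypted.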
Other Problem
If you want to offload the SSL encryption and only talk plaintext to the backend, there is no way to disallow plaintext authentication.
Possible Solution/Enhancement
Adding a filter/rule to disallow plaintext authentication over unencrypted sessions. This could be done in a similar fashion to the groupware folder filterset.