Does Zimbra support IMAP Secure Authentication?

[zzzzsg]

Hi All

When I select "Use secure authentication" in my IMAP server settings in Thunderbird, I get this error "You cannot log in to myimapserver.domain.com because you have enabled secure authentication and this server does not support it. " (see attached screenshots).

My question - does Zimbra support IMAP Secure Authentication?
Is there anything I should do on the Zimbra server?
Everything seems working in Zimbra - nothing in zimbra.log.
All services running - including saslauthd (although I don't know if this is related to Secure authentication).

I am using Zimbra 3.1 on Fedora 4.
"Use SSL connection" in Thunderbird works, but "Use secure authentication" does not.
I've also enabled both "Use SSL" and "Use secure authentication" at the same time, but it still gave the same error message.

From my understanding, Thunderbird IMAP server settting "Use secure authentication" means that the client and server negotiate whether they want to use CRAM-MD5, MD5-digest or Kerberos to authenticate the user without sending the password across the network.
Now, does Zimbra support this? Can somebody advise?

Thank you very much in anticipation.

gui

[KevinH]

Try using just SSL for IMPA. Make sure in the Admin UI you have SSL enabled for IMAP.

[zzzzsg]

Hi Kevin

I've tried that before and it worked, but that is not what we want.
We don't want the entire IMAP to be SSL.
Only want Secure Authentication.

Thanks.

gui

Try using just SSL for IMPA. Make sure in the Admin UI you have SSL enabled for IMAP.

[KevinH]

Ok then that would be an enhancement request. I don't think we support that today.

[awtohost]

While on the subject zimbra does not support encrypted mails
like PGP or anyother format

[phoenix]

While on the subject zimbra does not support encrypted mails
like PGP or anyother format

Search bugzilla for 'pgp'.

[Rich Graves]

In the 3 years since the original post, Zimbra has added kerberos. Configuration is complex, but big kerberos shops are used to that.

The md5 challenge/response mechanisms require the server to store a cleartext or cleartext-equivalent password, which is generally considered undesirable. Recent null-byte and rekeying news notwithstanding, SSL3/TLS is better... and best is kerberos, client certs, or one-time passwords over TLS.

As for PGP, I'd say that Zimbra is 100% in sync with PGP's security model, which is that user keyrings should never be stored on servers (neither pubring nor secring). Keys should live on your single-user workstation. You can use an IMAP client, or possibly a browser plugin like FireGPG.