Nathan M
2009-Aug-27 01:27 UTC
[Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
Traditionally this server has only accepted plaintext authentications; however, we want to change that and enable TLS/SSL. The challenge is the server has hundreds of IP addresses it binds to to listen on ports 110/143. Enabling TLS/SSL is not an option because as this is a virtual hosting environment, if a connection comes in on any other hostname other than the specific one tied to the crt all mail clients will throw a mis-matched certificate error if TLS is initiated by the client, and a surprisingly large number of customers have "use TLS if available" selected in their clients. According to most of the suggestions on the list, I've setup 2 dovecot instances. The first listening on *:110 and *:143, and the second listening on 10.0.0.2:993 and 10.0.0.2:995. This works great for SSL support; however, I would also like to offer TLS to connections coming in on a single IP address. Because the server has hundreds of IPs, with new IPs adding all the time, seemingly the only way would be to configure every one of these IPs (as they occur) into the primary dovecot.conf file, and then only setup the single IP that's handling SSL/TLS in the dovecot-ssl.conf (the conf file the SSL/TLS instance loads). This can be time consuming and has no way to automate. It would be terrific if one of the following exists, or potentially could exist: 1. Ideal scenario. A config option which tells TLS to only respond on certain IPs. In our case if a connection attempts to initiate TLS on any IP address except 10.0.0.2, it would respond with no TLS support. This would be ideal as we could continue running just a single dovecot instance. 2. Secondary scenario. A way to exclude an IP from being bound to. Something like the following to bind to all except 10.0.0.2 listen = *:110, -10.0.0.2 As is, based on my understanding of the config neither of these are options. Any support for adding either of these options, or alternate ideas anyone might have? - N
Jase Thew
2009-Aug-27 06:20 UTC
[Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
On 27/08/2009 02:27, Nathan M wrote:> 1. Ideal scenario. A config option which tells TLS to only respond on > certain IPs. In our case if a connection attempts to initiate TLS on > any IP address except 10.0.0.2, it would respond with no TLS support. > This would be ideal as we could continue running just a single dovecot > instance. > >You could use your local flavour of firewall (iptables, ipfw, pf, whatever) with a rule to pass inbound TCP to 10.0.0.2:993 and then a following rule to drop all other inbound TCP to port 993 ? Regards, Jase.
Michael Orlitzky
2009-Aug-27 07:03 UTC
[Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
Nathan M wrote:> Traditionally this server has only accepted plaintext authentications; > however, we want to change that and enable TLS/SSL. The challenge is > the server has hundreds of IP addresses it binds to to listen on ports > 110/143.It may be 3am, but I'm pretty sure that this is the part of your setup that doesn't make sense. Why does your POP/IMAP server need to be accessed via so many addresses?
Timo Sirainen
2009-Aug-27 13:54 UTC
[Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
On Wed, 2009-08-26 at 18:27 -0700, Nathan M wrote:> 1. Ideal scenario. A config option which tells TLS to only respond on > certain IPs. In our case if a connection attempts to initiate TLS on > any IP address except 10.0.0.2, it would respond with no TLS support. > This would be ideal as we could continue running just a single dovecot > instance.Dovecot v2.0 supports this. I'm hoping to get the first alpha version out in a month or two. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20090827/965e6286/attachment-0002.bin>
Nathan M
2009-Aug-27 14:40 UTC
[Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
On Thu, Aug 27, 2009 at 6:54 AM, Timo Sirainen<tss at iki.fi> wrote:> On Wed, 2009-08-26 at 18:27 -0700, Nathan M wrote: >> 1. Ideal scenario. ?A config option which tells TLS to only respond on >> certain IPs. ?In our case if a connection attempts to initiate TLS on >> any IP address except 10.0.0.2, it would respond with no TLS support. >> This would be ideal as we could continue running just a single dovecot >> instance. > > Dovecot v2.0 supports this. I'm hoping to get the first alpha version > out in a month or two. >Timo, that's terrific to hear!! I think we'll just support SSL only for now, and when 2.0 is stable we can offer SSL+TLS. Thanks for the absolutely incredible software. - N
Possibly Parallel Threads
- Curious problem: Plaintext authentication disallowed on non-secure (SSL/TLS) [read: all] connections.
- Using plaintext auth and SSL
- Openssl vulnerability - SSL/ TLS Renegotion Handshakes
- PHP API for Manager - Plaintext auth needed?
- Cannot get plaintext auth working on IMAP or POP