I have a Dovecot cluster which is on separate machines from my webmail/caldav/cardav cluster, and I currently have the system setup with ssl = required. Unfortunately the caldav/cardav server I am running doesn't support STARTTLS so I was wondering if there is a way to still enforce ssl for every connection with the exception of a certain subnet, or if there is a better way to accomplish this without install a local install of Dovecot on each of my caldav/cardav servers.
Am 08.12.2014 um 19:41 schrieb List:> I have a Dovecot cluster which is on separate machines from my > webmail/caldav/cardav cluster, and I currently have the system setup > with ssl = required. Unfortunately the caldav/cardav server I am > running doesn't support STARTTLS so I was wondering if there is a way to > still enforce ssl for every connection with the exception of a certain > subnet, or if there is a better way to accomplish this without install a > local install of Dovecot on each of my caldav/cardav servers.perhaps this helps http://wiki2.dovecot.org/SSL/DovecotConfiguration?highlight=%28trusted%29 There are a couple of different ways to specify when SSL/TLS is required: disable_plaintext_auth=yes allows plaintext authentication only when SSL/TLS is used first. ssl = required requires SSL/TLS also for non-plaintext authentication. If you have only plaintext mechanisms enabled (auth { mechanisms plain login } ), you can use either (or both) of the above settings. They behave exactly the same way then. Note that plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they're assumed to be secure anyway. This applies to all connections where the local and the remote IP addresses are equal. Also IP ranges specified by login_trusted_networks setting are assumed to be secure.<<<< Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstra?e 15, 81669 M?nchen Sitz der Gesellschaft: M?nchen, Amtsgericht M?nchen: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
On 12/8/14, 1:45 PM, Robert Schetterer wrote:> Am 08.12.2014 um 19:41 schrieb List: >> I have a Dovecot cluster which is on separate machines from my >> webmail/caldav/cardav cluster, and I currently have the system setup >> with ssl = required. Unfortunately the caldav/cardav server I am >> running doesn't support STARTTLS so I was wondering if there is a way to >> still enforce ssl for every connection with the exception of a certain >> subnet, or if there is a better way to accomplish this without install a >> local install of Dovecot on each of my caldav/cardav servers. > perhaps this helps > > http://wiki2.dovecot.org/SSL/DovecotConfiguration?highlight=%28trusted%29 > > > There are a couple of different ways to specify when SSL/TLS is required: > > disable_plaintext_auth=yes allows plaintext authentication only when > SSL/TLS is used first. > > ssl = required requires SSL/TLS also for non-plaintext authentication. > > If you have only plaintext mechanisms enabled (auth { mechanisms > plain login } ), you can use either (or both) of the above settings. > They behave exactly the same way then. > > Note that plaintext authentication is always allowed (and SSL not > required) for connections from localhost, as they're assumed to be > secure anyway. This applies to all connections where the local and the > remote IP addresses are equal. Also IP ranges specified by > login_trusted_networks setting are assumed to be secure.<<<< > > > > Best Regards > MfG Robert Schetterer >Essentially we would like to host IMAP with SSL enforced for any connections coming from anywhere except the subnet where our other mail servers reside. The idea is to not install a local instance of dovecot on the webmail/carddav/caldav servers to reduce the number of instances that need to be managed. Is it possible to have two imap listeners, where ssl is enforced on one port, and not on another?