Hello List,

I want to allow plain text passwords only on ssl/tls.

Is it possible to have:

auth default {
  mechanisms = cram-md5 ntlm
  ......
}

and then override this when the connection is ssl/tls to allow plain and login?

I have tried adding "mechanisms = plain login cram-md5 ntlm" to "protocol imaps{}" as an example but I get an error that the protocol does not exist.

I read somewhere today that dovecot enables plain automatically over secure connections (ssl/tls) but I'm not seeing it.

Also, "auth default" suggests that "auth something_else" is possible.

I'm probably just doing a poor job of research but I'm not finding the answers I'm seeking.

Using postfix and lda.

# openssl s_client -connect localhost:993
# a01 capability
* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED I18NLEVEL=1 AUTH=CRAM-MD5 AUTH=NTLM
a01 OK Capability completed.

Note about below: the fd limit is increased by a management script.

# dovecot -n
# 1.1.3: /opt/local/etc/dovecot/dovecot.conf
Warning: fd limit 256 is lower than what Dovecot can use under full load (more than 768).
Either grow the limit or change login_max_processes_count and max_mail_processes settings
log_path: /opt/local/var/ispbox/log/mail/dovecot.log
protocols: imap imaps pop3 pop3s
ssl_cert_file: /opt/local/etc/ssl/certs/dovecot.pem
ssl_key_file: /opt/local/etc/ssl/private/dovecot.pem
login_dir: /opt/local/var/run/dovecot/login
login_executable(default): /opt/local/libexec/dovecot/imap-login
login_executable(imap): /opt/local/libexec/dovecot/imap-login
login_executable(pop3): /opt/local/libexec/dovecot/pop3-login
mail_location: dbox:/opt/local/var/ispbox/mail/%d/%n/dbox
mail_executable(default): /opt/local/libexec/dovecot/imap
mail_executable(imap): /opt/local/libexec/dovecot/imap
mail_executable(pop3): /opt/local/libexec/dovecot/pop3
mail_plugin_dir(default): /opt/local/lib/dovecot/imap
mail_plugin_dir(imap): /opt/local/lib/dovecot/imap
mail_plugin_dir(pop3): /opt/local/lib/dovecot/pop3
auth default:
  mechanisms: cram-md5 ntlm
  passdb:
    driver: sql
    args: /opt/local/etc/dovecot/dovecot_mysql.conf
  userdb:
    driver: prefetch
  userdb:
    driver: sql
    args: /opt/local/etc/dovecot/dovecot_mysql.conf
  socket:
    type: listen
    client:
      path: /opt/local/var/spool/postfix/private/auth
      mode: 432
      user: _postfix
      group: _postfix
    master:
      path: /opt/local/var/run/dovecot/auth-master
      mode: 384
      user: _vmail

Thanks for any tips,

//Bradley
On Tue, 2009-03-03 at 10:48 -0800, Bradley Giesbrecht wrote:
> I want to allow plain text passwords only on ssl/tls.

The default settings do that.

> Is it possible to have:
> auth default {
> mechanisms = cram-md5 ntlm

mechanisms = plain cram-md5 ntlm

And then verify that you have disable_plaintext_auth=yes, which is also the default.

When testing make sure you don't test it from local server, because Dovecot treats local IPs as trusted.
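A way to verify the behaviour Timo describes (PLAIN offered only once TLS is up, LOGINDISABLED on the plaintext port), added here as an example and not taken from the thread or from Dovecot itself. It assumes POSIX sh, grep, openssl s_client and nc; the host and port arguments are placeholders, and per Timo's advice the live probe must run from a non-local machine.

```shell
#!/bin/sh
# Added example: classify an IMAP CAPABILITY line as a defender would when
# checking disable_plaintext_auth=yes, and optionally fetch one from a server.
# Assumes POSIX sh, grep, openssl s_client and nc (all assumptions).

# Prints one of:
#   plain-offered        AUTH=PLAIN or AUTH=LOGIN advertised (expected only
#                        over TLS, or from a "trusted" local IP)
#   plaintext-disabled   LOGINDISABLED advertised (expected on a non-TLS
#                        port when disable_plaintext_auth=yes)
#   no-plain-mechanism   neither: PLAIN is missing from "mechanisms", which
#                        is exactly the situation in the original question
classify_caps() {
    caps=" $(printf '%s' "$1" | tr -d '\r') "
    case "$caps" in
        *" AUTH=PLAIN "*|*" AUTH=LOGIN "*) echo plain-offered ;;
        *" LOGINDISABLED "*)               echo plaintext-disabled ;;
        *)                                 echo no-plain-mechanism ;;
    esac
}

imap_cmds() { printf 'a01 capability\r\na02 logout\r\n'; }

# Fetch the untagged CAPABILITY response from a live server.
# $1 host, $2 port, $3 mode: tls (implicit TLS, e.g. 993), starttls, plain
fetch_caps() {
    case "$3" in
        tls)      imap_cmds | openssl s_client -quiet -connect "$1:$2" 2>/dev/null ;;
        starttls) imap_cmds | openssl s_client -quiet -starttls imap -connect "$1:$2" 2>/dev/null ;;
        plain)    imap_cmds | nc -w 3 "$1" "$2" ;;
    esac | grep -m 1 '^\* CAPABILITY'
}

# Constructed sample: the line from the question (port 993 with
# mechanisms = cram-md5 ntlm), so PLAIN was simply never enabled.
SAMPLE_993='* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED I18NLEVEL=1 AUTH=CRAM-MD5 AUTH=NTLM'

# Live usage (placeholder host), run from a non-local machine:
#   classify_caps "$(fetch_caps imap.example.com 993 tls)"     # want plain-offered
#   classify_caps "$(fetch_caps imap.example.com 143 plain)"   # want plaintext-disabled
classify_caps "$SAMPLE_993"
```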
On Mar 3, 2009, at 2:37 PM, Timo Sirainen wrote:
> On Tue, 2009-03-03 at 10:48 -0800, Bradley Giesbrecht wrote:
>> I want to allow plain text passwords only on ssl/tls.
>
> The default settings do that.
>
>> Is it possible to have:
>> auth default {
>> mechanisms = cram-md5 ntlm
>
> mechanisms = plain cram-md5 ntlm
>
> And then verify that you have disable_plaintext_auth=yes, which is also
> the default.

Thank you Timo.

I had removed disable_plaintext_auth from my conf because with it in place it failed to show up in "dovecot -n". I figured I had it in the wrong place. Should disable_plaintext_auth show in "dovecot -n"?

> When testing make sure you don't test it from local server, because
> Dovecot treats local IPs as trusted.

I'll make sure I test from remotes going forward. Thanks.

A couple of us are working on a macports project for dovecot, postfix, mysql, bind9 dlz etc... virtual everything..... If we are successful in producing something of value I'll send you a link to the port. Maybe you would want to add it to some part of your wiki. Also, the way we are building should easily move to BSDs and linux distros. I know there are a bunch of these types of things out there but I didn't find one that was what I was looking for.

//Brad