I'm using Dovecot (1.0.10) locally to test SugarCRM. When I tried to set up a mail account in Sugar, it complains with

--
SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
Please check your settings and try again.
--

don't know if that behaviour is a bug or a feature of php-imap. The case is that I'm unable to set up the mail account in Sugar.

Timo answered me on IRC about Dovecot assuming that a connection from the same ip is considered secured.

I'd rebuild Dovecot with the following patch:

--- dovecot-1.0.10/src/pop3-login/client.c.orig 2008-01-05 00:44:14.000000000 -0500 +++ dovecot-1.0.10/src/pop3-login/client.c 2008-01-05 00:44:30.000000000 -0500 @@ -331,7 +331,7 @@ client->created = ioloop_time; client->refcount = 1; client->common.tls = ssl; - client->common.secured = ssl || net_ip_compare(ip, local_ip); + client->common.secured = ssl; client->common.local_ip = *local_ip; client->common.ip = *ip; ---

but still not able to make it not accept AUTH PLAIN authentication from the same ip. Am I missing something?

On the other hand, if I set disable_plaintext_auth to yes I cannot use the classic USER/PASS pop3 verbs. I'm not sure what the POP3 related RFCs mandate with respect to this.

Regards,
maykel
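
Review bot: the secured assignment is changed only in src/pop3-login/client.c, so it has no effect on a client that connects over IMAP, and AUTH=PLAIN in the reported error is the IMAP capability form; if the IMAP login code carries the same ssl || net_ip_compare(ip, local_ip) expression, it needs the matching change. Dropping net_ip_compare() unconditionally also removes the same-IP exception for every build user, so consider gating it on a setting and adding a comment on the new line saying why a connection from the local IP is no longer treated as secured.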

On Sat, 2008-01-05 at 01:39 -0500, Maykel Moya wrote:
> I'm using Dovecot (1.0.10) locally to test SugarCRM. When I tried to set
> up a mail account in Sugar, it complains with
>
> --
> SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
> Please check your settings and try again.

It wants to connect with SSL/TLS.

> Timo answered me on IRC about Dovecot assuming that a connection from
> the same ip is considered secured.
>
> I'd rebuild Dovecot with the following patch:

..

> but still not able to make it not accept AUTH PLAIN authentication from
> the same ip. Am I missing something?

That patch just disables the plaintext login completely. So it seems that you'd have to configure Sugar and Dovecot to use SSL/TLS.

> On the other hand, if I set disable_plaintext_auth to yes I cannot use
> the classic USER/PASS pop3 verbs. I'm not sure what the POP3 related
> RFCs mandate with respect to this.

If you want to disable plaintext auth only for IMAP, move the disable_plaintext_auth=yes setting inside protocol imap {}.
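
An added example, not part of the thread and not Dovecot or php-imap code: a small check for what an IMAP server advertises on a connection before TLS, which is the condition the client's "advertised AUTH=PLAIN" error is about. The function names and the sample lines are constructed for illustration; the capability atoms (STARTTLS, LOGINDISABLED, AUTH=...) are the standard IMAP ones.

```python
import re

# Constructed sample lines (not captured from a real server).
SAMPLES = {
    "plaintext allowed": "* CAPABILITY IMAP4rev1 SASL-IR STARTTLS AUTH=PLAIN",
    "plaintext disabled": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready.",
    "no TLS offered": "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
}

# SASL mechanisms that send the password itself over the wire.
PLAINTEXT_MECHS = ("AUTH=PLAIN", "AUTH=LOGIN")


def parse_capabilities(line):
    """Return the upper-cased capability atoms from an untagged CAPABILITY
    response, or from a [CAPABILITY ...] response code in a greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
    if m is None:
        m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I)
    if m is None:
        raise ValueError("no CAPABILITY data in line: %r" % line)
    return {atom.upper() for atom in m.group(1).split()}


def audit_cleartext_capabilities(line):
    """List the problems in a capability line seen BEFORE TLS is active.
    An empty list means passwords cannot be sent in the clear."""
    caps = parse_capabilities(line)
    findings = []
    mechs = sorted(c for c in caps if c in PLAINTEXT_MECHS)
    if mechs:
        findings.append("advertises %s before TLS" % ", ".join(mechs))
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command not disabled (no LOGINDISABLED)")
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS offered")
    return findings


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "->", audit_cleartext_capabilities(line) or "ok")
```

Feed it the greeting or CAPABILITY response taken from an unencrypted session to the server under test, before and after changing disable_plaintext_auth.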