I have a mail server running on Centos 7.2 which has been working for my LAN for a long time.

I'm at the point where I have to make it accessible to the internet. At the moment, access can be insecure but as it's on my LAN it isn't an issue.

However, for internet access I wish to force SSL/TLS. Having read the documents I think it's as simple as changing 10-ssl.conf from

ssl = yes

to

ssl = required
remote 10.0.0.0/8 {
  ssl = yes
}

Am I right in thinking that this would make the global value now force SSL/TLS to be required, but for my LAN (10.0.0.0/8) override this with the old value of 'yes'?

Is there a better way to do this?
Have I missed anything?
I believe that this implies

disable_plaintext_auth = no

for all except my LAN. Is that right?
Gary Stainburn
2016-May-05 14:18 UTC
[CentOS] [MASSMAIL] Dovecot on C7.2 - secure internet access
I've tried the changes that I put below. Users are still able to log in from the LAN.

However, despite putting the appropriate rule in my firewall allowing port 143 I cannot create a user on a PC outside my network.

I'm using Thunderbird to do the testing. Is there a better way to test my setup? Thunderbird doesn't give any diagnostic data, it just says it's failed to test the account.

On Thursday 05 May 2016 11:03:34 Gary Stainburn wrote:
> I have a mail server running on Centos 7.2 which has been working for my
> LAN for a long time.
>
> I'm at the point where I have to make it accessible to the internet. At
> the moment, access can be insecure but as it's on my LAN it isn't an issue.
>
> However, for internet access I wish to force SSL/TLS. Having read the
> documents I think it's as simple as changing 10-ssl.conf from
>
> ssl = yes
>
> to
>
> ssl = required
> remote 10.0.0.0/8 {
>   ssl = yes
> }
>
> Am I right in thinking that this would make the global value now force
> SSL/TLS to be required, but for my LAN (10.0.0.0/8) override this with the
> old value of 'yes'?
>
> Is there a better way to do this?
> Have I missed anything?
> I believe that this implies
>
> disable_plaintext_auth = no
>
> for all except my LAN. Is that right?
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk
Alexander Dalloz
2016-May-05 14:34 UTC
[CentOS] [MASSMAIL] Dovecot on C7.2 - secure internet access
On 05.05.2016 at 16:18, Gary Stainburn wrote:
> I've tried the changes that I put below. Users are still able to log in from
> the LAN.
>
> However, despite putting the appropriate rule in my firewall allowing port 143
> I cannot create a user on a PC outside my network.
>
> I'm using Thunderbird to do the testing. Is there a better way to test my
> setup? Thunderbird doesn't give any diagnostic data, it just says it's
> failed to test the account.

Connect with:

openssl s_client -connect <your server IP address>:143 -starttls imap

Then issue IMAP commands:

01 CAPABILITY
02 LOGIN user password
03 LOGOUT

That should be successful and you should have seen the configured AUTH mechanisms.

Now try without transport layer security:

telnet <your server IP address> 143
01 LOGIN user password

That should be forbidden because of LOGINDISABLED.

Regards

Alexander
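The manual openssl/telnet check above, automated as an added example (my own script, not something from the thread or from Dovecot): it parses the IMAP CAPABILITY list a client sees on the plain port-143 connection and reports whether LOGIN is disabled and whether any AUTH= mechanism is still offered before STARTTLS, which is what the disable_plaintext_auth question hinges on. The function names, the sample greetings and the server address are mine; the live check needs network access.

```python
import imaplib
import re
import ssl

# Matches both '* CAPABILITY ...' and the greeting form '* OK [CAPABILITY ...] ...'
CAP_RE = re.compile(r"CAPABILITY ([^\]\r\n]*)", re.IGNORECASE)


def parse_capabilities(line):
    """Return the set of upper-cased capability tokens in one response line."""
    m = CAP_RE.search(line)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def cleartext_policy(caps):
    """Judge what a client on an unencrypted connection may do with credentials.
    Protected means LOGIN is disabled and no SASL mechanism is advertised, so a
    password can only travel after STARTTLS (what ssl = required should give)."""
    mechs = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    return {
        "starttls": "STARTTLS" in caps,
        "login_disabled": "LOGINDISABLED" in caps,
        "auth_mechanisms": mechs,
        "credentials_protected": "LOGINDISABLED" in caps and not mechs,
    }


def check_server(host, port=143):
    """Live check (needs network): read the capability list on the plain
    connection, upgrade with STARTTLS, read it again. imaplib refreshes
    conn.capabilities after a successful STARTTLS."""
    conn = imaplib.IMAP4(host, port)
    before = cleartext_policy(set(conn.capabilities))
    conn.starttls(ssl.create_default_context())
    after = cleartext_policy(set(conn.capabilities))
    conn.logout()
    return {"before_starttls": before, "after_starttls": after}


if __name__ == "__main__":
    # Constructed greetings: a server with ssl = required as seen from the
    # internet, and a LAN-style greeting that still offers plaintext auth.
    samples = {
        "internet": "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.",
        "lan": "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.",
    }
    for name, greeting in samples.items():
        print(name, cleartext_policy(parse_capabilities(greeting)))
    # Against a real host (placeholder name): print(check_server("mail.example.invalid"))
```

With a self-signed certificate the STARTTLS step fails verification; load the server's own certificate into the ssl context rather than disabling verification.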