Rainer Frey
2006-May-08 07:51 UTC
[Dovecot] Encrypted IMAP only from Internet, unencrypted POP3 from internal network
Hi,

we have the following situation: I migrated our company mailserver from POP3 only to dovecot with IMAP and POP. We need to have unencrypted POP3 from our internal network, and the subnet our mailserver is in. Additionally, we now want to allow encrypted IMAP from the internet (for some defined accounts), preferably with TLS (which means I open Port 143 in our firewall).

Now, how can I achieve that they can't use unencrypted plaintext authentication from Internet, while I allow unencrypted POP3 from the mailserver and private network? (I can require using encryption for IMAP from our internal net, but I must have unencrypted POP3 as we use software that retrieves mail via POP3 that doesn't support encryption).

My idea was:
- use disable_plaintext_auth for IMAP only
- use disable_plaintext_auth for internet, but not our networks
- allow connection from the internet only for certain accounts, and limit them to use encryption

Internet access for POP3 is not necessary.

Is any of this possible with dovecot? Or another way to achieve my goal? Non-plaintext authentication is not possible, as we use linux system accounts with shadow passwords.

TIA
Rainer Frey
--
Software Development
------------------------------------------------------
Inxmail GmbH

Les Mikesell
2006-May-08 13:02 UTC
[Dovecot] Encrypted IMAP only from Internet, unencrypted POP3 from internal network
On Mon, 2006-05-08 at 02:51, Rainer Frey wrote:
> Additionally, we now want to allow encrypted IMAP from the internet (for
> some defined accounts), preferably with TLS (which means I open Port
> 143 in our firewall).

Keep in mind that you can't keep the users from sending plain text passwords. All you can do on the server side is make it not work when they do - but that doesn't mean they'll stop doing it. You might be better off using imaps on port 993. Also, I've found encrypted pop to be handy for some devices that don't do imap (like my sprint treo phone).

--
Les Mikesell
lesmikesell at gmail.com

Timo Sirainen
2006-May-08 13:29 UTC
[Dovecot] Encrypted IMAP only from Internet, unencrypted POP3 from internal network
On Mon, 2006-05-08 at 09:51 +0200, Rainer Frey wrote:
> My idea was:
> - use disable_plaintext_auth for IMAP only
> - use disable_plaintext_auth for internet, but not our networks
> - allow connection from the internet only for certain accounts, and
> limit them to use encryption
>
> Internet access for POP3 is not necessary.

Well, Dovecot can't give different settings based on where the connection comes from (although this is planned for v2.0). For now the best you could do is:

    protocol imap {
      disable_plaintext_auth = yes
    }
    protocol pop3 {
      disable_plaintext_auth = no
    }

At least I think that works.
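
An added example, not part of the thread and not Dovecot's own code: a way to confirm from the client side that the per-protocol setting took effect on port 143, by checking what the server advertises before STARTTLS. It assumes a server that refuses cleartext logins announces the RFC 3501 `LOGINDISABLED` capability; the two banners are constructed samples and the function names are hypothetical.

```python
import imaplib
import re

# Constructed sample banners (not captured from a real server).
HARDENED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."
WEAK = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"


def parse_capabilities(line: str) -> set:
    """Extract capability atoms from an IMAP greeting or CAPABILITY response."""
    # Greeting form carries the list in a bracketed response code.
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
    if not m:
        # Untagged form: "* CAPABILITY atom atom ..."
        m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I)
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def audit_cleartext_imap(caps: set) -> list:
    """Return findings for capabilities seen on port 143 before STARTTLS."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: clients cannot upgrade to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: cleartext LOGIN is not announced as refused")
    if "AUTH=PLAIN" in caps or "AUTH=LOGIN" in caps:
        findings.append("plaintext SASL mechanism advertised before TLS")
    return findings


def audit_host(host: str, port: int = 143) -> list:
    """Live check: connect without TLS, read the pre-TLS capabilities, log out."""
    conn = imaplib.IMAP4(host, port)
    try:
        return audit_cleartext_imap({c.upper() for c in conn.capabilities})
    finally:
        conn.logout()


if __name__ == "__main__":
    for banner in (HARDENED, WEAK):
        print(banner, "->", audit_cleartext_imap(parse_capabilities(banner)) or "ok")
```

Run `audit_host` from a machine outside the mail server itself: Dovecot treats a connection from its own IP as secure, so a check from localhost does not show what Internet clients see.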