Hello all,

I've happily been using Dovecot for a couple of years now, but only a couple of days ago I configured it to speak both TLS and SSL for both POP3 and IMAP. Ideally I want users to use TLS, but I've enabled SSL, because some mailers (at least Apple Mail on OS X Tiger) don't support TLS.

Right now I'm in sort of a transitional phase, where I'm asking users to enable TLS in their email clients, if not enabled already. After a couple of weeks/months I want to disable any (non-local) connections that don't use TLS or SSL.

I already asked on IRC whether this was possible, because I was unable to find this on the Wiki. It turns out there is a configuration switch called `disable_plaintext_auth', but looking at the description this only prevents people from using plain-text username/password authentication. It does not actually enforce TLS or SSL.

My question: is there support to enforce TLS when people connect to non-SSL ports? If someone comes up with a solution, I'll add it to the SSL article on the Wiki.

I'm using Dovecot 1.1.7, installed on a FreeBSD 6.4-STABLE system.

Thanks!

-- 
Ed Schouten <ed at 80386.nl>
WWW: http://80386.nl/
On Tue, 2009-01-06 at 14:59 +0100, Ed Schouten wrote:
> I've happily been using Dovecot for a couple of years now, but only a
> couple of days ago I configured it to speak both TLS and SSL for both
> POP3 and IMAP. Ideally I want users to use TLS, but I've enabled SSL,
> because some mailers (at least Apple Mail on OS X Tiger) don't support
> TLS.

BTW. Your TLS/SSL term usage isn't correct. http://wiki.dovecot.org/SSL

> I already asked on IRC whether this was possible, because I was unable
> to find this on the Wiki. It turns out there is a configuration switch
> called `disable_plaintext_auth', but looking at the description this
> only prevents people from using plain-text username/password
> authentication. It does not actually enforce TLS or SSL.
>
> My question: is there support to enforce TLS when people connect to
> non-SSL ports? If someone comes up with a solution, I'll add it to the
> SSL article on the Wiki.

Have you enabled non-plaintext authentication? If not, then disable_plaintext_auth practically does what you want, because you can't authenticate without SSL/TLS.
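A way to verify the condition Timo describes on a running server, added here as an example (it is not from the original thread or from the Dovecot project): it reads the capabilities an IMAP server advertises before STARTTLS and reports whether any authentication path remains open without TLS. The greeting strings are constructed samples, and assess_live is my own helper around Python's imaplib.

```python
# Given the capabilities an IMAP server advertises on a cleartext connection
# (before STARTTLS), decide whether a client could still authenticate without TLS.
import imaplib
import re
from typing import NamedTuple

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password travels in the clear

class AuthExposure(NamedTuple):
    starttls_offered: bool
    login_command_allowed: bool  # True unless LOGINDISABLED is advertised
    cleartext_mechs: frozenset   # AUTH=PLAIN / AUTH=LOGIN offered pre-TLS
    other_mechs: frozenset       # e.g. CRAM-MD5: usable with no TLS at all

    @property
    def tls_enforced(self) -> bool:
        """True only if nothing lets a client authenticate before STARTTLS."""
        return not (self.login_command_allowed or self.cleartext_mechs
                    or self.other_mechs)

def parse_capabilities(line: str) -> list:
    """Capability list from a greeting's [CAPABILITY ...] or a '* CAPABILITY' reply."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line)
         or re.search(r"^\* CAPABILITY (.*)$", line, re.M))
    if m is None:
        raise ValueError("no CAPABILITY list in: %r" % line)
    return m.group(1).split()

def assess(caps) -> AuthExposure:
    caps = {c.upper() for c in caps}
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    return AuthExposure(
        starttls_offered="STARTTLS" in caps,
        login_command_allowed="LOGINDISABLED" not in caps,
        cleartext_mechs=frozenset(mechs & CLEARTEXT_MECHS),
        other_mechs=frozenset(mechs - CLEARTEXT_MECHS),
    )

def assess_live(host: str, port: int = 143) -> AuthExposure:
    """Same check against a live server (needs network; not exercised here)."""
    conn = imaplib.IMAP4(host, port)  # imaplib reads the pre-TLS capabilities
    try:
        return assess(conn.capabilities)
    finally:
        conn.logout()

# Constructed greetings (not captured), in the shape Dovecot sends them:
GREETING_PLAIN_OK = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."
GREETING_ENFORCED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."
GREETING_CRAM = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5] Dovecot ready."
```

With disable_plaintext_auth = yes and only plain/login mechanisms enabled, a cleartext connection should look like GREETING_ENFORCED; a non-plaintext mechanism such as CRAM-MD5 shows up as other_mechs and keeps tls_enforced false.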
On 2009-01-06, Timo Sirainen <tss at iki.fi> wrote:
>
>> I already asked on IRC whether this was possible, because I was unable
>> to find this on the Wiki. It turns out there is a configuration switch
>> called `disable_plaintext_auth', but looking at the description this
>> only prevents people from using plain-text username/password
>> authentication. It does not actually enforce TLS or SSL.
>>
>> My question: is there support to enforce TLS when people connect to
>> non-SSL ports? If someone comes up with a solution, I'll add it to the
>> SSL article on the Wiki.
>
> Have you enabled non-plaintext authentication? If not, then
> disable_plaintext_auth practically does what you want, because you can't
> authenticate without SSL/TLS.

We have the opposite requirement... Is it possible to enable SSL on the POPS/IMAPS port, without also enabling STARTTLS on the POP/IMAP ports?

We're hosting many mail domains on the same IP addresses, and offer mail.$partnername.com as POP/IMAP server. Now we'd like to also offer a single name for POPS/IMAPS with a non-per-partner-branded name, mail.securedomain.com, on the same set of servers as the non-SSL version of Dovecot is running. This is mostly to avoid needing lots of SSL certificates.

We're afraid that if we enable STARTTLS, many of our existing clients will automatically try using SSL towards the wrong name, and get ugly SSL warnings about certificate mismatch.

-jf
On T 6 Jan, 2009, at 14:59 , Ed Schouten wrote:
> My question: is there support to enforce TLS when people connect to
> non-SSL ports? If someone comes up with a solution, I'll add it to the
> SSL article on the Wiki.
>
> I'm using Dovecot 1.1.7, installed on a FreeBSD 6.4-STABLE system.

Not sure I understand the question correctly; if I do, then the answer would be you cannot. If the client wants to speak plain it will.

I do not see why you would want to keep on listening on port 143 if you want to enforce SSL, but if you really want to:

  protocol imap {
    listen = 127.0.0.1:143
    ssl_listen = *:993 <interface-ip>:143
  }

You can of course drop <interface-ip>:143.

Giuliano