dovecot - Jan 2009 - Enforcing STARTTLS for all mechs while disabling imaps

Hi all,

Is there a way to enforce STARTTLS for all connections, regardless their
authentication mechanism? disable_plaintext_auth only takes care of the auth
conversation, but I would like to have all communication encrypted.

As far as I can see, this would only be possible when using imaps and
disabling imap. However, I would like to have the other way around;
disabling imaps and using imap for all communication (with enforced
STARTTLS).
Am I missing something?

Durk

On 1/15/2009, Durk Strooisma (durk at kern.nl) wrote:
> As far as I can see, this would only be possible when using imaps and
> disabling imap. However, I would like to have the other way around;
> disabling imaps and using imap for all communication (with enforced
> STARTTLS).
> Am I missing something?
Yes... an explanation for why you want/need to do this...

If you just don't want to force users to change their MUA config, you
could just disable imap, and redirect port 143 to 993 in your
firewall/router... but the client will have to be configured to at least
attempt STARTTLS...

-- 

Best regards,

Charles

On Thu, 2009-01-15 at 10:26 +0100, Durk Strooisma wrote:
> Hi all,
> 
> Is there a way to enforce STARTTLS for all connections, regardless their
> authentication mechanism? disable_plaintext_auth only takes care of the
auth
> conversation, but I would like to have all communication encrypted.
> 
> As far as I can see, this would only be possible when using imaps and
> disabling imap. However, I would like to have the other way around;
> disabling imaps and using imap for all communication (with enforced
> STARTTLS).
> Am I missing something?
Not possible currently. 

Hmm. I don't want to add a new setting for this, but some existing one
could be updated/replaced.. Perhaps ssl_disable=required? Although that
sounds weird. Maybe deprecate that setting and have ssl=yes/no/required.

Anyway you could modify the sources pretty easily to do this. In
src/imap-login/client-authenticate.c function cmd_authenticate() add
before mech_name line something like:

	if (!client->common.secured && disable_plaintext_auth) {
		if (verbose_auth) {
			client_syslog(&client->common, "Login failed: "
				      "STARTTLS not enabled");
		}
		client->common.auth_attempts++;
		client_send_line(client, "* NO [ALERT] STARTTLS requires");
		client_send_tagline(client, "NO STARTTLS required");
		return 1;
	}

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20090115/f8839cbd/attachment-0002.bin>

Hi Timo,
> Not possible currently.
Okay.
> Hmm. I don't want to add a new setting for this, but some existing one
> could be updated/replaced.. Perhaps ssl_disable=required? Although that
> sounds weird. Maybe deprecate that setting and have
> ssl=yes/no/required.
The setting "ssl" sounds fine. In case you're going to implement
this
feature, for which release would that be?
> Anyway you could modify the sources pretty easily to do this. In
> src/imap-login/client-authenticate.c function cmd_authenticate() add
> before mech_name line something like:
>
> 	if (!client->common.secured && disable_plaintext_auth) {
> 		if (verbose_auth) {
> 			client_syslog(&client->common, "Login failed: "
> 				      "STARTTLS not enabled");
> 		}
> 		client->common.auth_attempts++;
> 		client_send_line(client, "* NO [ALERT] STARTTLS requires");
> 		client_send_tagline(client, "NO STARTTLS required");
> 		return 1;
> 	}
Thanks for the info!

Durk