Durk Strooisma
2009-Jan-15 09:26 UTC
[Dovecot] Enforcing STARTTLS for all mechs while disabling imaps
Hi all, Is there a way to enforce STARTTLS for all connections, regardless their authentication mechanism? disable_plaintext_auth only takes care of the auth conversation, but I would like to have all communication encrypted. As far as I can see, this would only be possible when using imaps and disabling imap. However, I would like to have the other way around; disabling imaps and using imap for all communication (with enforced STARTTLS). Am I missing something? Durk
Charles Marcus
2009-Jan-15 11:01 UTC
[Dovecot] Enforcing STARTTLS for all mechs while disabling imaps
On 1/15/2009, Durk Strooisma (durk at kern.nl) wrote:> As far as I can see, this would only be possible when using imaps and > disabling imap. However, I would like to have the other way around; > disabling imaps and using imap for all communication (with enforced > STARTTLS). > Am I missing something?Yes... an explanation for why you want/need to do this... If you just don't want to force users to change their MUA config, you could just disable imap, and redirect port 143 to 993 in your firewall/router... but the client will have to be configured to at least attempt STARTTLS... -- Best regards, Charles
Timo Sirainen
2009-Jan-15 15:55 UTC
[Dovecot] Enforcing STARTTLS for all mechs while disabling imaps
On Thu, 2009-01-15 at 10:26 +0100, Durk Strooisma wrote:> Hi all, > > Is there a way to enforce STARTTLS for all connections, regardless their > authentication mechanism? disable_plaintext_auth only takes care of the auth > conversation, but I would like to have all communication encrypted. > > As far as I can see, this would only be possible when using imaps and > disabling imap. However, I would like to have the other way around; > disabling imaps and using imap for all communication (with enforced > STARTTLS). > Am I missing something?Not possible currently. Hmm. I don't want to add a new setting for this, but some existing one could be updated/replaced.. Perhaps ssl_disable=required? Although that sounds weird. Maybe deprecate that setting and have ssl=yes/no/required. Anyway you could modify the sources pretty easily to do this. In src/imap-login/client-authenticate.c function cmd_authenticate() add before mech_name line something like: if (!client->common.secured && disable_plaintext_auth) { if (verbose_auth) { client_syslog(&client->common, "Login failed: " "STARTTLS not enabled"); } client->common.auth_attempts++; client_send_line(client, "* NO [ALERT] STARTTLS requires"); client_send_tagline(client, "NO STARTTLS required"); return 1; } -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20090115/f8839cbd/attachment-0002.bin>
Durk Strooisma
2009-Jan-15 16:10 UTC
[Dovecot] Enforcing STARTTLS for all mechs while disabling
Hi Timo,> Not possible currently.Okay.> Hmm. I don't want to add a new setting for this, but some existing one > could be updated/replaced.. Perhaps ssl_disable=required? Although that > sounds weird. Maybe deprecate that setting and have > ssl=yes/no/required.The setting "ssl" sounds fine. In case you're going to implement this feature, for which release would that be?> Anyway you could modify the sources pretty easily to do this. In > src/imap-login/client-authenticate.c function cmd_authenticate() add > before mech_name line something like: > > if (!client->common.secured && disable_plaintext_auth) { > if (verbose_auth) { > client_syslog(&client->common, "Login failed: " > "STARTTLS not enabled"); > } > client->common.auth_attempts++; > client_send_line(client, "* NO [ALERT] STARTTLS requires"); > client_send_tagline(client, "NO STARTTLS required"); > return 1; > }Thanks for the info! Durk
Reasonably Related Threads
- [checkpassword] I can't get a password from fd3
- Help needed with debugging auth command
- vpopmail, open_smtp_relay and non-PLAIN auth mechs
- [Bug 2982] New: gssapi_cleanup: supported mechs should be freed via gss_release_oid_set
- expire plugin with 1.2 cronjob undefined symbol: capability_string