Hello Timo,

is there a way, either in 1.2.x or in 2.x to activate

disable_plaintext_auth=yes

only for some address or network ?

The idea would be to enable clients from the internal networks to keep making
clear text connections while forbidding it to the rest of the world.

Thanks.

--
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau

On 05/07/2010 02:00 PM Thomas Hummel wrote:
> Hello Timo,
>
> is there a way, either in 1.2.x or in 2.x to activate
>
> disable_plaintext_auth=yes
>
> only for some address or network ?
>
> The idea would be to enable clients from the internal networks to keep making
> clear text connections while forbidding it to the rest of the world.
>
> Thanks.

By default "disable_plaintext_auth = yes" is set, in all Dovecot versions.
With Dovecot v2.0 you can put something like the following in your
dovecot.conf:

remote 192.168.111.0/24 {
  disable_plaintext_auth = no
}
remote fdfd:ffff:dddd::0/48 {
  disable_plaintext_auth = no
}

Testing the settings:

~ # doveconf disable_plaintext_auth
disable_plaintext_auth = yes
~ # doveconf -f rip=192.168.0.1 disable_plaintext_auth
disable_plaintext_auth = yes
~ # doveconf -f rip=fdfd:ffff:dddd::abcd disable_plaintext_auth
disable_plaintext_auth = no
~ # doveconf -f rip=192.168.111.234 disable_plaintext_auth
disable_plaintext_auth = no

The dovecot.conf for v2.0 contains also:

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks

Regards,
Pascal
--
The trapper recommends today: 5e1f1e55.1012716 at localdomain.org

On Fri, May 7, 2010 at 10:26, Pascal Volk
<user+dovecot at localhost.localdomain.org> wrote:
>
> By default "disable_plaintext_auth = yes" is set, in all Dovecot
> versions.
> With Dovecot v2.0 you can put something like the following in your
> dovecot.conf:
>
> remote 192.168.111.0/24 {
>   disable_plaintext_auth = no
> }
> remote fdfd:ffff:dddd::0/48 {
>   disable_plaintext_auth = no
> }
>

Do these "remote sections" need to be in a specific place in the config
file, or can they just be put where the (global) disable_plaintext_auth is
located?

Do you know if the remote address gets passed from Postfix on to Dovecot
through the authentication connection (when Dovecot is doing the
authentication for Postfix mail submission) so that these same remote rules
apply?

On Fri, May 07, 2010 at 04:26:47PM +0200, Pascal Volk wrote:
> With Dovecot v2.0 you can put something like the following in your
> dovecot.conf:
>
> remote 192.168.111.0/24 {
>   disable_plaintext_auth = no
> }
> remote fdfd:ffff:dddd::0/48 {
>   disable_plaintext_auth = no
> }

Thanks. I have to look further in what is allowed to go into those sections.
But in the case of disabling/enabling STARTTLS, this is indeed what I need.

--
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau

On 05/07/2010 04:36 PM Thomas Hummel wrote:
> On Fri, May 07, 2010 at 04:26:47PM +0200, Pascal Volk wrote:
>
>> remote 192.168.111.0/24 {
>>   disable_plaintext_auth = no
>> }
>> remote fdfd:ffff:dddd::0/48 {
>>   disable_plaintext_auth = no
>> }
>
> Thanks. I have to look further in what is allowed to go into those sections.
> But in the case of disabling/enabling STARTTLS, this is indeed what I need.

remote 192.168.111.0/24 {
  disable_plaintext_auth = no
  ssl = no
}

~ # doveconf -f rip=192.168.111.234 ssl
ssl = no
~ # doveconf ssl
ssl = yes

Regards,
Pascal
--
The trapper recommends today: 5e1f1e55.1012716 at localdomain.org
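
The doveconf spot checks run by hand in the thread can be kept as a repeatable check, so that a later config change that widens a remote block is caught. This is an added example, not part of the thread or of Dovecot; the function names, the DOVECONF override and the sample_doveconf stand-in (constructed to replay the outputs shown above) are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the thread. DOVECONF may name a stand-in command
# for offline runs (an assumption of this example); default is the real binary.
DOVECONF=${DOVECONF:-doveconf}

# Print the value doveconf resolves for SETTING for a client at REMOTE_IP.
# Relies on the "name = value" output format shown in the thread.
effective_setting() {   # usage: effective_setting REMOTE_IP SETTING
    "$DOVECONF" -f "rip=$1" "$2" | sed -n "s/^$2 = //p"
}

# Read "REMOTE_IP SETTING EXPECTED" rows on stdin, report each mismatch on
# stderr, and return non-zero if any row differs or doveconf printed nothing.
audit_policy() {
    audit_bad=0
    while read -r audit_ip audit_name audit_want; do
        case $audit_ip in ''|'#'*) continue ;; esac
        audit_got=$(effective_setting "$audit_ip" "$audit_name")
        if [ "$audit_got" != "$audit_want" ]; then
            echo "MISMATCH rip=$audit_ip $audit_name: want '$audit_want', got '$audit_got'" >&2
            audit_bad=$((audit_bad + 1))
        fi
    done
    [ "$audit_bad" -eq 0 ]
}

# Constructed stand-in that replays the disable_plaintext_auth answers shown
# in the thread. Invoked like doveconf: sample_doveconf -f rip=IP SETTING
sample_doveconf() {
    [ "$3" = disable_plaintext_auth ] || return 1
    case ${2#rip=} in
        192.168.111.*|fdfd:ffff:dddd:*) echo "$3 = no" ;;
        *) echo "$3 = yes" ;;
    esac
}

# Policy from the thread: plaintext auth stays disabled except for the two
# internal networks.
thread_policy() {
    audit_policy <<'EOF'
192.168.0.1           disable_plaintext_auth yes
192.168.111.234       disable_plaintext_auth no
fdfd:ffff:dddd::abcd  disable_plaintext_auth no
EOF
}
```

To try it offline, set DOVECONF=sample_doveconf and call thread_policy. On a Dovecot v2.0 host, leave DOVECONF unset and add rows for the external addresses that must keep resolving to yes.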