Darren Pilgrim
2013-Mar-17 23:22 UTC
[Dovecot] Dovecot not obeying disable_plaintext_auth = yes and how to force/disable encryption
I'm using Dovecot 2.1.15. I need to require encryption and only secure
auth on public addresses, but allow plaintext auth over an unencrypted
connection on localhost.
I have so far (excerpts from `doveconf -a`):
auth_mechanisms = cram-md5 plain
disable_plaintext_auth = yes
listen
service imap-login {
  inet_listener imap-local {
    address = ::1
    port = 143
    ssl = no
  }
  inet_listener imap-pub {
    address = 2001:db8::1
    port = 993
    ssl = yes
  }
}
service managesieve-login {
  inet_listener sieve-local {
    address = ::1
    port = 4190
    ssl = no
  }
  inet_listener sieve-pub {
    address = 2001:db8::1
    port = 4190
    ssl = no
  }
}
The ssl option only seems to switch the inet_listener between using a
secure socket and using STARTTLS. How do I tell a given inet_listener
to do neither? How do I tell a given inet_listener to require STARTTLS
before allowing AUTH/SASL?
I would prefer to offer only CRAM-MD5 on the UGA/public ports, and only
PLAIN or at least also PLAIN on localhost. I tried adding
auth_mechanisms lines to each inet_listener block, but got parse errors.
How do I do this?
Dovecot seems to ignore disable_plaintext_auth = yes:
# telnet 2001:db8::1 4190
Trying 2001:db8::1...
Connected to host.example.com.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"SASL" "CRAM-MD5 PLAIN"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
--
Please reply on list.
Darren Pilgrim
2013-Mar-18 01:24 UTC
[Dovecot] [solved] Dovecot not obeying disable_plaintext_auth = yes and how to force/disable encryption
I figured this out. I was testing Dovecot from the machine running Dovecot. I didn't know that when the client address is a local address (even if it's a public one), Dovecot treats the connection as if it were localhost. I also did not know that Dovecot automatically ignores ssl = required and disable_plaintext_auth = yes for localhost connections. As this renders pretty much my entire email moot, we can call this one solved. :)
--
Please reply on list.
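The thread's lesson is that a test run on the Dovecot host itself says nothing about what remote clients see, because connections from the server's own addresses are treated as already secured. The following is an added example, not code from the thread or from the Dovecot project: a small audit script that reads a ManageSieve greeting (the same capability block quoted in the first post, embedded here as a constructed sample) and reports whether PLAIN or LOGIN is advertised before STARTTLS. `fetch_greeting` is the optional network helper for running the same check against a live listener from a host other than the server; the host and port it takes are assumptions for illustration.

```python
"""Check a ManageSieve (RFC 5804) greeting for plaintext SASL offered pre-TLS.

Added example for the Dovecot thread above; it is not Dovecot code. The
important operational detail from the second post: run fetch_greeting()
from a machine that is NOT the Dovecot server, otherwise the connection is
treated as local and disable_plaintext_auth is not applied.
"""
import re
import socket

# Constructed sample: the greeting quoted in the first post, with the
# wrapped "SIEVE" line re-joined onto one logical line.
SAMPLE_GREETING = '''"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"SASL" "CRAM-MD5 PLAIN"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
'''

# One capability line: "NAME" or "NAME" "value"
CAP_RE = re.compile(r'^"([^"]+)"(?:\s+"([^"]*)")?\s*$')

# Mechanisms that send the credential (or a trivially decodable form of it)
# over the wire and therefore must only be offered once TLS is up.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_greeting(text):
    """Map capability name -> value ('' for bare capabilities like STARTTLS).

    Parsing stops at the OK/NO/BYE response that terminates the greeting.
    """
    caps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.split(" ", 1)[0] in ("OK", "NO", "BYE"):
            break
        m = CAP_RE.match(line)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps


def plaintext_auth_offered(caps):
    """Sorted list of plaintext mechanisms present in the SASL capability."""
    offered = set(caps.get("SASL", "").upper().split())
    return sorted(offered & PLAINTEXT_MECHS)


def assess(caps, connection_encrypted=False):
    """Return human-readable findings for a greeting read on a plain socket.

    connection_encrypted=True models a greeting read after STARTTLS or on an
    implicit-TLS port, where offering PLAIN is acceptable.
    """
    findings = []
    weak = plaintext_auth_offered(caps)
    if weak and not connection_encrypted:
        findings.append(
            "plaintext mechanisms %s advertised before TLS" % ", ".join(weak))
    if "STARTTLS" not in caps and not connection_encrypted:
        findings.append("STARTTLS not advertised on an unencrypted listener")
    return findings


def fetch_greeting(host, port=4190, timeout=5.0):
    """Connect on a plain socket and read the greeting through its OK line.

    Run this from a remote host: the thread's own finding is that a test from
    the server's own address is treated as localhost and proves nothing.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        while not re.search(rb"(?m)^(OK|NO|BYE)\b.*\r?\n", buf):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_greeting("host.example.com") for a live check from a remote host.
    capabilities = parse_greeting(SAMPLE_GREETING)
    for finding in assess(capabilities):
        print("FINDING:", finding)
    if not assess(capabilities):
        print("OK: no plaintext mechanisms offered before TLS")
```

On the sample greeting the script reports that PLAIN is advertised before TLS, which is exactly what the first post observed; the point of running it from a second machine is to tell apart a genuine misconfiguration from the localhost exemption described in the solved post.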