Charles Marcus
2014-Jan-03 13:32 UTC
[Dovecot] Allow both SSL/993 and STARTTLS/143 connections (secure only)
Hi all,
Ok, up until now, I've only always allowed IMAPS connections to dovecot
on port 993.
I want to also start allowing clients to user port143+STARTTLS, but I
walso want to make sure both ports are locked down to ONLY allow secure
connections.
So... is disable_plaintext_auth = yes in the main config enough to
accomplish this?
http://wiki2.dovecot.org/SSL/DovecotConfiguration says:
There are a couple of different ways to specify when SSL/TLS is required:
*
disable_plaintext_auth=yes allows plaintext authentication
<http://wiki2.dovecot.org/Authentication/Mechanisms> only when
SSL/TLS is used first.
*
ssl = required requires SSL/TLS also for non-plaintext
authentication <http://wiki2.dovecot.org/Authentication/Mechanisms>.
*
If you have only plaintext mechanisms enabled
(auth { mechanisms = plain login } ), you can use either (or both)
of the above settings. They behave exactly the same way then
and the comments in 10-auth.conf say:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
These seem to be saying that all I need to do is set either or both
(ssl-required and/or disable_plaintext_auth=yes).
I'm looking for the simplest, and don't like redundant/unnecessary
settings, so... which is the best/preferred way?
And what is the difference between ssl=required and
disable_plaintext_auth=yes?
Thanks,
--
Best regards,
*/Charles/***
Charles Marcus
2014-Jan-03 15:08 UTC
[Dovecot] Allow both SSL/993 and STARTTLS/143 connections (secure only)
On 2014-01-03 8:32 AM, Charles Marcus <CMarcus at Media-Brokers.com> wrote:> > Ok, up until now, I've only always allowed IMAPS connections to > dovecot on port 993. > > I want to also start allowing clients to user port143+STARTTLS, but I > walso want to make sure both ports are locked down to ONLY allow > secure connections.And I just had an idea, but don't know if it is possible. Can I offer one namespace on one port (ie, SSL/993), and a different namespace on the other port (STARTTLS/143)? This would be a simple and effective way to migrate users from one namespace to another... have them change both the port/security setting and the namespace prefix at the same time, then restart the client... boom. And this suggests it is possible: http://wiki2.dovecot.org/Namespaces The section name in namespaces (e.g. namespace sectionname { .. } is used only internally within configuration. It's not required at all, but it allows you to update an existing namespace (like how 15-mailboxes.conf does) or have userdb override namespace settings for specific users (namespace/sectionname/prefix=foo/). But the question is, how exactly to implement it, and I can't see from the docs exactly how to go about it. -- Best regards, */Charles/*