Op 13/01/2019 om 00:22 schreef Dominik Menke:>> For reference: if you put ssl=yes there, the TLS layer is established
>> immediately. However, the standard ManageSieve protocol does not
>> support that (not currently anyway): only the establishment of the
>> TLS layer using the STARTTLS command is part of the standard. That is
>> why your clients fail to connect: they're speaking plaintext while
>> the server is speaking TLS. Still, Dovecot supports configuring it
>> that way, which is what you did.
>>
>> Regards,
>>
>> Stephan.
>>
>>
>
>
> I'm just surprised that ssl=yes leads to STARTTLS being disabled, as
> per the wiki [1]:
With ssl=yes, the TLS layer is enabled immediately on the connection.
So, there is no need to perform STARTTLS. But worse, a client that
doesn't work this way will try to send "STARTTLS" in plaintext to
a
service talking TLS already. This will obviously not work.
Regards,
Stephan.
>
>
> > ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the
> > client, but the client isn't required to use it. [...]
> >
> > ssl=yes and disable_plaintext_auth=yes: SSL/TLS is offered to the
> > client, but the client isn't required to use it. [...]
> >
> > ssl=required: SSL/TLS is always required [...]. Any attempt to
> > authenticate before SSL/TLS is enabled will cause an authentication
> > failure.
>
>
> Maybe this bit needs to be clarified a bit? I think I've read that
> page a few times and it still didn't occur to me that this could be a
> problem.
>
> Best regards,
> --Dominik
>
>
> [1]: https://wiki.dovecot.org/SSL/DovecotConfiguration