Hi,

I would like to disable offering starttls to clients for certain dovecot services.

Background is that I want to let a load balancer do the TLS stuff right on connect time and let dovecot only do plain imap without offering starttls (because the clients do imaps actually). Getting rid of the starttls feature offering works only if I set ssl = no globally. Setting it in the service imap-login section seems to be impossible. If I set it globally to no though, I cannot use it in other services where it is needed like in the manage-sieve, where clients unfortunately only support starttls and no tls on connect.

Is there any way to configure dovecot to offer starttls for some services and for some not or is this just not supported currently?

Thanks
Björn
Try setting

login_trusted_networks = lb-ip/32

See https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks

Aki

> On 10/02/2020 15:38 Bjoern Jacke <lists2020@j3e.de> wrote:
>
> Hi,
>
> I would like to disable offering starttls to clients for certain dovecot
> services.
>
> Background is that I want to do let a load balancer do the TLS stuff
> right on connect time and let dovecot only do plain imap without
> offering starttls (because the clients do imaps actually). Getting rid
> of the starttls feature offering works only if I set ssl = no globally
> only. Setting it in the service imap-login section seems to be
> impossible. If I set it globally to no though, I cannot use it in other
> services where it is needed like in the manage-sieve, where clients
> unfortunately only support starttls and no tls on connect.
>
> Is there any way to configure dovecot to offer starttls for some
> services and for some not or is this just not supported currently?
>
> Thanks
> Björn

---
Aki Tuomi
Hi Aki,

On 10.02.20 17:03, Aki Tuomi wrote:
> Try setting
>
> login_trusted_networks = lb-ip/32
>
> See
> https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks

I do have login_trusted_networks set already. Along with the proxy protocol (haproxy_trusted_networks = lb-ip) I had to set login_trusted_networks to 0.0.0.0/0 actually, because the proxy protocol tells dovecot the real clients' IP address and that IP address is the one actually evaluated for login_trusted_networks. With the plain authentication being done inside the load balancer's TLS connection it is more or less obvious that this is needed in that case.

But those settings don't change the pity: ssl=no is globally required to make the starttls options disappear for imap-login - but with ssl=no globally I don't see a possibility to enable the starttls option for other services like managesieve for example.

Thanks
Björn
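As an added example that is not part of the thread, the following Python script parses the capability banners of an IMAP service and a ManageSieve service and reports, per service, whether STARTTLS is advertised and whether plaintext SASL authentication is offered. The banners embedded in it are constructed samples in the shape Dovecot and Pigeonhole greetings take; `read_greeting` fetches a live banner for a host and port you supply (the hostnames, ports and the function names are assumptions made for this example). Running it against each backend port directly, bypassing the load balancer, is the quickest way to confirm which services still advertise STARTTLS after a change to ssl or login_trusted_networks.

```python
import re
import socket

# Constructed sample greetings (not captured from any server in the thread).
# IMAP (RFC 3501): Dovecot puts the capability list in the greeting itself.
# ManageSieve (RFC 5804): one quoted capability per line, terminated by OK.
SAMPLES = {
    "imap-behind-lb": ("imap",
        "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
        "LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.\r\n"),
    "imap-starttls": ("imap",
        "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
        "LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.\r\n"),
    "sieve-starttls": ("sieve",
        '"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n'
        '"SIEVE" "fileinto reject envelope"\r\n'
        '"NOTIFY" "mailto"\r\n'
        '"SASL" ""\r\n'
        '"STARTTLS"\r\n'
        '"VERSION" "1.0"\r\n'
        'OK "Dovecot ready."\r\n'),
}


def imap_capabilities(greeting: str) -> set:
    """Return the capability tokens from an IMAP greeting, or an empty set."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(m.group(1).split()) if m else set()


def sieve_capabilities(greeting: str) -> dict:
    """Return {capability: value} from a ManageSieve greeting (value may be '')."""
    caps = {}
    for line in greeting.splitlines():
        line = line.strip()
        if line.startswith(("OK", "NO", "BYE")):
            break
        m = re.match(r'"([^"]+)"(?:\s+"([^"]*)")?', line)
        if m:
            caps[m.group(1)] = m.group(2) or ""
    return caps


def summarize(proto: str, greeting: str) -> dict:
    """Report whether STARTTLS is advertised and whether plaintext auth is offered."""
    if proto == "imap":
        caps = imap_capabilities(greeting)
        return {
            "starttls": "STARTTLS" in caps,
            # LOGINDISABLED means the server refuses LOGIN until TLS is up;
            # AUTH= tokens present before TLS mean SASL is usable in the clear.
            "plaintext_auth": "LOGINDISABLED" not in caps
            and any(c.startswith("AUTH=") for c in caps),
        }
    if proto == "sieve":
        caps = sieve_capabilities(greeting)
        return {
            "starttls": "STARTTLS" in caps,
            # An empty SASL list means no mechanism is offered before STARTTLS.
            "plaintext_auth": bool(caps.get("SASL", "").strip()),
        }
    raise ValueError(f"unknown protocol: {proto}")


def read_greeting(host: str, port: int, proto: str, timeout: float = 5.0) -> str:
    """Fetch a live greeting: IMAP is one line, ManageSieve ends with an OK line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("r", encoding="ascii", errors="replace")
        if proto == "imap":
            return f.readline()
        lines = []
        for line in f:
            lines.append(line)
            if line.startswith(("OK", "NO", "BYE")):
                break
        return "".join(lines)


def audit_samples() -> dict:
    """Summarize every constructed sample; the same shape works for live greetings."""
    return {name: summarize(proto, g) for name, (proto, g) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(f"{name:16} starttls={result['starttls']!s:5} "
              f"plaintext_auth={result['plaintext_auth']}")
    # Live use (hosts and ports are assumptions for this example):
    #   summarize("imap", read_greeting("backend.example.internal", 143, "imap"))
    #   summarize("sieve", read_greeting("backend.example.internal", 4190, "sieve"))
```

The "imap-behind-lb" sample is what a backend that has ssl = no and trusts the load balancer's network looks like from the inside: no STARTTLS, plaintext SASL offered. That is acceptable only on the segment between the load balancer and Dovecot, so the probe belongs in a check that runs from outside that segment as well, to catch a port that was exposed without the TLS hop in front of it.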