Hi,

I am trying to find a nice way to identify dovecot clients that are still configured to use port 143 to connect to our mailserver, from the dovecot logs. I would then ask them to move over to 993, and finally disable port 143 altogether.

When looking at the dovecot logs, it seems this is not logged in any obvious way.

Of course I could use netflow etc., but that would not give us usernames, only IPs, etc.

So, is there a nice way to somehow indicate in the dovecot logs if a client connected on 143 or on 993?

Thanks!
> On 25/05/2020 21:48 mj <lists at merit.unu.edu> wrote:
>
> Hi,
>
> I am trying to find a nice way to identify dovecot clients that are
> still configured to use port 143 to connect to our mailserver, from the
> dovecot logs.
> I would then ask them to move over to 993, and finally disable port 143
> altogether.
>
> When looking at the dovecot logs, it seems this is not logged in any
> obvious way.
>
> Of course I could use netflow etc, but that would not give us usernames,
> but IP's, etc.
>
> So, is there a nice way to somehow indicate in the dovecot logs, if a
> client connected on 143 or on 993?
>
> Thanks!

You could use https://doc.dovecot.org/settings/core/#login-log-format-elements to log this.

Aki
On 25/05/2020 20:52, Aki Tuomi wrote:
> You could use
> https://doc.dovecot.org/settings/core/#login-log-format-elements
> to log this.

Yes! Perfect! Thanks! :-)
On 26 May 2020 4:48:51 AM AEST, mj <lists at merit.unu.edu> wrote:
> I would then ask them to move over to 993, and finally disable port 143
> altogether.

Jumping in here with a question: if I use 143 with STARTTLS, and force TLS/SSL in the configuration, that's equivalent from a security POV, isn't it? And the same for 110 with STARTTLS? Or am I missing something?

thanks,
V
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Hi,

On 25/05/2020 23:04, Voytek wrote:
> jumping here with a question, if I use 143 with STARTTLS, and, force
> TLS/SSL in configuration, that's equivalent from security POV, isn't
> it? and, same for 110 STARTTLS? Or am I missing something?

Interesting point. After some googling, I think you are right, and as long as we have set "disable_plaintext_auth = yes" (and we have that) we should be fine keeping 143 open. Right?

One doubt I had: "disable_plaintext_auth = yes" sounds as if only the authentication part is secured and the rest is kept plain text, whereas with 993/SSL *everything* would be encrypted? Or am I missing something? (Then perhaps someone can point it out?)

Thanks,
MJ
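The following script is an added example, not code from this thread or from the Dovecot project. It ties Aki's pointer to `login_log_format_elements` together with MJ's STARTTLS doubt: it assumes the login log format has been extended with an element such as `lport=%a` (the local-port login variable described in the linked Dovecot documentation; the `lport` label is a chosen name) and that the default `%c` element prints `TLS` on a login line when the session is encrypted. Parsing both fields at once separates three cases that matter for the migration: logins on 993 (implicit TLS), logins on 143 that upgraded with STARTTLS (the whole session is encrypted after the upgrade, not only the authentication), and logins on 143 or 110 with no `TLS` marker at all, which are the clients that actually need chasing. The log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread). They assume
# login_log_format_elements contains "lport=%a" in addition to the
# default elements, so each login line carries the local port.
SAMPLE_LOG = """\
May 25 21:48:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, lport=993, mpid=1201, TLS, session=<a1>
May 25 21:49:12 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.6, lip=198.51.100.2, lport=143, mpid=1202, TLS, session=<b1>
May 25 21:50:33 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, lport=143, mpid=1203, session=<c1>
May 25 21:51:00 mail dovecot: pop3-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.8, lip=198.51.100.2, lport=110, mpid=1204, TLS, session=<d1>
May 25 21:52:00 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.9, lip=198.51.100.2, lport=143, session=<e1>
"""

# Only successful logins carry a username worth contacting; disconnects are skipped.
LOGIN_RE = re.compile(r"(?P<service>imap|pop3)-login: Login: (?P<fields>.*)$")


def parse_login(line):
    """Return a dict for a 'Login:' line, or None for any other line.

    The element list is comma-separated; key=value elements are split,
    while the bare "TLS"/"secured" token produced by %c marks encryption.
    """
    m = LOGIN_RE.search(line)
    if not m:
        return None
    rec = {"service": m.group("service"), "user": None, "rip": None,
           "lport": None, "tls": False}
    for part in m.group("fields").split(", "):
        part = part.strip()
        if part.startswith("TLS") or part == "secured":
            rec["tls"] = True
            continue
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        value = value.strip("<>")
        if key == "lport":          # assumed element name, see lead-in
            rec["lport"] = int(value)
        elif key in ("user", "rip"):
            rec[key] = value
    return rec


def users_by_port(lines):
    """Map each local port to the set of users who logged in on it."""
    result = defaultdict(set)
    for line in lines:
        rec = parse_login(line)
        if rec and rec["lport"] is not None and rec["user"]:
            result[rec["lport"]].add(rec["user"])
    return dict(result)


def plaintext_logins(lines):
    """Logins with no TLS marker at all: the sessions that are actually unencrypted."""
    found = []
    for line in lines:
        rec = parse_login(line)
        if rec and not rec["tls"]:
            found.append((rec["user"], rec["rip"], rec["lport"]))
    return found


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for port, users in sorted(users_by_port(lines).items()):
        print(f"port {port}: {', '.join(sorted(users))}")
    for user, rip, port in plaintext_logins(lines):
        print(f"UNENCRYPTED login: user={user} from {rip} on port {port}")
```

Run it against `/var/log/dovecot.log` (or the mail journal) instead of the embedded sample once the extra element is in place. Note that with `ssl = required` and `disable_plaintext_auth = yes` a 143 login line still appears with `TLS`, because the upgrade happens before authentication; only the lines without that marker indicate a client sending the session in the clear.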
On 25 May 2020, at 12:48, mj <lists at merit.unu.edu> wrote:
> I would then ask them to move over to 993, and finally disable port 143 altogether.

From personal experience the only way to do this is to stop listening on port 143. I dropped support for non-encrypted mail ports ages ago, and I didn't get a single user to switch from 143 to 993 until I disabled 143.

Send an email to your users, "You must make this change by (date+2 days)", and then drop port 143 in 2 days as promised. If you have a web server, put a large red box on it, "Can't login?", with a link to the email you sent.

(And do not allow users to send mail unencrypted either; force them to use 587 or 465 by not accepting user mail on port 25.)

--
This is Art holding a Mirror up to Life. That's why everything is exactly the wrong way around. --Wyrd Sisters