Displaying 20 results from an estimated 1085 matches for "starttls".
2018 Sep 17
2
Using both starttls and ssl in passdb on proxy results in timeouts
Hi List,
I have a dovecot which proxies to different backends depending on an entry in a mysql-database. The mysql-query sets ?ssl? to ?any-cert? and this works fine. But this causes me a problem: sieve-backends only support STARTTLS and if I set ?ssl? to ?any-cert? (or yes), it will attempt a TLS-connection to the sieve-backends, which fails.
My attempt was to alter the query to include %{real_lport} and return ?ssl=no? and ?starttls=any-cert? if the port matches the sieve-port. It works as expected in that it returns the co...
2016 Jul 14
5
controlling STARTTLS by IP address
On my POP3 server, I need to be able to control the use of STARTTLS by
client IP address. Specifically:
* Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have
the option to use TLS. If the client tries to use STARTTLS, the option
should be rejected. This is to satisfy US FCC rules regarding the use of
encryption over certain radio frequencie...
2014 Dec 06
1
MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN
Am 6. Dezember 2014 13:10:58 MEZ, schrieb Reindl Harald <h.reindl at thelounge.net>:
>
>Am 06.12.2014 um 06:56 schrieb Jan Wide?:
>> If you add disable_plaintext_auth=yes ssl=required settings, then
>> dovecot will drop authentication without STARTTLS. But damage will be
>> done, client will send unencrypted (or in this scenario MD5 or SHA512
>> hash) login/password
>
>no, damage will *not* be done
>
>STARTTLS happens in context of connect and *log before* any
>authentication is tried the handshake between client/serv...
2014 Aug 18
2
IMAP on 993/SSL or 143/STARTTLS?
Hi,
I have a postfix+dovecot-2.2.13 system and have configured it to support
IMAPS on 993 with SSL/TLS. I'm noticing with users using Thunderbird, the
autodetect defaults to IMAPS on 143 with STARTTLS.
Which is preferred? Which is more secure? Which is more common?
Why would someone choose one over the other?
Can I ask the same question about SMTP and submission? Why would one choose
587 with STARTTLS versus 465 with SSL/TLS?
Thanks,
Alex
2018 Sep 18
0
Using both starttls and ssl in passdb on proxy results in timeouts
I tried some more things, such as setting starttls=NULL or ssl=NULL, which does the same as setting it to ?no?. Interestingly, if I set ssl=NULL and don?t set starttls at all, it still tries an SSL connection to the backend.
Is there no way to use starttls or ssl depending on a variable? It could also be possible that I have starttls-backends and...
2009 Jan 15
3
Enforcing STARTTLS for all mechs while disabling imaps
Hi all,
Is there a way to enforce STARTTLS for all connections, regardless their
authentication mechanism? disable_plaintext_auth only takes care of the auth
conversation, but I would like to have all communication encrypted.
As far as I can see, this would only be possible when using imaps and
disabling imap. However, I would like to have...
2017 Nov 23
3
Dovecot LMTP Proxy + STARTTLS?
Hi
I got dovecot 2.2.26 on a Centos7 with latest updates. Dovecot is
configured to act as director and delivers to my two backend servers.
I enabled lmtp proxy on director to listen on port 24.
Now I see in msg headers that the connection to the lmtp proxy uses
STARTTLS but the connection from proxy to backend seems to be
unencrypted. Is it possible to enforce the use of STARTTLS in the
connection from the director to the backend as well?
Regards
tobi
2020 Feb 10
2
starttls for some services only
Hi,
I would like to disable offering starttls to clients for certain dovecot
services.
Background is that I want to do let a load balancer do the TLS stuff
right on connect time and let dovecot only do plain imap without
offering starttls (because the clients do imaps actually). Getting rid
of the starttls feature offering works only if I set...
2010 May 24
2
STARTTLS does not seem to work
I believe I have the configuration set to use START TLS on IMAP4 (143)
and POP3 (110) ports. ?However, it does not seem to be working. ?Yet
"STARTTLS" is listed as a capability (which tells me I probably do
have it configured right).
In the session below, 172.30.0.24 is the mail server I'm putting up.
64.26.60.229 is an outside mail service. A similar thing happens on
POP3. The always-SSL/TLS ports (993 and 995) are working. There...
2013 Sep 12
1
Problem getting a dovecot proxy to connect to another dovecot machine via STARTTLS
...ssion will just hang until dovecot reaches a timeout. It will
then disconnect me for inactivity. I can not find any information in the
logs.
To clarify, the dialog:
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
STARTTLS AUTH=PLAIN] Dovecot ready.
a login atest at company.nl test123
* BYE Disconnected for inactivity.
I have tried to use the following values in my proxy database:
ssl='any-cert', starttls='Y'
ssl='any-cert', starttls='any-cert'
ssl=NULL, starttls='any-cert'
H...
2007 Jan 11
2
STARTTLS: read error=generic SSL error (0)"
Hi All,
I am runnig sendmail 8.12.8. I am getting the below error.
[root at mail MailScanner]# tail -f /var/log/maillog
Jan 11 11:20:40 mail sendmail[10646]: STARTTLS: read error=generic SSL error
(0)
Jan 11 11:20:41 mail last message repeated 22494 times
Jan 11 11:20:41 mail sendmail[10646]: STARTTLS: read error=generic SSL error
(0)
Jan 11 11:20:41 mail last message repeated 8894 times
Jan 11 11:20:41 mail sendmail[10646]: STARTTLS: read error=generic SSL erro...
2004 Jan 06
3
SSL and STARTTLS
I wanted to enable SSL on some alternate ports so that a limited number
of people could try SSL access. But doing so enabled STARTTLS in
IMAP, so that all IMAP users got surprised (at least those whose
clients attempted to use it automatically).
e.g.:
# IP or host address where to listen in for SSL connections. Defaults
# to above non-SSL equilevants if not specified.
imaps_listen = *:xxxx
pop3s_listen = *:yyyy...
2014 Dec 06
3
MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN
...t;>
>> 1) MD5-CRYPT password scheme storage with CRAM-MD5 auth mechanism
>> 2) SHA512-CRYPT password scheme storage with PLAIN auth mechanism
>>
>> In my opinion the option 2) should be safer although it is using PLAIN auth
>> mechanism. Of course I would always use STARTTLS and not allow unencrypted
>> connection.
>
> Thats not exactly a true statement, if you offer STARTTLS you are
> optional on encryption, if you mean not allow unencrypted connections
> then you are forcing TLS, not STARTTLS since the latter is designed to
> accept unencrypted...
2019 Nov 06
2
Dovecot mangesieve proxy - internal failure
...ovecot.org> wrote:
>
>
> I need a more detailed hint. Dovecot proxy IMAP is running fine, but how
> to add to the same proxy managesieve support?
>
> I thougt it's activated in the proxy:
> protocols = imap sieve
>
> In the passdb proxy to the backends SSL or STARTTLS port successfully
> for IMAP. What exactly missing for managesieve?
>
> Thanks!
>
> On 11/6/19 3:52 PM, Sami Ketola via dovecot wrote:
> > Also those variables can't be returned from passdb as they are needed pre-auth.
> >
> > Sami
> >
> >
> >...
2017 Aug 21
6
pop 110/995, imap 143/993 ?
If I read this correctly, starttls will fail due to the MITM attack. That is the client knows security has been compromised. Using SSL/TLS, the MITM can use SSL stripping. Since most Postifx conf use "may" for security, the message would go though unencrypted. Correct???
Is there something to enable for perfect forward se...
2017 Aug 21
2
pop 110/995, imap 143/993 ?
Lest anyone think STARTTLS MITM doesn't happen,
https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/
Not only for security, I prefer port 993/995 as it's just plain simpler
to initiate SSL from the get-go rather than to do some handshaking that
gets you to the same point.
Jo...
2007 Jan 12
1
Entourage X and Sendmail STARTTLS on CentOS 4.4
I have a user who has Mac OS 10.4.8 with Entourage X. The email server
is sendmail 8.13.8 and is setup to use STARTTLS on a CentOS 4.4 system.
It appears from everything I have googled that only Entourage 2004 will
properly function with STARTTLS. Has anybody any experience with
Entourage X ... specifically is there something I am missing regarding
the CentOS server setup or are all Entourage prior to the 2004...
2017 Aug 20
4
pop 110/995, imap 143/993 ?
just setting a new Dovecot server to migrate from older system, but, I
have a general question:
1. I've set the server with self issued cert, and both pop/imap
StartTLS/110/143 SSL/993/995 (apologies if I'm using wrong naming
terminology)
is there a 'preferred way'? should I tell users to use 143 over 993 ? or
993 over 143? or?
my current understanding is that some (MS?) clients might not support
StartTLS/143 ? so best to offer both ?
I think? some...
2008 Apr 30
1
Avelsieve 1.9.7 and Dovecot/TLS
Hi,
i'm installing a new mail server for our faculty and want to use
the squirrelmail plugin 'avelsieve' (1.9.7). As documented on the
dovecot wiki there is a problem in the STARTTLS code and i
found a solution (that works for my installation):
i've traced the server output in 'get_response' and instead of
a script list i saw "IMPLEMENTATION". So i took a look at
the file 'managesieve.lib.php' and the STARTTLS code:
/* If we allow STARTTLS, u...
2019 Nov 06
2
Dovecot mangesieve proxy - internal failure
If i change it to:
passdb {
args = /etc/dovecot-proxy/dovecot-ldap-passdb.conf.ext
default_fields = proxy=y host=server.intra.lan port=143 starttls=yes
master=proxy pass=#hidden_use-P_to_show#
driver = ldap
}
I still got the same error for mangesieve. IMAP login works with both
SSL/STARTTLS.
On 11/6/19 3:19 PM, Aki Tuomi via dovecot wrote:
>
>> On 06/11/2019 16:15 telsch via dovecot <dovecot at dovecot.org> wrote:
>>...