Displaying 20 results from an estimated 1070 matches for "starttls".

2018 Sep 17
2
Using both starttls and ssl in passdb on proxy results in timeouts
Hi List, I have a dovecot which proxies to different backends depending on an entry in a mysql-database. The mysql-query sets "ssl" to "any-cert" and this works fine. But this causes me a problem: sieve-backends only support STARTTLS and if I set "ssl" to "any-cert" (or yes), it will attempt a TLS-connection to the sieve-backends, which fails. My attempt was to alter the query to include %{real_lport} and return "ssl=no" and "starttls=any-cert" if the port matches the sieve-port. It works as expected in that it returns the co...
2016 Jul 14
5
controlling STARTTLS by IP address
On my POP3 server, I need to be able to control the use of STARTTLS by client IP address. Specifically: * Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have the option to use TLS. If the client tries to use STARTTLS, the option should be rejected. This is to satisfy US FCC rules regarding the use of encryption over certain radio frequencie...
2014 Dec 06
1
MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN
On 6 December 2014 13:10:58 CET, Reindl Harald <h.reindl at thelounge.net> wrote: > >On 06.12.2014 at 06:56, Jan Wide? wrote: >> If you add disable_plaintext_auth=yes ssl=required settings, then >> dovecot will drop authentication without STARTTLS. But damage will be >> done, client will send unencrypted (or in this scenario MD5 or SHA512 >> hash) login/password > >no, damage will *not* be done > >STARTTLS happens in context of connect and *long before* any >authentication is tried the handshake between client/serv...
2014 Aug 18
2
IMAP on 993/SSL or 143/STARTTLS?
Hi, I have a postfix+dovecot-2.2.13 system and have configured it to support IMAPS on 993 with SSL/TLS. I'm noticing with users using Thunderbird, the autodetect defaults to IMAPS on 143 with STARTTLS. Which is preferred? Which is more secure? Which is more common? Why would someone choose one over the other? Can I ask the same question about SMTP and submission? Why would one choose 587 with STARTTLS versus 465 with SSL/TLS? Thanks, Alex
2018 Sep 18
0
Using both starttls and ssl in passdb on proxy results in timeouts
I tried some more things, such as setting starttls=NULL or ssl=NULL, which does the same as setting it to "no". Interestingly, if I set ssl=NULL and don't set starttls at all, it still tries an SSL connection to the backend. Is there no way to use starttls or ssl depending on a variable? It could also be possible that I have starttls-backends and...
2009 Jan 15
3
Enforcing STARTTLS for all mechs while disabling imaps
Hi all, Is there a way to enforce STARTTLS for all connections, regardless their authentication mechanism? disable_plaintext_auth only takes care of the auth conversation, but I would like to have all communication encrypted. As far as I can see, this would only be possible when using imaps and disabling imap. However, I would like to have...
2017 Nov 23
3
Dovecot LMTP Proxy + STARTTLS?
Hi I got dovecot 2.2.26 on a Centos7 with latest updates. Dovecot is configured to act as director and delivers to my two backend servers. I enabled lmtp proxy on director to listen on port 24. Now I see in msg headers that the connection to the lmtp proxy uses STARTTLS but the connection from proxy to backend seems to be unencrypted. Is it possible to enforce the use of STARTTLS in the connection from the director to the backend as well? Regards tobi
2020 Feb 10
2
starttls for some services only
Hi, I would like to disable offering starttls to clients for certain dovecot services. Background is that I want to do let a load balancer do the TLS stuff right on connect time and let dovecot only do plain imap without offering starttls (because the clients do imaps actually). Getting rid of the starttls feature offering works only if I set...
2010 May 24
2
STARTTLS does not seem to work
I believe I have the configuration set to use START TLS on IMAP4 (143) and POP3 (110) ports. However, it does not seem to be working. Yet "STARTTLS" is listed as a capability (which tells me I probably do have it configured right). In the session below, 172.30.0.24 is the mail server I'm putting up. 64.26.60.229 is an outside mail service. A similar thing happens on POP3. The always-SSL/TLS ports (993 and 995) are working. There...
2013 Sep 12
1
Problem getting a dovecot proxy to connect to another dovecot machine via STARTTLS
...ssion will just hang until dovecot reaches a timeout. It will then disconnect me for inactivity. I can not find any information in the logs. To clarify, the dialog: Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready. a login atest at company.nl test123 * BYE Disconnected for inactivity. I have tried to use the following values in my proxy database: ssl='any-cert', starttls='Y' ssl='any-cert', starttls='any-cert' ssl=NULL, starttls='any-cert' H...
2007 Jan 11
2
STARTTLS: read error=generic SSL error (0)"
Hi All, I am running sendmail 8.12.8. I am getting the below error. [root at mail MailScanner]# tail -f /var/log/maillog Jan 11 11:20:40 mail sendmail[10646]: STARTTLS: read error=generic SSL error (0) Jan 11 11:20:41 mail last message repeated 22494 times Jan 11 11:20:41 mail sendmail[10646]: STARTTLS: read error=generic SSL error (0) Jan 11 11:20:41 mail last message repeated 8894 times Jan 11 11:20:41 mail sendmail[10646]: STARTTLS: read error=generic SSL erro...
2004 Jan 06
3
SSL and STARTTLS
I wanted to enable SSL on some alternate ports so that a limited number of people could try SSL access. But doing so enabled STARTTLS in IMAP, so that all IMAP users got surprised (at least those whose clients attempted to use it automatically). e.g.: # IP or host address where to listen in for SSL connections. Defaults # to above non-SSL equilevants if not specified. imaps_listen = *:xxxx pop3s_listen = *:yyyy...
2014 Dec 06
3
MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN
...>> >> 1) MD5-CRYPT password scheme storage with CRAM-MD5 auth mechanism >> 2) SHA512-CRYPT password scheme storage with PLAIN auth mechanism >> >> In my opinion the option 2) should be safer although it is using PLAIN auth >> mechanism. Of course I would always use STARTTLS and not allow unencrypted >> connection. > > That's not exactly a true statement, if you offer STARTTLS you are > optional on encryption, if you mean not allow unencrypted connections > then you are forcing TLS, not STARTTLS since the latter is designed to > accept unencrypted...
2019 Nov 06
2
Dovecot mangesieve proxy - internal failure
...ovecot.org> wrote: > > > I need a more detailed hint. Dovecot proxy IMAP is running fine, but how > to add to the same proxy managesieve support? > > I thought it's activated in the proxy: > protocols = imap sieve > > In the passdb proxy to the backends SSL or STARTTLS port successfully > for IMAP. What exactly missing for managesieve? > > Thanks! > > On 11/6/19 3:52 PM, Sami Ketola via dovecot wrote: > > Also those variables can't be returned from passdb as they are needed pre-auth. > > > > Sami > > > > > >...
2017 Aug 21
6
pop 110/995, imap 143/993 ?
If I read this correctly, starttls will fail due to the MITM attack. That is the client knows security has been compromised. Using SSL/TLS, the MITM can use SSL stripping. Since most Postfix conf use "may" for security, the message would go through unencrypted. Correct??? Is there something to enable for perfect forward se...
2017 Aug 21
2
pop 110/995, imap 143/993 ?
Lest anyone think STARTTLS MITM doesn't happen, https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/ Not only for security, I prefer port 993/995 as it's just plain simpler to initiate SSL from the get-go rather than to do some handshaking that gets you to the same point. Jo...
2007 Jan 12
1
Entourage X and Sendmail STARTTLS on CentOS 4.4
I have a user who has Mac OS 10.4.8 with Entourage X. The email server is sendmail 8.13.8 and is setup to use STARTTLS on a CentOS 4.4 system. It appears from everything I have googled that only Entourage 2004 will properly function with STARTTLS. Has anybody any experience with Entourage X ... specifically is there something I am missing regarding the CentOS server setup or are all Entourage prior to the 2004...
2017 Aug 20
4
pop 110/995, imap 143/993 ?
just setting a new Dovecot server to migrate from older system, but, I have a general question: 1. I've set the server with self issued cert, and both pop/imap StartTLS/110/143 SSL/993/995 (apologies if I'm using wrong naming terminology) is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or? my current understanding is that some (MS?) clients might not support StartTLS/143 ? so best to offer both ? I think? some...
2008 Apr 30
1
Avelsieve 1.9.7 and Dovecot/TLS
Hi, i'm installing a new mail server for our faculty and want to use the squirrelmail plugin 'avelsieve' (1.9.7). As documented on the dovecot wiki there is a problem in the STARTTLS code and i found a solution (that works for my installation): i've traced the server output in 'get_response' and instead of a script list i saw "IMPLEMENTATION". So i took a look at the file 'managesieve.lib.php' and the STARTTLS code: /* If we allow STARTTLS, u...
2019 Nov 06
2
Dovecot mangesieve proxy - internal failure
If i change it to: passdb { args = /etc/dovecot-proxy/dovecot-ldap-passdb.conf.ext default_fields = proxy=y host=server.intra.lan port=143 starttls=yes master=proxy pass=#hidden_use-P_to_show# driver = ldap } I still got the same error for managesieve. IMAP login works with both SSL/STARTTLS. On 11/6/19 3:19 PM, Aki Tuomi via dovecot wrote: > >> On 06/11/2019 16:15 telsch via dovecot <dovecot at dovecot.org> wrote: >>...