Displaying 20 results from an estimated 10000 matches similar to: "TLS handshake issue"
2018 Nov 14
3
different TLS protocols on different ports
Hello,
I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So I've to enable TLS1.0 up to TLS1.3
For IMAPS / port 993 I like to enable TLS1.2 and TLS1.3 only.
Is this possible with dovecot-2.2.36 / how to setup this?
Thanks for suggestions,
Andreas
2018 Oct 06
1
TLS handshake failure - Client Helo rejected
Hi,
I can no longer connect to Dovecot (IMAP). The connection is terminated
by Dovecot after Client Hello.
My server:
Dovecot 2.3.3
Debian buster/sid
Architecture: ppc
My problems started in late August after upgrading Dovecot.
SSL settings:
ssl_dh = </etc/ssl/dh2048.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list =
2014 Jan 14
1
SSL/TLS handshake stays forever without timeout
Hi,
I am a system admin and I am evaluating using dovecot as our email server. In my test, I found that if I telnetted to port 993 and did not do anything, or I telnetted to port 143, sent the starttls command and then did not do anything, the connection stayed forever without timeout. This will make our mail server vulnerable to a DoS attack. I dug into the dovecot Wiki and did not find any solution. This
2017 Aug 21
6
pop 110/995, imap 143/993 ?
If I read this correctly, starttls will fail due to the MITM attack. That is the client knows security has been compromised. Using SSL/TLS, the MITM can use SSL stripping. Since most Postfix conf use "may" for security, the message would go through unencrypted. Correct???
Is there something to enable for perfect forward security with starttls?
Original Message
From: s.arcus at
2014 Sep 10
1
Dovecot can't read mail, creates duplicate directories
CentOS 6.5, dovecot 2.0.9-7
I used http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/ to
configure LDAP authentication for postfix and dovecot.
I can log in to dovecot via IMAP, but it cannot read messages. It does
wind up creating alternate directories though:
[joliver at localhost ~]$ sudo ls -l /var/vmail/
total 8
drwx------. 3 vmail vmail 4096 Sep 10 15:00 testuser1
drwx------. 3
2010 Mar 29
2
Problem with IMAP on port 993
This is probably a misconfiguration of my MUA; however, I thought I
would ask here first.
I am using IMAP with Dovecot. Claws-mail is my MUA. Now, when fetching
mail via port 143, everything works fine:
Mar 29 10:33:00 imap-login: Info: Login: user=<user at domain.net>, method=CRAM-MD5, rip=127.0.0.1, lip=127.0.0.1, TLS
However, when I attempt to fetch mail via port 993, I get this
2014 Jun 26
1
TLS/SSL for Win8 & Outlook
On Thu, 26 Jun 2014, Adi Kriegisch wrote:
>
>>> I am struggling with the same issue for some time now: win8/outlook isn't
>>> able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
>>> outlook side of things is 0x800CCC0E which is really helpful.
>>
>> A listing of all of Window's
2014 May 07
1
TLS/SSL for Win8 & Outlook
Hello
I recently upgraded to dovecot 2.1.7 (as supplied with Debian Wheezy).
All clients work as expected except for Outlook (2013 & 2010) on Win8
with an SSL/TLS connection. (Thunderbird on Win8 and Outlook 2013 on
Win 7 work fine. On my previous dovecot version 1.2.13 all clients
worked.)
As far as I understand, one difference is the support for
2018 Nov 14
3
different TLS protocols on different ports
On Wed, 14 Nov 2018, Aki Tuomi wrote:
>> I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So
>> I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to
>> enable TLS1.2 and TLS1.3 only.
>>
>> Is this possible with dovecot-2.2.36 / how to setup this?
>
> Not possible I'm afraid.
("Not possible" = challenge!)
2011 Feb 02
1
STARTTLS problem
Hi,
We try to configure dovecot as usual (all our servers have
dovecot+vpopmail+qmail or postfix).
We set up dovecot with the next outcome:
- imap ok
- imaps ok
- imap STARTTLS NOT OK
Debug:
root at s13:/home/lucas# gnutls-cli --starttls -p 143 ip
Resolving 'ip'...
Connecting to 'ip'...
- Simple Client Mode:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
2012 Jan 11
3
proxy, managesieve and ssl?
Hello,
On a dovecot 2.0.14 proxy, I found that proxying managesieve works well
when using 'starttls' option in pass_attrs, but does not work when using
'ssl' option. The backend server is also dovecot 2.0.14; when using the
ssl option, it reports "no auth attempts" in the logs about
managesieve-login, and meanwhile the MUA, Thunderbird with sieve plugin,
reports
2007 Apr 10
1
"TLS handshake" errors, frozen IMAP
Another new issue has cropped up with my rc1 -> rc31 upgrade:
This morning, right around the typical morning email surge, Dovecot
stopped accepting new IMAP connections. I didn't get a chance to do
much troubleshooting and a restart of Dovecot fixed it. The only
thing I've been able to find in the logs is a bunch of entries like
this one:
Apr 10 09:11:36 cliff dovecot: imap-login:
2018 Dec 18
4
Apple mail fails with Submission
> On 18 December 2018 at 02:30 Adi Pircalabu via dovecot <dovecot@dovecot.org> wrote:
2006 Aug 16
1
help debugging TLS
hi,
i've built dovecot latest cvs on OSX 10.4.7. i'm making a 1st attempt @
trying/failing to get TLS operation up-n-running ...
my install's OK:
Install prefix ...................... : /usr/local/dovecot
File offsets ........................ : 64bit
I/O loop method ..................... : poll
File change notification method
2018 Dec 18
3
Apple mail fails with Submission
Postfix debug peer logging
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: >
server.example.org[XX.XX.XX.XX]:
250 2.1.5 Ok
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: watchdog_pat:
0x55ef4ec020180
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: vstream_fflush_some:
fd 10 flush 28
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]:
vstream_buf_get_ready: fd 10 got 15
Dec
2017 Aug 21
2
pop 110/995, imap 143/993 ?
Lest anyone think STARTTLS MITM doesn't happen,
https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/
Not only for security, I prefer port 993/995 as it's just plain simpler
to initiate SSL from the get-go rather than to do some handshaking that
gets you to the same point.
Joseph Tam <jtam.home at gmail.com>
2020 Jun 23
1
Apple mail works but thunderbird unable to connect
I disabled postscreen and enabled logging, I have all ports working except
993, in log when I try to connect on port 993
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>,
rip=10.244.0.24, lip=10.244.0.108, TLS handshaking: SSL_accept() failed:
error:1408F10B:SSL routines:ssl3_get_record:wrong version number,
session=<rEH6ocGoOtUK9AAY>
I found that I could
2016 Jan 20
2
sieve and authentication
when i telnet to the sieve instance running with dovecot, i see that
SASL is supported, but i cannot get thunderbird to connect to the sieve
instance. it seems that i am not providing the right auth methods for
sieve to work.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress
2020 Jul 19
3
I need some help with my Dovecot and Postfix configs - I'm unable to log in on my mail server
Postconf: https://pastebin.com/vTVn2UMr
Doveconf: https://pastebin.com/nEpZrpzB
all my logs from mail.(warn,err,info,log): https://pastebin.com/ccEVUqyd
my messages log: https://pastebin.com/cXaEBmcH
I'm not sure if you meant this about dict_nis_init but I've done what's
explained here:
https://unix.stackexchange.com/questions/244199/postfix-mail-logs-keep-showing-nis-domain-not-set
2009 Jan 15
3
Enforcing STARTTLS for all mechs while disabling imaps
Hi all,
Is there a way to enforce STARTTLS for all connections, regardless of their
authentication mechanism? disable_plaintext_auth only takes care of the auth
conversation, but I would like to have all communication encrypted.
As far as I can see, this would only be possible when using imaps and
disabling imap. However, I would like to have the other way around;
disabling imaps and using imap for