[Dovecot] Enforcing TLS

Jan-Frode Myklebust janfrode at tanso.net
Fri Jan 9 13:34:37 EET 2009


On 2009-01-06, Timo Sirainen <tss at iki.fi> wrote:
>
>> I already asked on IRC whether this was possible, because I was unable
>> to find this on the Wiki. It turns out there is a configuration switch
>> called `disable_plaintext_auth', but looking at the description this
>> only prevents people from using plain-text username/password
>> authentication. It does not actually enforce TLS or SSL.
>>
>> My question: is there support to enforce TLS when people connect to
>> non-SSL ports? If someone comes up with a solution, I'll add it to the
>> SSL article on the Wiki.
>
> Have you enabled non-plaintext authentication? If not, then
> disable_plaintext_auth practically does what you want, because you can't
> authenticate without SSL/TLS.

We have the opposite requirement... Is it possible to enable SSL on the
POPS/IMAPS port, without also enabling STARTTLS on the POP/IMAP ports?

We're hosting many mail domains on the same IP addresses, and offer
mail.$partnername.com as pop/imap server. Now we'd like to also offer
a single name for POPS/IMAPS with a non-per-partner-branded
name mail.securedomain.com on the same set of servers as the non-SSL version
of dovecot is running. This is mostly to avoid needing lots of SSL
certificates.

We're afraid that if we enable STARTTLS, many of our existing clients will
automatically try using SSL towards the wrong name, and get ugly SSL warnings
about certificate mismatch.


  -jf
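What a listener actually permits on the plain IMAP port can be read off its capability advertisement: `disable_plaintext_auth` appears as `LOGINDISABLED` on an unencrypted connection, and STARTTLS support appears as `STARTTLS`. The following is an added example, not code from this thread or from Dovecot: it parses constructed greeting lines (no real server was captured) and applies Timo's reasoning above, namely that TLS is only required in practice when plaintext login is disabled and no non-plaintext mechanism such as CRAM-MD5 is offered.

```python
import re
from dataclasses import dataclass

# Mechanisms that send the password in the clear; everything else is
# "non-plaintext" in the sense of disable_plaintext_auth.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


@dataclass(frozen=True)
class AuthPolicy:
    starttls_offered: bool
    plaintext_login_disabled: bool
    non_plaintext_mechs: frozenset

    @property
    def tls_required_in_practice(self) -> bool:
        # With LOGINDISABLED and only PLAIN/LOGIN configured, no client
        # can authenticate until the connection is TLS-protected.
        return self.plaintext_login_disabled and not self.non_plaintext_mechs


def parse_capabilities(line: str) -> set:
    """Return capability tokens from '* OK [CAPABILITY ...]' or '* CAPABILITY ...'."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m:
        body = m.group(1)
    elif line.startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    else:
        raise ValueError("not a capability line: %r" % line)
    return set(body.split())


def classify(line: str) -> AuthPolicy:
    caps = parse_capabilities(line)
    mechs = {c[len("AUTH="):].upper() for c in caps if c.startswith("AUTH=")}
    return AuthPolicy(
        starttls_offered="STARTTLS" in caps,
        plaintext_login_disabled="LOGINDISABLED" in caps,
        non_plaintext_mechs=frozenset(mechs - PLAINTEXT_MECHS),
    )


# Constructed sample greetings as a Dovecot-style server might send on port 143
SAMPLES = {
    "plaintext_open": "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready",
    "tls_enforced": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    "crammd5_leak": "* OK [CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=CRAM-MD5] ready",
}
```

The third sample is the trap Timo's reply warns about: `LOGINDISABLED` is set, yet authentication over plaintext remains possible because a non-plaintext mechanism is still advertised.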


