[Dovecot] imap, imaps, ports; config for secure-only service

Ron Leach ronleach at tesco.net
Sun Aug 22 18:47:09 EEST 2010


Ronald Leach wrote:
> Hello, having difficulty setting up a 'secure-only' service on a
> non-standard port.
> 

Upgraded version on the server to the latest backport available for 
the server, having saved the conf file.  Started from scratch with 
standard settings.  Particularly:

protocols = imap imaps
listen = *

> Checking wiki1 and wiki2, I think that port 143 can be used for a
> service in both encrypted and unencrypted operations.  (Wiki2
> describes how port 143 can be used with or without STARTTLS.)

143 only worked when protocols = imap was present.
In this case, Thunderbird (on a Vista client) worked in 'TLS' mode. 
The log showed authentication using PLAIN, and TLS secured.  The wiki 
implies that TLS provides end to end (client to dovecot) encryption, 
and (I think) means that the initial username/password exchange is, 
therefore, also protected.  (On the basis that the link protection is 
built before the authentication sequence is started.)

But I want to force secure working - in some kind of secure-only mode, 
so that internet-based users can reach the server securely.  So I 
changed the protocols to:

protocols = imaps

with:

disable_plaintext_auth = yes


In this configuration, TB could not connect on 143, but only on 993, 
*and*, only if TB's SSL option is selected (not its TLS option).  This 
was good, and bad.

Good, because it 'forced' use of a secure connection (assuming that in 
this mode the connection is *actually* protected end-to-end); the 
email client asked if Dovecot's certificate should be accepted, so 
there was certainly some protection going on at some point.

But this was *bad*, I thought, because the wiki (http://wiki.dovecot.org/SSL)
suggests that TLS has replaced SSL, so I am not sure that using SSL is the 
proper thing to do.  Incidentally - almost in a tribute to the wiki 
article - Dovecot recorded the authentication as TLS.

I think I've disabled insecure access from any client - which is a 
pity because we have one client application that is not 
SSL/TLS-capable, as I mentioned before.  The Dovecot website also 
talks about a proxy operation, so I may set up an insecure proxy on 
our other server, and let that proxy for that one application.

Otherwise, I think it is running securely, which is a good step 
forward to allow access from the internet.

regards, Ron
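A way to confirm the "secure-only" behaviour described in this thread from the client side, added here as an example and not part of the original post or of Dovecot: it parses the IMAP CAPABILITY advertisement and reports whether a password would ever be accepted before TLS is up (Dovecot with disable_plaintext_auth = yes advertises LOGINDISABLED and no AUTH= mechanism on the unencrypted side). The greeting strings are constructed samples; the probe_* helpers talk to a real server and assume a host name you supply.

```python
"""Check whether an IMAP server only takes credentials over TLS (added example)."""
from __future__ import annotations
import imaplib
import ssl

# Constructed sample greetings in the Dovecot style, not captured from a real server.
CLEAR_GREETING = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR IDLE STARTTLS LOGINDISABLED] Dovecot ready."
TLS_GREETING = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR IDLE AUTH=PLAIN] Dovecot ready."
WEAK_GREETING = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR IDLE STARTTLS AUTH=PLAIN] Dovecot ready."


def parse_capabilities(line: str) -> frozenset[str]:
    """Accept either a greeting with [CAPABILITY ...] or a '* CAPABILITY ...' response."""
    text = line.strip()
    if "[CAPABILITY" in text:
        start = text.index("[CAPABILITY") + len("[CAPABILITY")
        body = text[start:text.index("]", start)]
    elif text.upper().startswith("* CAPABILITY"):
        body = text[len("* CAPABILITY"):]
    else:
        raise ValueError("not a CAPABILITY line: " + text)
    return frozenset(tok.upper() for tok in body.split())


def plaintext_password_accepted(caps: frozenset[str]) -> bool:
    """True if an unencrypted session would take a password in the clear:
    LOGIN is not disabled, or a SASL mechanism is already offered."""
    return "LOGINDISABLED" not in caps or any(c.startswith("AUTH=") for c in caps)


def assess(clear_caps: frozenset[str], tls_caps: frozenset[str]) -> str:
    """Summarise what the pre-TLS and post-TLS capability sets imply."""
    if plaintext_password_accepted(clear_caps):
        return "weak: password accepted without TLS"
    if not any(c.startswith("AUTH=") for c in tls_caps):
        return "broken: no auth mechanism offered even over TLS"
    return "secure-only: credentials only after TLS"


def probe_starttls(host: str, port: int = 143) -> tuple[frozenset[str], frozenset[str]]:
    """Live check of port 143: capabilities before and after STARTTLS (host is yours)."""
    conn = imaplib.IMAP4(host, port)          # cleartext connection, no password sent
    before = frozenset(conn.capabilities)
    conn.starttls(ssl.create_default_context())  # imaplib re-reads capabilities here
    after = frozenset(conn.capabilities)
    conn.logout()
    return before, after


def probe_imaps(host: str, port: int = 993) -> frozenset[str]:
    """Live check of port 993 (implicit TLS, the 'SSL' option in Thunderbird)."""
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context())
    caps = frozenset(conn.capabilities)
    conn.logout()
    return caps
```

With protocols = imaps only, the 143 probe will simply fail to connect, which is the observed behaviour; the 993 probe should still show AUTH=PLAIN.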

