Hi all,
Ok, up until now, I've only always allowed IMAPS connections to dovecot on port 993.
I want to also start allowing clients to use port 143+STARTTLS, but I also want to make sure both ports are locked down to ONLY allow secure connections.
So... is disable_plaintext_auth = yes in the main config enough to accomplish this?
http://wiki2.dovecot.org/SSL/DovecotConfiguration says:
There are a couple of different ways to specify when SSL/TLS is required:
* disable_plaintext_auth=yes allows plaintext authentication <http://wiki2.dovecot.org/Authentication/Mechanisms> only when SSL/TLS is used first.
* ssl = required requires SSL/TLS also for non-plaintext authentication <http://wiki2.dovecot.org/Authentication/Mechanisms>.
* If you have only plaintext mechanisms enabled (auth { mechanisms = plain login } ), you can use either (or both) of the above settings. They behave exactly the same way then.
and the comments in 10-auth.conf say:
Disable LOGIN command and all other plaintext authentications unless
SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
matches the local IP (ie. you're connecting from the same computer), the
connection is considered secure and plaintext authentication is allowed.
See also ssl=required setting.
#disable_plaintext_auth = yes
These seem to be saying that all I need to do is set either or both (ssl=required and/or disable_plaintext_auth=yes).
I'm looking for the simplest, and don't like redundant/unnecessary settings, so... which is the best/preferred way?
And what is the difference between ssl=required and disable_plaintext_auth=yes?
Thanks,
--
Best regards,
Charles
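One way to check the result on port 143, as an added example that is not part of the original post: audit the capability list the server sends before STARTTLS, using the LOGINDISABLED capability and the plain/login mechanisms named in the quoted documentation. The function names and the three banner lines are constructed for illustration; run the live probe from a remote host, since the quoted 10-auth.conf comment says connections from the local IP are treated as secure.

```python
import imaplib

# Plaintext SASL mechanisms, per the page's "mechanisms = plain login".
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def audit_pre_tls(capability_line):
    """Return findings for a capability list seen BEFORE STARTTLS is issued."""
    tokens = capability_line.replace("[", " ").replace("]", " ").split()
    caps = {t.upper() for t in tokens}
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: clients cannot upgrade this connection")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN command usable in cleartext")
    for m in sorted(mechs & PLAINTEXT_MECHS):
        findings.append(f"AUTH={m} offered before TLS: plaintext mechanism exposed")
    for m in sorted(mechs - PLAINTEXT_MECHS):
        # disable_plaintext_auth only covers plaintext mechanisms; the quoted
        # wiki text says ssl = required is what covers non-plaintext ones.
        findings.append(f"AUTH={m} offered before TLS: not covered by disable_plaintext_auth")
    return findings

def fetch_pre_tls_capabilities(host, port=143):
    """Live probe: connect without TLS and return the advertised capabilities."""
    conn = imaplib.IMAP4(host, port)
    try:
        return " ".join(conn.capabilities)
    finally:
        conn.shutdown()

# Constructed sample greetings (not captured from a real server).
LOCKED = "* OK [CAPABILITY IMAP4rev1 SASL-IR IDLE STARTTLS LOGINDISABLED] ready."
OPEN = "* OK [CAPABILITY IMAP4rev1 SASL-IR IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] ready."
MIXED = "* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED AUTH=CRAM-MD5] ready."

if __name__ == "__main__":
    for name, line in (("LOCKED", LOCKED), ("OPEN", OPEN), ("MIXED", MIXED)):
        print(name, audit_pre_tls(line) or "no cleartext authentication offered")
```
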