[Dovecot] Allow both SSL/993 and STARTTLS/143 connections (secure only)
Hi all,
Ok, up until now, I've only always allowed IMAPS connections to dovecot on port 993.
I want to also start allowing clients to use port 143+STARTTLS, but I also want to make sure both ports are locked down to ONLY allow secure connections.
So... is disable_plaintext_auth = yes in the main config enough to accomplish this?
http://wiki2.dovecot.org/SSL/DovecotConfiguration says:
There are a couple of different ways to specify when SSL/TLS is required:
* disable_plaintext_auth=yes allows plaintext authentication <http://wiki2.dovecot.org/Authentication/Mechanisms> only when SSL/TLS is used first.
* ssl = required requires SSL/TLS also for non-plaintext authentication <http://wiki2.dovecot.org/Authentication/Mechanisms>.
If you have only plaintext mechanisms enabled (auth { mechanisms = plain login } ), you can use either (or both) of the above settings. They behave exactly the same way then.
and the comments in 10-auth.conf say:
Disable LOGIN command and all other plaintext authentications unless
SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
matches the local IP (ie. you're connecting from the same computer), the
connection is considered secure and plaintext authentication is allowed.
See also ssl=required setting.
#disable_plaintext_auth = yes
These seem to be saying that all I need to do is set either or both (ssl=required and/or disable_plaintext_auth=yes).
I'm looking for the simplest, and don't like redundant/unnecessary settings, so... which is the best/preferred way?
And what is the difference between ssl=required and disable_plaintext_auth=yes?
Thanks,
--
Best regards,
Charles
On 2014-01-03 8:32 AM, Charles Marcus <CMarcus@Media-Brokers.com> wrote:
Ok, up until now, I've only always allowed IMAPS connections to dovecot on port 993.
I want to also start allowing clients to use port 143+STARTTLS, but I also want to make sure both ports are locked down to ONLY allow secure connections.
And I just had an idea, but don't know if it is possible.
Can I offer one namespace on one port (ie, SSL/993), and a different namespace on the other port (STARTTLS/143)?
This would be a simple and effective way to migrate users from one namespace to another... have them change both the port/security setting and the namespace prefix at the same time, then restart the client... boom.
And this suggests it is possible:
http://wiki2.dovecot.org/Namespaces
The section name in namespaces (e.g. namespace sectionname { .. } is used only internally within configuration. It's not required at all, but it allows you to update an existing namespace (like how 15-mailboxes.conf does) or have userdb override namespace settings for specific users (namespace/sectionname/prefix=foo/).
But the question is, how exactly to implement it, and I can't see from the docs exactly how to go about it.
--
Best regards,
Charles
On Fri, 03 Jan 2014 10:08:15 -0500 Charles Marcus wrote:
On 2014-01-03 8:32 AM, Charles Marcus <CMarcus@Media-Brokers.com> wrote:
Ok, up until now, I've only always allowed IMAPS connections to dovecot on port 993.
I want to also start allowing clients to use port 143+STARTTLS, but I also want to make sure both ports are locked down to ONLY allow secure connections.
And I just had an idea, but don't know if it is possible.
Can I offer one namespace on one port (ie, SSL/993), and a different namespace on the other port (STARTTLS/143)?
You don't need 2 namespaces.
In 10-auth.conf set "disable_plaintext_auth = yes"
My 10-master.conf contains
    service imap-login {
      inet_listener imap {
        port = 143
      }
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }
And this works.
--Frank Elsner
On 2014-01-03 10:20 AM, Frank Elsner <frank@moltke28.B.Shuttle.DE> wrote:
On Fri, 03 Jan 2014 10:08:15 -0500 Charles Marcus wrote:
And I just had an idea, but don't know if it is possible.
Can I offer one namespace on one port (ie, SSL/993), and a different namespace on the other port (STARTTLS/143)?
You don't need 2 namespaces.
In 10-auth.conf set "disable_plaintext_auth = yes"
My 10-master.conf contains
    service imap-login {
      inet_listener imap {
        port = 143
      }
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }
And this works.
And this just totally solved one of the last problems I was facing doing the transition...
Adding the above combined with the courier-imap compatibility namespace results in ALL clients looking normal, regardless of which port or namespace prefix they are configured to use.
Thanks Frank!!
--
Best regards,
Charles