[Dovecot] Dovecot not obeying disable_plaintext_auth = yes and how to force/disable encryption

Darren Pilgrim list_dovecot at bluerosetech.com
Mon Mar 18 01:22:03 EET 2013

I'm using Dovecot 2.1.15.  I need to require encryption and only secure 
auth on public addresses, but allow plaintext auth over an unencrypted 
connection on localhost.

I have so far (excerpts from `doveconf -a`):

auth_mechanisms = cram-md5 plain
disable_plaintext_auth = yes
listen =
service imap-login {
  inet_listener imap-local {
    address = ::1
    port = 143
    ssl = no
  }
  inet_listener imap-pub {
    address = 2001:db8::1
    port = 993
    ssl = yes
  }
}
service managesieve-login {
  inet_listener sieve-local {
    address = ::1
    port = 4190
    ssl = no
  }
  inet_listener sieve-pub {
    address = 2001:db8::1
    port = 4190
    ssl = no
  }
}

The ssl option only seems to switch the inet_listener between using a 
secure socket and using STARTTLS.  How do I tell a given inet_listener 
to do neither?  How do I tell a given inet_listener to require STARTTLS 
before allowing AUTH/SASL?

I would prefer to offer only CRAM-MD5 on the UGA/public ports, and only 
PLAIN or at least also PLAIN on localhost.  I tried adding 
auth_mechanisms lines to each inet_listener block, but got parse errors. 
How do I do this?

Dovecot seems to ignore disable_plaintext_auth = yes:

# telnet 2001:db8::1 4190
Trying 2001:db8::1...
Connected to host.example.com.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress 
comparator-i;ascii-numeric relational regex imap4flags copy include 
variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"VERSION" "1.0"
OK "Dovecot ready."

Please reply on list.
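Editor's added example, not part of the post above or of any reply to it, and not text from the Dovecot project: the way the Dovecot 2.x settings documented in conf.d/10-ssl.conf and conf.d/10-auth.conf are usually combined to get "TLS before any AUTH on public addresses, plaintext AUTH tolerated on localhost". It reuses the addresses and listener names from the post; the certificate paths are placeholders, and it assumes that `ssl = required` and a `disable_plaintext_auth` override inside a `remote` block both work in 2.1.15 (they are documented for the 2.x series, but I have not run them against that exact release). `auth_mechanisms` is a global auth-process setting, which is why putting it inside an inet_listener produces a parse error; this example does not try to vary it per listener.

```conf
# Added example (editor's, not from the post or the Dovecot project).
# Addresses and listener names are taken from the post; certificate
# paths are placeholders. Comments are on their own lines because the
# Dovecot parser does not treat a trailing "#" as a comment.

# Global auth setting; cannot be set per inet_listener.
auth_mechanisms = cram-md5 plain

# "required": a connection that is not already secure must negotiate
# TLS (STARTTLS, or an implicit-TLS listener) before any AUTH/LOGIN
# is accepted, CRAM-MD5 included. A connection whose remote IP equals
# the local IP (::1 talking to ::1) is treated as secure and is exempt.
ssl = required
ssl_cert = </etc/ssl/certs/host.example.com.pem
ssl_key = </etc/ssl/private/host.example.com.key

# Keep PLAIN/LOGIN off unencrypted connections in general, and allow
# them explicitly from the loopback address. The remote-block override
# is redundant with the same-IP rule above, but states the intent and
# survives a later change of "ssl = required" back to "ssl = yes".
disable_plaintext_auth = yes
remote ::1 {
  disable_plaintext_auth = no
}

service imap-login {
  # Plain socket on loopback; STARTTLS is still offered but not forced
  # here because the loopback connection counts as secure.
  inet_listener imap-local {
    address = ::1
    port = 143
    ssl = no
  }
  # ssl = yes on a listener means implicit TLS from the first byte
  # (IMAPS on 993), not "STARTTLS required".
  inet_listener imap-pub {
    address = 2001:db8::1
    port = 993
    ssl = yes
  }
}

service managesieve-login {
  inet_listener sieve-local {
    address = ::1
    port = 4190
    ssl = no
  }
  # ManageSieve has no implicit-TLS port. With ssl = no on the listener
  # and ssl = required globally, the client is offered STARTTLS and
  # AUTHENTICATE is refused until it has been negotiated.
  inet_listener sieve-pub {
    address = 2001:db8::1
    port = 4190
    ssl = no
  }
}
```

To check the result, run `doveconf -n` to confirm the merged values, then connect to the public ManageSieve listener (for example with `telnet 2001:db8::1 4190`) and confirm that the greeting now advertises "STARTTLS" and that an AUTHENTICATE issued before STARTTLS is rejected, while the same AUTHENTICATE against `::1 4190` is accepted. For IMAP, `openssl s_client -connect '[2001:db8::1]:993'` should negotiate TLS immediately and the post-login CAPABILITY should list AUTH=CRAM-MD5 and AUTH=PLAIN; a plain telnet to `::1 143` should still allow LOGIN.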
