[Dovecot] Enforcing STARTTLS for all mechs while disabling

Durk Strooisma durk at kern.nl
Thu Jan 15 18:10:53 EET 2009


Hi Timo,

> Not possible currently.

Okay.

> Hmm. I don't want to add a new setting for this, but some existing one
> could be updated/replaced.. Perhaps ssl_disable=required? Although that
> sounds weird. Maybe deprecate that setting and have
> ssl=yes/no/required.

The setting "ssl" sounds fine. In case you're going to implement this
feature, for which release would that be?

> Anyway you could modify the sources pretty easily to do this. In
> src/imap-login/client-authenticate.c function cmd_authenticate() add
> before mech_name line something like:
>
> 	if (!client->common.secured && disable_plaintext_auth) {
> 		if (verbose_auth) {
> 			client_syslog(&client->common, "Login failed: "
> 				      "STARTTLS not enabled");
> 		}
> 		client->common.auth_attempts++;
> 		client_send_line(client, "* NO [ALERT] STARTTLS requires");
> 		client_send_tagline(client, "NO STARTTLS required");
> 		return 1;
> 	}

Thanks for the info!

Durk
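
An added example, not part of the original message and not Dovecot code: a small offline check that reads a server's replies to AUTHENTICATE on a connection where STARTTLS was never issued, and reports whether authentication was refused for a non-plaintext mechanism as well. The sample replies are constructed, and the names capabilities() and audit_pre_tls() are hypothetical.

```python
import re

# Constructed server replies on a connection where STARTTLS was NOT issued.
# The client's only command was "a1 AUTHENTICATE CRAM-MD5".
STOCK = [  # server starts the SASL exchange in cleartext
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5] ready",
    "+ PDEyMzQ1QGV4YW1wbGU+",
]
PATCHED = [  # server answers with the lines from the snippet quoted above
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5] ready",
    "* NO [ALERT] STARTTLS requires",
    "a1 NO STARTTLS required",
]

def capabilities(line):
    """Capability atoms from a greeting or an untagged CAPABILITY line."""
    m = re.search(r"CAPABILITY ([^\]\r\n]+)", line, re.IGNORECASE)
    return set(m.group(1).upper().split()) if m else set()

def audit_pre_tls(lines, tag="a1"):
    """Return findings; an empty list means auth was refused before TLS."""
    findings, caps, answered = [], set(), False
    for raw in lines:
        line = raw.strip()
        caps |= capabilities(line)
        if answered:
            continue
        if line.startswith("+"):
            # A continuation request means the SASL exchange has begun.
            findings.append("AUTHENTICATE accepted before STARTTLS")
            answered = True
        elif line.startswith(tag + " "):
            status = line.split(None, 2)[1].upper()
            if status == "OK":
                findings.append("authenticated before STARTTLS")
            elif status == "BAD":
                findings.append("inconclusive: command rejected as BAD")
            answered = True  # a tagged NO is the desired refusal
    if not answered:
        findings.append("no reply to AUTHENTICATE seen")
    if caps and "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    if caps and "LOGINDISABLED" not in caps:
        findings.append("LOGIN permitted in cleartext (no LOGINDISABLED)")
    return findings

if __name__ == "__main__":
    for name, sample in (("stock", STOCK), ("patched", PATCHED)):
        print(name, audit_pre_tls(sample) or "refused before TLS")
```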



