[Dovecot] SSL / TLS

Jean-Noel Chardron Jean-Noel.Chardron at dr15.cnrs.fr
Sun Jun 28 01:13:41 EEST 2009


Timo Sirainen wrote:
> On Sat, 2009-06-27 at 20:06 +0200, Jean-Noel Chardron wrote:
>   
>> This is the protocol: the server announces its capability but can not 
>> force the use of TLS which is an initiative of the client.
>>     
>
> Server can't force clients to do STARTTLS, but it can prevent clients
> from being able to log in without it. This is what Dovecot does by
> default, with disable_plaintext_auth=yes. If it's enabled and STARTTLS
> isn't used and client tries to log in, Dovecot says:
>
> 1 login foo bar
> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
> 1 NO [CLIENTBUG] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
>
>   
Very interesting, I didn't think about it. This may indeed be the case, 
thus forcing the users to make the choice of TLS in a hostile 
environment. However, this rule will then also apply to a "friendly" 
environment on the local network. This is not the goal for the sedentary 
among us, unless the default configuration of clients was not "plain 
text" but "do TLS if possible".
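
The client-side counterpart of the exchange above, as an added example that is not part of the original post or of Dovecot's code: a client that reads the advertised capabilities and decides whether it may send LOGIN, under either a strict policy or the "do TLS if possible" policy mentioned in the message. STARTTLS and LOGINDISABLED are RFC 3501 capability names; the function names, policy names and sample lines are constructed for illustration.

```python
# Added example: decide what an IMAP client may send before authenticating.
# STARTTLS and LOGINDISABLED are RFC 3501 capability names; the function
# names, policy names and sample lines below are constructed for illustration.

def parse_capabilities(line):
    """Return the capability atoms from a greeting or CAPABILITY response."""
    upper = line.upper()
    start = upper.find("CAPABILITY")
    if start == -1:
        return set()
    rest = upper[start + len("CAPABILITY"):]
    # Greeting form is "* OK [CAPABILITY ...] text": stop at the bracket.
    return set(rest.split("]", 1)[0].split())


def next_step(capability_line, tls_active, policy="require_tls"):
    """Pick the next client action.

    policy "require_tls": never send credentials in cleartext.
    policy "opportunistic": "do TLS if possible", else fall back to cleartext.
    """
    if policy not in ("require_tls", "opportunistic"):
        raise ValueError("unknown policy: %r" % policy)
    if tls_active:
        return "LOGIN"            # channel already encrypted
    caps = parse_capabilities(capability_line)
    if "STARTTLS" in caps:
        return "STARTTLS"         # upgrade, then re-read CAPABILITY
    if "LOGINDISABLED" in caps or policy == "require_tls":
        return "ABORT"            # sending LOGIN here would expose the password
    # Opportunistic fallback: no protection if STARTTLS was removed from the
    # capability list in transit, which is why require_tls is the default.
    return "LOGIN_PLAINTEXT"


# Constructed sample lines (not captured from a real server).
GREETING_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready."
GREETING_PLAIN = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready."
AFTER_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

if __name__ == "__main__":
    for line, tls, policy in [
        (GREETING_TLS, False, "opportunistic"),
        (GREETING_PLAIN, False, "opportunistic"),
        (GREETING_PLAIN, False, "require_tls"),
        (AFTER_TLS, True, "require_tls"),
    ]:
        print(policy, tls, "->", next_step(line, tls, policy))
```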

