[Dovecot] Enabling security on POP3 and IMAP
Richard Hobbs
richard.hobbs at crl.toshiba.co.uk
Thu Sep 10 12:13:04 EEST 2009
Hello,
Replies inline...
Patrick Nagel wrote:
> Hi Richard,
>
> On 2009-09-03 16:38, Richard Hobbs wrote:
>> Currently, on our new test server, I am offering IMAP on 143 and POP3 on
>> 110.
>
>> We would like to enable security on both of these protocols to attempt
>> to eliminate the risk from an internal
>> password-grabbing/content-grabbing attack.
>
>> I presume this would mean enabling SSL, and a more securure
>> authentication, right? Or are plain text passwords just sent over the
>> SSL, and therefore perfectly secure?
>
> Yes, plain text passwords are fine with SSL/TLS, since the connection gets
> secured before the password is sent.
OK, I'll do that then, unless it's not commonly what's done for some
reason...
>> Also, what are the steps to enable security for these protocols on an
>> already-configured server?
>
>> Is it possible to offer encrypted and non-encrypted services
>> simultaneously, so people have a choice of whether they want security or
>> not? I know that's a bit weird, but for testing it would be useful.
>
> No problem. Basically you just need to specify the certificate (ssl_cert_file)
> and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to
> 'protocols'.
Thanks for the advice - how do i generate ssl cert files and ssl key
files? Also, various people access our mail server over IP, or various
different hostnames - can all of those be built into the key/cert files
so they aren't continually warned about hostname mismatches?
>> Finally, is there a way to monitor which users are connecting over the
>> secure ports and which users are connecting over the non-secure ports?
>
> You can see it in the log.
Excellent.
Thanks again,
Richard.
--
Richard Hobbs (IT Specialist)
Toshiba Research Europe Ltd. - Cambridge Research Laboratory
Email: richard.hobbs at crl.toshiba.co.uk
Web: http://www.toshiba-europe.com/research/
Tel: +44 1223 436999 Mobile: +44 7811 803377
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3306 bytes
Desc: S/MIME Cryptographic Signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20090910/1e8db6e0/attachment.bin
More information about the dovecot
mailing list