[Dovecot] Requiring STARTTLS only on some networks
Pascal Volk
user+dovecot at localhost.localdomain.org
Fri May 7 17:26:47 EEST 2010
On 05/07/2010 02:00 PM Thomas Hummel wrote:
> Hello Timo,
>
> is there a way, either in 1.2.x or in 2.x to activate
>
> disable_plaintext_auth=yes
>
> only for some address or network ?
>
> The idea would be to enable clients from the internal networks to keep making
> clear text connections while forbidding it to the rest of the world.
>
> Thanks.
By default "disable_plaintext_auth = yes" is set, in all Dovecot
versions.
With Dovecot v2.0 you can put something like the following in your
dovecot.conf:
    remote 192.168.111.0/24 {
      disable_plaintext_auth = no
    }
    remote fdfd:ffff:dddd::0/48 {
      disable_plaintext_auth = no
    }
Testing the settings:
~ # doveconf disable_plaintext_auth
disable_plaintext_auth = yes
~ # doveconf -f rip=192.168.0.1 disable_plaintext_auth
disable_plaintext_auth = yes
~ # doveconf -f rip=fdfd:ffff:dddd::abcd disable_plaintext_auth
disable_plaintext_auth = no
~ # doveconf -f rip=192.168.111.234 disable_plaintext_auth
disable_plaintext_auth = no
The dovecot.conf for v2.0 also contains:
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
Regards,
Pascal
--
The trapper recommends today: 5e1f1e55.1012716 at localdomain.org
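
The doveconf checks from the message above, wrapped so they can be re-run after every configuration change. This is an added example, not part of the original post or of Dovecot. The function names and the "address=expected" probe format are assumptions made here, and it relies on doveconf printing "name = value" lines as shown in the post.

```shell
#!/bin/sh
# Added example: regression check for per-network disable_plaintext_auth.
# Function names and the "address=expected" probe format are assumptions
# made for this example; only the doveconf invocations come from the post.

# Print the effective value (yes/no) for a client connecting from $1.
effective_setting() {
    doveconf -f "rip=$1" disable_plaintext_auth 2>/dev/null |
        sed -n 's/^disable_plaintext_auth *= *//p'
}

# Compare each "address=expected" probe with what doveconf reports.
# Returns 0 only if every probe matches.
audit_plaintext() {
    rc=0
    for probe in "$@"; do
        addr=${probe%=*}
        want=${probe##*=}
        got=$(effective_setting "$addr")
        if [ -z "$got" ]; then
            echo "ERROR    $addr: doveconf returned no value" >&2
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $addr: disable_plaintext_auth = $got, expected $want" >&2
            rc=1
        else
            echo "ok       $addr: disable_plaintext_auth = $got"
        fi
    done
    return "$rc"
}

# login_trusted_networks makes disable_plaintext_auth ignored for the listed
# ranges, so a non-empty value is reported for review. Returns 1 if set.
check_trusted_networks() {
    nets=$(doveconf login_trusted_networks 2>/dev/null |
        sed -n 's/^login_trusted_networks *= *//p')
    [ -z "$nets" ] && return 0
    echo "REVIEW   login_trusted_networks = $nets" >&2
    return 1
}

# Stand-alone use: pass probes as arguments.
if [ "$#" -gt 0 ]; then
    check_trusted_networks
    audit_plaintext "$@"
fi
```

Include at least one address outside the internal ranges with an expected value of yes, so that a remote block widened by mistake shows up as a MISMATCH.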