[Dovecot] Requiring STARTTLS only on some networks

Pascal Volk user+dovecot at localhost.localdomain.org
Fri May 7 17:26:47 EEST 2010


On 05/07/2010 02:00 PM Thomas Hummel wrote:
> Hello Timo,
> 
> is there a way, either in 1.2.x or in 2.x to activate
> 
>   disable_plaintext_auth=yes
> 
> only for some addresses or networks?
> 
> The idea would be to enable clients from the internal networks to keep making
> clear-text connections while forbidding them for the rest of the world.
> 
> Thanks.

By default, "disable_plaintext_auth = yes" is set in all Dovecot
versions.
With Dovecot v2.0 you can put something like the following in your
dovecot.conf:

remote 192.168.111.0/24 {
  disable_plaintext_auth = no
}
remote fdfd:ffff:dddd::0/48 {
  disable_plaintext_auth = no
}

Testing the settings:

~ # doveconf disable_plaintext_auth
disable_plaintext_auth = yes
~ # doveconf -f rip=192.168.0.1 disable_plaintext_auth
disable_plaintext_auth = yes
~ # doveconf -f rip=fdfd:ffff:dddd::abcd disable_plaintext_auth
disable_plaintext_auth = no
~ # doveconf -f rip=192.168.111.234 disable_plaintext_auth
disable_plaintext_auth = no

The dovecot.conf for v2.0 also contains:
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =


Regards,
Pascal
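The following is an added example, not code from the post above or from Dovecot itself. It emulates what the "doveconf -f rip=..." checks in the post do (resolving the per-network override for a given client address) and adds the check an administrator would want before rolling this out: a list of every "remote" block that switches plaintext auth back on for a range outside the networks declared as internal. The parser handles only the subset of dovecot.conf syntax shown in the post (top-level "key = value" lines and "remote <cidr> { ... }" blocks); the rule that the most specific matching block wins when blocks overlap, the INTERNAL_NETWORKS list and both sample configs are assumptions constructed for this example.

```python
"""Emulate 'doveconf -f rip=<ip>' resolution of per-network overrides and
audit which 'remote' blocks allow plaintext auth outside the internal ranges.

Constructed example, not Dovecot code: it parses only the tiny subset of
dovecot.conf syntax shown in the post and assumes the most specific
matching 'remote' block wins when blocks overlap.
"""
import ipaddress
import re

# Constructed sample config: the snippet from the post plus the global
# default that every Dovecot version ships with.
SAMPLE_CONF = """\
disable_plaintext_auth = yes
remote 192.168.111.0/24 {
  disable_plaintext_auth = no
}
remote fdfd:ffff:dddd::0/48 {
  disable_plaintext_auth = no
}
#login_trusted_networks =
"""

# Constructed "bad" config: a public range (TEST-NET-2) also gets plaintext auth.
BAD_CONF = SAMPLE_CONF + """\
remote 198.51.100.0/24 {
  disable_plaintext_auth = no
}
"""

# Networks the administrator regards as internal (assumption for this example).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("192.168.111.0/24", "fdfd:ffff:dddd::/48")]

_REMOTE_RE = re.compile(r"^remote\s+(\S+)\s*\{$")


def parse_conf(text):
    """Return (global_settings, [(network, settings), ...]) for the supported subset."""
    global_settings, overrides, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _REMOTE_RE.match(line)
        if m:
            current = (ipaddress.ip_network(m.group(1), strict=False), {})
            continue
        if line == "}":
            overrides.append(current)
            current = None
            continue
        key, _, value = line.partition("=")
        target = current[1] if current is not None else global_settings
        target[key.strip()] = value.strip().lower()
    return global_settings, overrides


def effective_setting(text, rip, key="disable_plaintext_auth", default="yes"):
    """Value 'key' takes for a client connecting from 'rip' (like doveconf -f rip=...)."""
    global_settings, overrides = parse_conf(text)
    ip = ipaddress.ip_address(rip)
    value, best = global_settings.get(key, default), None
    for net, settings in overrides:
        if ip.version != net.version or ip not in net or key not in settings:
            continue
        if best is None or net.prefixlen > best.prefixlen:  # most specific wins (assumption)
            value, best = settings[key], net
    return value


def plaintext_outside_internal(text, internal=INTERNAL_NETWORKS):
    """'remote' blocks that re-enable plaintext auth for a range not inside 'internal'."""
    _, overrides = parse_conf(text)
    offending = []
    for net, settings in overrides:
        if settings.get("disable_plaintext_auth") != "no":
            continue
        covered = any(net.version == i.version and net.subnet_of(i) for i in internal)
        if not covered:
            offending.append(str(net))
    return offending


if __name__ == "__main__":
    for rip in ("192.168.0.1", "192.168.111.234", "fdfd:ffff:dddd::abcd", "2001:db8::1"):
        print(f"rip={rip:24} disable_plaintext_auth = {effective_setting(SAMPLE_CONF, rip)}")
    print("plaintext allowed outside internal ranges:", plaintext_outside_internal(BAD_CONF))
```

Run it against the real config by reading dovecot.conf into effective_setting() and plaintext_outside_internal(); the lookups reproduce the four doveconf results in the post, and the audit flags 198.51.100.0/24 in the bad config while passing the original one. Keep in mind that any range in login_trusted_networks also bypasses disable_plaintext_auth, so that list deserves the same review.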