[Dovecot] Sieve force SSL

Lukas Haase lukashaase at gmx.at
Thu Sep 23 16:17:33 EEST 2010


Hi,

On 23.09.2010 14:58, Timo Sirainen wrote:
> On Thu, 2010-09-23 at 12:16 +0200, Lukas Haase wrote:
>
>> I have activated only imaps and managesieve.
>>
>> As sieve is running on a different port/protocol: Can I make sure that
>> sieve can ONLY be used with SSL/TLS?
>
> http://wiki.dovecot.org/SSL

Thank you.

First, IMAP and SMTP ports are completely blocked by the corporate 
firewall (it is corporate policy to not allow IMAP and SMTP - I can not 
do anything about this).

Second:

[...] This could be because it makes it easier to ensure that no 
information is leaked, because SSL/TLS handshake happens immediately. 
Some clients unfortunately try to do plaintext authentication without 
STARTTLS, even when IMAP server has told the client that it won't work [...]

This is my personal reason for preferring only IMAPS (and do not even 
offer IMAP).

So back to sieve: If I set disable_plaintext_auth=yes and ssl=required 
then nothing should change for my IMAPS port because it is TLS per 
definition. And for managesieve it means that it should be protected the 
same way IMAP with STARTTLS would be.

So a client would connect to port 2000 and LOGIN would not be advertised 
as long as STARTTLS is not issued. Correct?

Regards, Luke
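
A way to check the behaviour asked about above from the client side, as an added example that is not part of the original post: it parses the ManageSieve capability greeting sent before STARTTLS and reports whether PLAIN or LOGIN is advertised. The two greetings are constructed samples, and `read_greeting`, `parse_capabilities` and `plaintext_exposed` are hypothetical helper names.

```python
import re
import socket

# SASL mechanisms that send the password in the clear on an unencrypted link.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def read_greeting(host, port=2000, timeout=5.0):
    """Read the pre-STARTTLS capability greeting from a live server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        # The greeting ends with a response line starting with OK, NO or BYE.
        while not re.search(rb"^(OK|NO|BYE)\b.*\r\n", data, re.M):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("utf-8", "replace")

def parse_capabilities(greeting):
    """Map each capability name to its value ('' when it has none)."""
    caps = {}
    for line in greeting.splitlines():
        m = re.match(r'"([^"]+)"(?:\s+"([^"]*)")?\s*$', line)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps

def plaintext_exposed(greeting):
    """Return (plaintext mechanisms offered, whether STARTTLS is offered)."""
    caps = parse_capabilities(greeting)
    offered = set(caps.get("SASL", "").upper().split())
    return sorted(offered & PLAINTEXT_MECHS), "STARTTLS" in caps

# Constructed sample: empty SASL list until the client issues STARTTLS.
HARDENED = ('"IMPLEMENTATION" "Dovecot"\r\n"SIEVE" "fileinto vacation"\r\n'
            '"SASL" ""\r\n"STARTTLS"\r\nOK "ready."\r\n')
# Constructed sample: plaintext mechanisms advertised on the cleartext link.
WEAK = ('"IMPLEMENTATION" "Dovecot"\r\n"SIEVE" "fileinto vacation"\r\n'
        '"SASL" "PLAIN LOGIN"\r\n"STARTTLS"\r\nOK "ready."\r\n')

if __name__ == "__main__":
    for name, greeting in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, plaintext_exposed(greeting))
```

Against a real server, pass the output of `read_greeting(host)` to `plaintext_exposed`; an empty mechanism list together with STARTTLS offered matches the expectation stated in the question.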



