[Dovecot] disable_plaintext_auth = no has no effect on IMAP/POP3 logins

Mikkel mikkel at euro123.dk
Thu Jun 14 12:15:14 EEST 2012


I just found the solution by coincidence.

It appears there is a configuration file named:
  /etc/dovecot/conf.d/10-ssl.conf

In that file the following line was active: ssl = required
That setting apparently overrides what disable_plaintext_auth has to say: with ssl = required the login processes reject plaintext authentication on any non-TLS connection regardless of disable_plaintext_auth, which is exactly the PRIVACYREQUIRED error the non-SSL port 143/110 listeners were returning.

After commenting out the ssl=required entry everything works as expected :-) (with the trade-off the [ALERT] message below describes: logins on the non-SSL listeners now send the password in the clear).

Regards, Mikkel

Den 14/06/12 10.14, Mikkel skrev:
> Hello
>
> In my installation the disable_plaintext_auth does not appear to take
> effect.
> I can see that the value is correct using doveconf -a but it doesn't
> change anything.
>
> Whenever attempting to log in using IMAP I get this:
> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but
> your client did it anyway. If anyone was listening, the password was
> exposed.
> ls NO [PRIVACYREQUIRED] Plaintext authentication disallowed on
> non-secure (SSL/TLS) connections.
>
> POP3 login attempts give this error:
> -ERR Plaintext authentication disallowed on non-secure (SSL/TLS)
> connections
>
> Besides adding disable_plaintext_auth=no to dovecot.conf I also tried
> adding it specifically to the imap section.
> I also tried to invoke it just for certain networks, like this:
>
> remote 0.0.0.0 {
>    disable_plaintext_auth = no
> }
>
> But none of this takes any effect either. Adding the testing network to
> login_trusted_networks does remove the error, though.
> But I would rather not add the whole internet to the trusted network
> section just to allow plain text logins in imap.
>
> I'm in the process of migrating from 1.1 to 2.1, so this configuration is
> for testing things out and is mainly based on the default configuration
> files coming with the CentOS installation.
> I should add that everything else in this setup is working fine.
>
>
> I did many searches for information on this topic but nothing I could
> find applies to my case.
>
> I'm sorry to post such a long conf but I'm not sure what parts I could
> have safely omitted.
> Here goes:
>
>
> # doveconf -a
> # 2.1.1: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-220.17.1.el6.x86_64 x86_64 CentOS release 6.2 (Final)
> auth_anonymous_username = anonymous
> auth_cache_negative_ttl = 2 mins
> auth_cache_size = 0
> auth_cache_ttl = 2 mins
> auth_debug = no
> auth_debug_passwords = no
> auth_default_realm = plain
> auth_failure_delay = 2 secs
> auth_first_valid_uid = 500
> auth_gssapi_hostname =
> auth_krb5_keytab =
> auth_last_valid_uid = 0
> auth_master_user_separator =
> auth_mechanisms = plain
> auth_realms = plain login  digest-md5 cram-md5 apop ntlm
> auth_socket_path = auth-userdb
> auth_ssl_require_client_cert = no
> auth_ssl_username_from_cert = no
> auth_use_winbind = no
> auth_username_chars =
> abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
> auth_username_format = %Lu
> auth_username_translation =
> auth_verbose = no
> auth_verbose_passwords = no
> auth_winbind_helper_path = /usr/bin/ntlm_auth
> auth_worker_max_count = 30
> base_dir = /var/run/dovecot
> config_cache_size = 1 M
> debug_log_path =
> default_client_limit = 1000
> default_idle_kill = 1 mins
> default_internal_user = dovecot
> default_login_user = dovenull
> default_process_limit = 100
> default_vsz_limit = 256 M
> deliver_log_format = msgid=%m: %$
> dict_db_config =
> director_doveadm_port = 0
> director_mail_servers =
> director_servers =
> director_user_expire = 15 mins
> disable_plaintext_auth = no
> dotlock_use_excl = no
> doveadm_allowed_commands =
> doveadm_password =
> doveadm_proxy_port = 0
> doveadm_socket_path = doveadm-server
> doveadm_worker_count = 0
> dsync_alt_char = _
> first_valid_gid = 1
> first_valid_uid = 105
> hostname = usrmta01.talkactive.net
> imap_capability =
> imap_client_workarounds =
> imap_id_log =
> imap_id_send =
> imap_idle_notify_interval = 2 mins
> imap_logout_format = in=%i out=%o
> imap_max_line_length = 64 k
> imapc_host =
> imapc_master_user =
> imapc_password =
> imapc_port = 143
> imapc_rawlog_dir =
> imapc_ssl = no
> imapc_ssl_ca_dir =
> imapc_ssl_verify = yes
> imapc_user = %u
> import_environment = TZ
> info_log_path = /var/log/dovecot/dovecot.run
> instance_name = dovecot
> last_valid_gid = 0
> last_valid_uid = 0
> lda_mailbox_autocreate = no
> lda_mailbox_autosubscribe = no
> lda_original_recipient_header =
> libexec_dir = /usr/libexec/dovecot
> listen = *, ::
> lmtp_proxy = no
> lmtp_save_to_detail_mailbox = no
> lock_method = fcntl
> log_path = /var/log/dovecot/dovecot.err
> log_timestamp = "%b %d %H:%M:%S "
> login_access_sockets =
> login_greeting = Dovecot ready.
> login_log_format = %$: %s
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
> login_trusted_networks =
> mail_access_groups =
> mail_attachment_dir =
> mail_attachment_fs = sis posix
> mail_attachment_hash = %{sha1}
> mail_attachment_min_size = 128 k
> mail_cache_fields = flags
> mail_cache_min_mail_count = 0
> mail_chroot =
> mail_debug = no
> mail_fsync = always
> mail_full_filesystem_access = no
> mail_gid =
> mail_home =
> mail_location =
> mail_log_prefix = "%s(%u): "
> mail_max_keyword_length = 50
> mail_max_lock_timeout = 0
> mail_max_userip_connections = 10
> mail_never_cache_fields = imap.envelope
> mail_nfs_index = yes
> mail_nfs_storage = yes
> mail_plugin_dir = /usr/lib64/dovecot
> mail_plugins = quota
> mail_prefetch_count = 0
> mail_privileged_group =
> mail_save_crlf = no
> mail_temp_dir = /tmp
> mail_uid =
> mailbox_idle_check_interval = 30 secs
> mailbox_list_index = no
> maildir_broken_filename_sizes = no
> maildir_copy_with_hardlinks = yes
> maildir_stat_dirs = no
> maildir_very_dirty_syncs = no
> master_user_separator =
> mbox_dirty_syncs = yes
> mbox_dotlock_change_timeout = 2 mins
> mbox_lazy_writes = yes
> mbox_lock_timeout = 5 mins
> mbox_md5 = apop3d
> mbox_min_index_size = 0
> mbox_read_locks = fcntl
> mbox_very_dirty_syncs = no
> mbox_write_locks = fcntl
> mdbox_preallocate_space = no
> mdbox_rotate_interval = 0
> mdbox_rotate_size = 2 M
> mmap_disable = yes
> namespace inbox {
>    hidden = no
>    ignore_on_failure = no
>    inbox = yes
>    list = yes
>    location =
>    mailbox Drafts {
>      auto = no
>      special_use = \Drafts
>    }
>    mailbox Junk {
>      auto = no
>      special_use = \Junk
>    }
>    mailbox Sent {
>      auto = no
>      special_use = \Sent
>    }
>    mailbox "Sent Messages" {
>      auto = no
>      special_use = \Sent
>    }
>    mailbox Trash {
>      auto = no
>      special_use = \Trash
>    }
>    prefix =
>    separator =
>    subscriptions = yes
>    type = private
> }
> passdb {
>    args = /local/config/dovecot-sql.conf
>    default_fields =
>    deny = no
>    driver = sql
>    master = no
>    override_fields =
>    pass = no
> }
> plugin {
>    quota = maildir
>    quota_rule2 = Trash:storage=+10M:messages=+100
>    quota_warning = storage=80%% /local/scripts/quota-warning.sh 80
>    sieve_extensions = +imapflags +notify
>    trash = /local/config/dovecot-trash.conf
> }
> pop3_client_workarounds =
> pop3_enable_last = no
> pop3_fast_size_lookups = no
> pop3_lock_session = no
> pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
> pop3_no_flag_updates = no
> pop3_reuse_xuidl = no
> pop3_save_uidl = no
> pop3_uidl_format = %08Xu%08Xv
> pop3c_host =
> pop3c_password =
> pop3c_port = 110
> pop3c_rawlog_dir =
> pop3c_ssl = no
> pop3c_ssl_ca_dir =
> pop3c_ssl_verify = yes
> pop3c_user = %u
> postmaster_address =
> protocols = imap pop3 lmtp
> quota_full_tempfail = no
> recipient_delimiter = +
> rejection_reason = Your message to <%t> was automatically rejected:%n%r
> rejection_subject = Rejected: %s
> sendmail_path = /usr/sbin/sendmail
> service anvil {
>    chroot = empty
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = anvil
>    extra_groups =
>    group =
>    idle_kill = 4294967295 secs
>    privileged_group =
>    process_limit = 1
>    process_min_avail = 1
>    protocol =
>    service_count = 0
>    type = anvil
>    unix_listener anvil-auth-penalty {
>      group =
>      mode = 0600
>      user =
>    }
>    unix_listener anvil {
>      group =
>      mode = 0600
>      user =
>    }
>    user = $default_internal_user
>    vsz_limit = 18446744073709551615 B
> }
> service auth-worker {
>    chroot =
>    client_limit = 1
>    drop_priv_before_exec = no
>    executable = auth -w
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol =
>    service_count = 1
>    type =
>    unix_listener auth-worker {
>      group =
>      mode = 0600
>      user = $default_internal_user
>    }
>    user = $default_internal_user
>    vsz_limit = 18446744073709551615 B
> }
> service auth {
>    chroot =
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = auth
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 1
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type =
>    unix_listener /var/spool/postfix/private/auth {
>      group =
>      mode = 0666
>      user =
>    }
>    unix_listener auth-client {
>      group =
>      mode = 0600
>      user =
>    }
>    unix_listener auth-login {
>      group =
>      mode = 0600
>      user = $default_internal_user
>    }
>    unix_listener auth-master {
>      group =
>      mode = 0600
>      user =
>    }
>    unix_listener auth-userdb {
>      group =
>      mode = 0666
>      user =
>    }
>    unix_listener login/login {
>      group =
>      mode = 0666
>      user =
>    }
>    user = $default_internal_user
>    vsz_limit = 18446744073709551615 B
> }
> service config {
>    chroot =
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = config
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type = config
>    unix_listener config {
>      group =
>      mode = 0600
>      user =
>    }
>    user =
>    vsz_limit = 18446744073709551615 B
> }
> service dict {
>    chroot =
>    client_limit = 1
>    drop_priv_before_exec = no
>    executable = dict
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type =
>    unix_listener dict {
>      group =
>      mode = 0600
>      user =
>    }
>    user = $default_internal_user
>    vsz_limit = 18446744073709551615 B
> }
> service director {
>    chroot = .
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = director
>    extra_groups =
>    fifo_listener login/proxy-notify {
>      group =
>      mode = 00
>      user =
>    }
>    group =
>    idle_kill = 4294967295 secs
>    inet_listener {
>      address =
>      port = 0
>      ssl = no
>    }
>    privileged_group =
>    process_limit = 1
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type =
>    unix_listener director-admin {
>      group =
>      mode = 0600
>      user =
>    }
>    unix_listener director-userdb {
>      group =
>      mode = 0600
>      user =
>    }
>    unix_listener login/director {
>      group =
>      mode = 00
>      user =
>    }
>    user = $default_internal_user
>    vsz_limit = 18446744073709551615 B
> }
> service dns_client {
>    chroot =
>    client_limit = 1
>    drop_priv_before_exec = no
>    executable = dns-client
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type =
>    unix_listener dns-client {
>      group =
>      mode = 0666
>      user =
>    }
>    unix_listener login/dns-client {
>      group =
>      mode = 0666
>      user =
>    }
>    user = $default_internal_user
>    vsz_limit = 18446744073709551615 B
> }
> service doveadm {
>    chroot =
>    client_limit = 1
>    drop_priv_before_exec = no
>    executable = doveadm-server
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol =
>    service_count = 1
>    type =
>    unix_listener doveadm-server {
>      group =
>      mode = 0600
>      user =
>    }
>    user =
>    vsz_limit = 18446744073709551615 B
> }
> service imap-login {
>    chroot = login
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = imap-login
>    extra_groups =
>    group =
>    idle_kill = 0
>    inet_listener imap {
>      address =
>      port = 143
>      ssl = no
>    }
>    inet_listener imaps {
>      address =
>      port = 993
>      ssl = yes
>    }
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol = imap
>    service_count = 0
>    type = login
>    user = $default_login_user
>    vsz_limit = 256 M
> }
> service imap {
>    chroot =
>    client_limit = 1
>    drop_priv_before_exec = no
>    executable = imap
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 1024
>    process_min_avail = 0
>    protocol = imap
>    service_count = 1
>    type =
>    unix_listener login/imap {
>      group =
>      mode = 0666
>      user =
>    }
>    user =
>    vsz_limit = 256 M
> }
> service indexer-worker {
>    chroot =
>    client_limit = 1
>    drop_priv_before_exec = no
>    executable = indexer-worker
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 10
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type =
>    unix_listener indexer-worker {
>      group =
>      mode = 0600
>      user = $default_internal_user
>    }
>    user =
>    vsz_limit = 18446744073709551615 B
> }
> service indexer {
>    chroot =
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = indexer
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 1
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type =
>    unix_listener indexer {
>      group =
>      mode = 0666
>      user =
>    }
>    user = $default_internal_user
>    vsz_limit = 18446744073709551615 B
> }
> service ipc {
>    chroot = empty
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = ipc
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 1
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type =
>    unix_listener ipc {
>      group =
>      mode = 0600
>      user =
>    }
>    unix_listener login/ipc-proxy {
>      group =
>      mode = 0600
>      user = $default_login_user
>    }
>    user = $default_internal_user
>    vsz_limit = 18446744073709551615 B
> }
> service lmtp {
>    chroot =
>    client_limit = 1
>    drop_priv_before_exec = no
>    executable = lmtp
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol = lmtp
>    service_count = 0
>    type =
>    unix_listener lmtp {
>      group =
>      mode = 0666
>      user =
>    }
>    user =
>    vsz_limit = 18446744073709551615 B
> }
> service log {
>    chroot =
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = log
>    extra_groups =
>    group =
>    idle_kill = 4294967295 secs
>    privileged_group =
>    process_limit = 1
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type = log
>    unix_listener log-errors {
>      group =
>      mode = 0600
>      user =
>    }
>    user =
>    vsz_limit = 18446744073709551615 B
> }
> service pop3-login {
>    chroot = login
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = pop3-login
>    extra_groups =
>    group =
>    idle_kill = 0
>    inet_listener pop3 {
>      address =
>      port = 110
>      ssl = no
>    }
>    inet_listener pop3s {
>      address =
>      port = 995
>      ssl = yes
>    }
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol = pop3
>    service_count = 1
>    type = login
>    user = $default_login_user
>    vsz_limit = 18446744073709551615 B
> }
> service pop3 {
>    chroot =
>    client_limit = 1
>    drop_priv_before_exec = no
>    executable = pop3
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 1024
>    process_min_avail = 0
>    protocol = pop3
>    service_count = 1
>    type =
>    unix_listener login/pop3 {
>      group =
>      mode = 0666
>      user =
>    }
>    user =
>    vsz_limit = 18446744073709551615 B
> }
> service ssl-params {
>    chroot =
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = ssl-params
>    extra_groups =
>    group =
>    idle_kill = 0
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type = startup
>    unix_listener login/ssl-params {
>      group =
>      mode = 0666
>      user =
>    }
>    user =
>    vsz_limit = 18446744073709551615 B
> }
> service stats {
>    chroot = empty
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = stats
>    extra_groups =
>    fifo_listener stats-mail {
>      group =
>      mode = 0600
>      user =
>    }
>    group =
>    idle_kill = 4294967295 secs
>    privileged_group =
>    process_limit = 1
>    process_min_avail = 0
>    protocol =
>    service_count = 0
>    type =
>    unix_listener stats {
>      group =
>      mode = 0600
>      user =
>    }
>    user = $default_internal_user
>    vsz_limit = 18446744073709551615 B
> }
> shutdown_clients = yes
> ssl = required
> ssl_ca =
> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
> ssl_cert_username_field = commonName
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_client_cert =
> ssl_client_key =
> ssl_crypto_device =
> ssl_key = </etc/pki/dovecot/private/dovecot.pem
> ssl_key_password =
> ssl_parameters_regenerate = 1 weeks
> ssl_protocols = !SSLv2
> ssl_verify_client_cert = no
> stats_command_min_time = 1 mins
> stats_domain_min_time = 12 hours
> stats_ip_min_time = 12 hours
> stats_memory_limit = 16 M
> stats_session_min_time = 15 mins
> stats_user_min_time = 1 hours
> submission_host =
> syslog_facility = mail
> userdb {
>    args =
>    default_fields =
>    driver = prefetch
>    override_fields =
> }
> userdb {
>    args = /local/config/dovecot-sql.conf
>    default_fields =
>    driver = sql
>    override_fields =
> }
> valid_chroot_dirs =
> verbose_proctitle = no
> verbose_ssl = no
> version_ignore = no
> protocol lda {
>    mail_plugins = quota quota sieve trash
> }
> protocol imap {
>    imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> tb-lsub-flags
>    imap_logout_format = bytes=%i/%o
>    mail_plugins = quota quota imap_quota trash
> }
> protocol pop3 {
>    mail_plugins = quota quota
>    pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
>    pop3_uidl_format = %08Xu%08Xv
> }
>
>
> Regards, Mikkel



