[Dovecot] IMAP over SSL
petsy12 at lavabit.com
Tue Nov 27 15:32:33 EET 2012
Hello.
I've never tried Dovecot. Here is my attempt to enable IMAP over SSL
on port 993. (BTW, I don't want to use port 143 at all.)
# dovecot -n
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps
listen: *:143,[::]:143
ssl_listen: *:993,[::]:993
ssl: required
ssl_cert_file: /etc/dovecot/keycert.pem
ssl_key_file: /etc/dovecot/keycert.pem
ssl_cipher_list: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!NULL:@STRENGTH
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mbox_write_locks: fcntl dotlock
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
1. Here is a snippet from dovecot.conf. Is it correct? Should I change
something? (Note that I don't want to enable IMAP on port 143.)
protocols = imaps
protocol imap {
  listen = *:143,[::]:143
  ssl_listen = *:993,[::]:993
}
disable_plaintext_auth = yes
ssl_listen = *:993,[::]:993
ssl = required
ssl_cert_file = /etc/dovecot/keycert.pem
ssl_key_file = /etc/dovecot/keycert.pem
ssl_cipher_list = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!NULL:@STRENGTH
2. I don't understand the syntax connected with auth. What auth
options are enabled by default?
dovecot.conf:
No sections (e.g. namespace {}) or plugin settings are added by
default, they're listed only as examples.
Does it mean that passdb pam will use defaults (e.g. session=yes,
setcred=yes)?
passdb pam {
# [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
# [cache_key=<key>] [<service name>]
#
# session=yes makes Dovecot open and immediately close PAM session. Some
# PAM plugins need this to work, such as pam_mkhomedir.
#
# setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
# need that. They aren't ever deleted though, so this isn't enabled by
# default.
#
# max_requests specifies how many PAM lookups to do in one process before
# recreating the process. The default is 100, because many PAM plugins
# leak memory.
#
# cache_key can be used to enable authentication caching for PAM
# (auth_cache_size also needs to be set). It isn't enabled by default
# because PAM modules can do all kinds of checks besides checking password,
# such as checking IP address. Dovecot can't know about these checks
# without some help. cache_key is simply a list of variables (see
# /usr/share/doc/dovecot-common/wiki/Variables.txt) which must match
# for the cached data to be used.
# Here are some examples:
# %u - Username must match. Probably sufficient for most uses.
# %u%r - Username and remote IP address must match.
# %u%s - Username and service (ie. IMAP, POP3) must match.
#
# The service name can contain variables, for example %Ls expands to
# pop3 or imap.
#
# Some examples:
# args = session=yes %Ls
# args = cache_key=%u dovecot
#args = dovecot
}
3. Here is the output of `openssl s_client -tls1 -connect mail.example.com:993`. Is it OK?
[snip]
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
[snip]
Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
Also, where can I read about these options?
Any comments are appreciated.
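An added example, not from the original post or from the Dovecot project: a small Python audit that reads an `openssl s_client` transcript like the one in point 3 and flags what a reviewer would act on first (TLS compression left on, a certificate the client does not trust, a weak cipher or a short server key). The transcript it runs on is constructed from the lines quoted above; the finding names and the 2048-bit key threshold are this example's own choices.

```python
import re

# Constructed sample, modelled on the `openssl s_client -tls1 -connect host:993`
# transcript quoted in the post (the [snip] parts are omitted).
SAMPLE_TRANSCRIPT = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
"""


def audit_s_client(transcript, min_key_bits=2048):
    """Return {finding: detail} for the points worth acting on in an s_client transcript."""
    findings = {}
    m = re.search(r"^New, (\S+), Cipher is (\S+)$", transcript, re.M)
    if not m or m.group(2) == "(NONE)":
        findings["no_session"] = "TLS handshake did not complete"
        return findings
    # The version label on this line ("TLSv1/SSLv3") is generic in older OpenSSL
    # builds; pin the version on the command line (-tls1 here) rather than trusting it.
    cipher = m.group(2)
    if re.search(r"NULL|EXP|ADH|AECDH|RC4|^DES-", cipher):
        findings["weak_cipher"] = cipher
    m = re.search(r"^Server public key is (\d+) bit$", transcript, re.M)
    if m and int(m.group(1)) < min_key_bits:
        findings["small_key"] = f"{m.group(1)} bit"
    m = re.search(r"^Compression: (.+)$", transcript, re.M)
    if m and m.group(1).strip() != "NONE":
        # TLS-level compression is what the CRIME attack leverages; it should be off.
        findings["tls_compression"] = m.group(1).strip()
    m = re.search(r"^Verify return code: (\d+) \((.*)\)$", transcript, re.M)
    if m and m.group(1) != "0":
        # 18 = self-signed: clients warn unless the cert (or its issuing CA) is trusted.
        findings["untrusted_cert"] = f"{m.group(1)} ({m.group(2)})"
    return findings


if __name__ == "__main__":
    for name, detail in audit_s_client(SAMPLE_TRANSCRIPT).items():
        print(f"{name}: {detail}")
```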