[Dovecot] Allowing non-SSL connections only for certain Password Databases

Benjamin Podszun dar at darklajid.de
Wed Apr 23 08:38:37 UTC 2014


On Tuesday, April 22, 2014 3:31:47 PM CEST, Urban Loesch wrote:
> Hi,
>
>> 
>> Is there a way to set "disable_plaintext_auth" to different 
>> values for different Password Databases? Is there another way 
>> to do it?
>> 
>
> Why do you not force SSL for all users?
>
> I have no idea how this could be done with different databases. 
> I have only built a solution for all users stored in MySQL.
>
> I'm able to force SSL for imap and pop3 on a per user basis with e.g.:
>
> ...
> password_query = SELECT password FROM users WHERE userid = '%u' 
> AND allow_login = 'y' AND ( force_ssl = 'y' OR '%c' = 
> 'secured');

Wait a second. I might be totally off here, but the way I read that query you 
accept plaintext credentials, unsecured, and then check the DB. After which 
you might say "You're not allowed to log in".

If that is correct every user might send their credentials over unsecured 
connections?

In my opinion this doesn't help. Clients cannot know in advance that they 
shouldn't try to log in.

I guess I'd either

- drop the requirement (best option, hit the users that don't support TLS 
or offer them help to upgrade/fix their setup)

- live with the possibility that the system users are potentially 
disclosing their credentials.


Take a step back: A random client connects to dovecot. It didn't log in 
yet. How would you change the capabilities to reflect 'login without 
starttls is allowed or not', depending on a username that you cannot know 
at this point?

My take, ignoring the "There shouldn't be a need for that" quip, is that 
this is next to impossible. And not worth the challenge.

Ben
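The point above (a per-user SQL check runs only after the credentials have already crossed the wire, whereas a server-wide `disable_plaintext_auth` lets the server advertise `LOGINDISABLED` so a conforming client never sends them) can be made concrete with a small model. This is an added example, not code from the thread or from Dovecot: the `USERS` table is a constructed stand-in for the MySQL table in the quoted query, the server and client are toy objects, and the `force_ssl` check models the intent of that query (TLS required for users flagged `force_ssl = 'y'`). The client behaviour assumed is the one RFC 3501 section 6.2.3 requires: a client must not issue LOGIN when the server advertises `LOGINDISABLED`.

```python
"""Toy model of when credentials become visible on an unsecured IMAP connection.

Constructed example; not Dovecot code. It contrasts:
  - a server-wide gate (disable_plaintext_auth = yes), which is visible in the
    pre-login capability list and is enforced before the password is examined;
  - a per-user database check (like the quoted password_query), which can only
    run after the username and password have already been received.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the `users` table referenced by the quoted SQL.
USERS = {
    "alice": {"password": "s3cret", "allow_login": "y", "force_ssl": "y"},
    "bob":   {"password": "hunter2", "allow_login": "y", "force_ssl": "n"},
}


@dataclass
class Server:
    disable_plaintext_auth: bool
    # Every (user, password) pair the server received over a non-TLS connection.
    credentials_seen_unsecured: list = field(default_factory=list)

    def capabilities(self, secured: bool) -> list:
        """Pre-login CAPABILITY response; the username is unknown at this point."""
        caps = ["IMAP4rev1"]
        if not secured:
            caps.append("STARTTLS")
            if self.disable_plaintext_auth:
                # Server-wide setting: can be advertised without knowing the user.
                caps.append("LOGINDISABLED")
        return caps

    def login(self, secured: bool, user: str, password: str) -> str:
        """Handle a LOGIN command; returns a constructed tagged-response summary."""
        # Server-wide gate: rejected before the credentials are looked at.
        if not secured and self.disable_plaintext_auth:
            return "NO plaintext authentication disallowed"
        # From here on we are inside the password-database lookup, i.e. the
        # equivalent of the quoted password_query: the secret is already on the wire.
        if not secured:
            self.credentials_seen_unsecured.append((user, password))
        row = USERS.get(user)
        if row is None or row["allow_login"] != "y":
            return "NO"
        # Per-user TLS requirement (the force_ssl / '%c' = 'secured' part of the query).
        if row["force_ssl"] == "y" and not secured:
            return "NO"
        if row["password"] != password:
            return "NO"
        return "OK"


def client_login(server: Server, secured: bool, user: str, password: str) -> str:
    """Conforming client: checks capabilities and never sends LOGIN when LOGINDISABLED."""
    if "LOGINDISABLED" in server.capabilities(secured):
        return "client refused to send credentials"
    return server.login(secured, user, password)


if __name__ == "__main__":
    per_user = Server(disable_plaintext_auth=False)
    print(client_login(per_user, False, "alice", "s3cret"))   # NO, but ...
    print(per_user.credentials_seen_unsecured)                # ... password already exposed

    global_gate = Server(disable_plaintext_auth=True)
    print(client_login(global_gate, False, "alice", "s3cret"))  # client never sends LOGIN
    print(global_gate.credentials_seen_unsecured)               # []
```

Running it shows the asymmetry: with the per-user query alone, alice's password is in `credentials_seen_unsecured` even though her login was refused, while with the server-wide gate a conforming client stops at the capability list and a non-conforming one is still rejected before the password-database lookup runs.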