[Dovecot] Allowing non-SSL connections only for certain Password Databases
Benjamin Podszun
dar at darklajid.de
Wed Apr 23 08:38:37 UTC 2014
On Tuesday, April 22, 2014 3:31:47 PM CEST, Urban Loesch wrote:
> Hi,
>
>>
>> Is there a way to set "disable_plaintext_auth" to different
>> values for different Password Databases? Is there another way
>> to do it?
>>
>
> Why do you not force SSL for all users?
>
> I have no idea how this could be made with different databases.
> I have only built a solution for all users stored in mysql.
>
> I'm able to force SSL for imap and pop3 on a per user basis with e.g.:
>
> ...
> password_query = SELECT password FROM users WHERE userid = '%u'
> AND allow_login = 'y' AND ( force_ssl = 'y' OR '%c' =
> 'secured');
Wait a second. I might be totally off here, but the way I read that query you
accept plaintext credentials, unsecured, and then check the DB. After which
you might say "You're not allowed to log in".
If that is correct every user might send their credentials over unsecured
connections?
In my opinion this doesn't help. Clients cannot know in advance that they
shouldn't try to log in.
I guess I'd either
- drop the requirement (best option, hit the users that don't support TLS
or offer them help to upgrade/fix their setup)
- live with the possibility that the system users are potentially
disclosing their credentials.
Take a step back: A random client connects to dovecot. It hasn't logged in
yet. How would you change the capabilities to reflect 'login without
starttls is allowed or not', depending on a username that you cannot know
at this point?
My take, ignoring the "There shouldn't be a need for that" quip, is that
this is next to impossible. And not worth the challenge.
Ben
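The ordering problem Ben describes (credentials arrive on the wire before any per-user policy can be consulted) can be made concrete with a small model of the IMAP pre-login exchange. The following is an added example written for this page; it is not Dovecot code and not part of the thread. It assumes a constructed `USERS` table standing in for the `users` table in the quoted `password_query`, reads the per-user condition as "reject when the user requires SSL and the connection is not secured" (an interpretation of the query's intent), and models `disable_plaintext_auth = yes` as advertising the IMAP `LOGINDISABLED` capability on unsecured connections, which is the mechanism a client can act on before sending anything.

```python
"""Model of the two policies discussed above: a per-user SQL check that runs
after credentials arrive, versus a global disable_plaintext_auth that is
advertised to the client before login.  Constructed example, not Dovecot."""
from dataclasses import dataclass, field

# Constructed sample rows, analogous to the 'users' table in the quoted query.
USERS = {
    "alice": {"password": "s3cret", "allow_login": True, "force_ssl": True},
    "bob": {"password": "hunter2", "allow_login": True, "force_ssl": False},
}


@dataclass
class Session:
    secured: bool                     # TLS established (Dovecot's '%c' == 'secured')
    wire: list = field(default_factory=list)  # what an on-path observer sees


def capabilities(session: Session, disable_plaintext_auth: bool) -> list:
    """Capabilities the server can advertise before it knows who the user is.
    The only per-connection fact available here is whether TLS is on."""
    caps = ["IMAP4rev1"]
    if not session.secured:
        caps.append("STARTTLS")
        if disable_plaintext_auth:
            caps.append("LOGINDISABLED")  # tells the client not to send LOGIN
    return caps


def password_query(user: str, secured: bool):
    """Stand-in for the quoted password_query: returns the password row only
    when login is allowed and the connection satisfies the user's SSL policy.
    By construction it can only run once the username has been received."""
    row = USERS.get(user)
    if row is None or not row["allow_login"]:
        return None
    if row["force_ssl"] and not secured:
        return None
    return row["password"]


def client_login(session: Session, user: str, password: str,
                 disable_plaintext_auth: bool) -> str:
    """A well-behaved client honours LOGINDISABLED; otherwise it sends LOGIN."""
    if "LOGINDISABLED" in capabilities(session, disable_plaintext_auth):
        return "client refused: LOGINDISABLED advertised, no credentials sent"
    # Credentials leave the client now, before any per-user decision exists.
    if session.secured:
        session.wire.append("<TLS record>")
    else:
        session.wire.append(f"LOGIN {user} {password}")
    if password_query(user, session.secured) == password:
        return "OK logged in"
    return "NO authentication failed"


def credentials_exposed(session: Session) -> bool:
    """True if a LOGIN command with the password was observable in cleartext."""
    return any(line.startswith("LOGIN ") for line in session.wire)


def run(user: str, password: str, secured: bool, disable_plaintext_auth: bool):
    """Drive one connection and report (server reply, cleartext exposure)."""
    session = Session(secured=secured)
    reply = client_login(session, user, password, disable_plaintext_auth)
    return reply, credentials_exposed(session)


if __name__ == "__main__":
    # Per-user policy only: alice is rejected, but her password was on the wire.
    print(run("alice", "s3cret", secured=False, disable_plaintext_auth=False))
    # Global policy: the client never sends LOGIN on the unsecured connection.
    print(run("alice", "s3cret", secured=False, disable_plaintext_auth=True))
    # Global policy, secured connection: login proceeds, nothing in cleartext.
    print(run("alice", "s3cret", secured=True, disable_plaintext_auth=True))
```

The first run is the case Ben objects to: the server's answer is "NO", yet `credentials_exposed` is true, because the per-user row could not be consulted until the `LOGIN` line (and the password in it) had already crossed an unsecured connection. The second run shows why `disable_plaintext_auth = yes` is the only lever that acts before the username is known: the decision is encoded in the capability list, so a conforming client never transmits the secret.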