[Dovecot] Allowing non-SSL connections only for certain Password Databases

Urban Loesch bind at enas.net
Wed Apr 23 08:57:23 UTC 2014



On 23.04.2014 10:38, Benjamin Podszun wrote:
> On Tuesday, April 22, 2014 3:31:47 PM CEST, Urban Loesch wrote:
>> Hi,
>>
>>>
>>> Is there a way to set "disable_plaintext_auth" to different values
>>> for different Password Databases? Is there another way to do it?
>>>
>>
>> Why do you not force SSL for all users?
>>
>> I have no idea how this could be made with different databases. I have
>> only built a solution for all users stored in mysql.
>>
>> I'm able to force SSL for imap and pop3 on a per user basis with e.g.:
>>
>> ...
>> password_query = SELECT password FROM users WHERE userid = '%u' AND
>> allow_login = 'y' AND ( force_ssl = 'y' OR '%c' = 'secured');
>
> Waitasecond. I might be totally off here, but the way I read that query
> you accept plaintext credentials, unsecured and then check the DB. After
> which you might say "You're not allowed to log in".

Yes that is correct and I knew that when I configured the setup. But I 
can't manipulate the clients.

>
> If that is correct every user might send their credentials over
> unsecured connections?

Yes, that is a disadvantage. As I just said, I can't change that.

>
> In my opinion this doesn't help. Clients cannot know in advance that
> they shouldn't try to login.
>
> I guess I'd either
>
> - drop the requirement (best option, hit the users that don't support
> TLS or offer them help to upgrade/fix their setup)

Can you help me to upgrade/fix 40k users, who have no idea how to 
change the settings of a mail client? Send me your phone number and I 
will redirect all requests of that kind to you :-)

You will see very quickly that it's not practicable to force all users 
to use SSL at the same time. With this setup I can bring users step by 
step to use SSL.

>
> - live with the possibility that the system users are potentially
> disclosing their credentials.

I have no system users.

>
>
> Take a step back: A random client connects to dovecot. It didn't log in
> yet. How would you change the capabilities to reflect 'login without
> starttls is allowed or not', depending on a username that you cannot
> know at this point?

I know all usernames as I activate them. So I can control which user 
must use SSL and which not. I can also, for example, control which user is 
forced to use port 587 for sending their email and which not.

>
> My take, ignoring the "There shouldn't be a need for that" quip, is that
> this is next to impossible. And not worth the challenge.
>
> Ben

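An added example, not from the thread or from Dovecot itself, for the step-by-step migration discussed above: before flipping a user's `force_ssl` column to `'y'` in the `password_query`, an operator wants to know which users have already stopped logging in without TLS. The script below parses Dovecot `imap-login`/`pop3-login` "Login:" lines (the field list ending in `TLS` or `secured` is assumed to mark a protected session; the log lines are constructed samples) and splits users into those safe to force and those still sending credentials unencrypted.

```python
import re
from collections import defaultdict

# Constructed sample Dovecot login lines (not from the thread). A ", TLS"
# (or ", secured") field is assumed to appear only for protected sessions.
SAMPLE_LOG = """\
Apr 23 08:10:01 mx dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1, mpid=1001, TLS, session=<a1>
Apr 23 08:11:05 mx dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.1, mpid=1002, session=<b1>
Apr 23 08:12:09 mx dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1, mpid=1003, TLS, session=<a2>
Apr 23 08:13:00 mx dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.1, mpid=1004, TLS, session=<c1>
Apr 23 08:14:30 mx dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.1, mpid=1005, session=<c2>
Apr 23 08:15:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.com>, method=PLAIN, rip=192.0.2.14, lip=198.51.100.1, TLS, session=<d1>
"""

# Only successful logins count; "Disconnected (auth failed ...)" lines are skipped.
LOGIN_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, (?P<rest>.*)$"
)


def parse_logins(text):
    """Yield (user, service, secured) for each successful login line."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        fields = [f.strip() for f in m.group("rest").split(",")]
        secured = "TLS" in fields or "secured" in fields
        yield m.group("user"), m.group("svc"), secured


def classify_users(text):
    """Return (ready, pending): users with only secured logins vs. the rest."""
    counts = defaultdict(lambda: {"secured": 0, "plain": 0})
    for user, _svc, secured in parse_logins(text):
        counts[user]["secured" if secured else "plain"] += 1
    ready = sorted(u for u, c in counts.items() if c["plain"] == 0)
    pending = sorted(u for u, c in counts.items() if c["plain"] > 0)
    return ready, pending


if __name__ == "__main__":
    ready, pending = classify_users(SAMPLE_LOG)
    print("candidates for force_ssl='y':", ready)
    print("still logging in without TLS:", pending)
```

Run it against a longer window of real logs; a user with zero plaintext logins over that window can be moved to `force_ssl = 'y'` without the lockout the query would otherwise cause.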