starttls for some services only

Bjoern Jacke lists2020 at j3e.de
Mon Feb 10 19:17:25 EET 2020


Hi Aki,

On 10.02.20 17:03, Aki Tuomi wrote:
> Try setting
> 
> login_trusted_networks = lb-ip/32
> 
> See 
> https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks

I do have login_trusted_networks set already. Along with the proxy
protocol (haproxy_trusted_networks = lb-ip) I had to set
login_trusted_networks to 0.0.0.0/0 actually because the proxy protocol
tells dovecot the real clients' IP address and that IP address is the one
actually evaluated for login_trusted_networks. With the plain
authentication being done inside the load balancer's TLS connection it
is more or less obvious that this is needed in that case.

But those settings don't change the pity: ssl=no is globally required to
make the starttls options disappear for imap-login - but with ssl=no
globally I don't see a possibility to enable the starttls option for
other services like managesieve for example.

Thanks
Björn

