On 12/14/05, Magnus Holmgren holmgren@lysator.liu.se wrote:
ankush grover wrote:
hey friends,
I am trying to secure my mail server on FC3. I have enabled TLS support in postfix (version postfix-2.1.5) and want to use SSL settings for dovecot (0.99.13). ... If I do telnet localhost 993 or 995 I don't see any "Ok Dovecot Ready" message. If I enable pop3 and imap in dovecot.conf and then I telnet localhost 110 or 143 I can see the "Ok Dovecot Ready" message.
That's normal. Dovecot is waiting for the SSL handshake to complete before it will send "Ok Dovecot Ready" (over the encrypted line). Use
openssl s_client -connect yourhost:995
to test.
It is working fine as I get the Ok Dovecot Ready message.
Some clients can also connect to port 110 or 143 and issue the STARTTLS/STLS command to initiate encryption. If you only have such clients (unlikely), then you don't need pop3s and imaps in the protocols line. At any rate, you can pretty safely allow pop3 and imap; dovecot will not allow any plaintext authentication until the connection is encrypted. Caveat: Some clients, most notably Mozilla Thunderbird, will send IMAP passwords in clear anyway, instead of checking if it's OK. (The IMAP LOGIN command takes the username and the password in the same command. You should issue the CAPABILITY command, which shows that LOGIN is disabled while STARTTLS is available.)
My clients are Outlook Express, IncrediMail, SquirrelMail, Microsoft Outlook, Evolution and KMail.
I hope none of these clients passes IMAP passwords in clear text.
Thanks for your guidance.
Thanks & Regards
Ankush
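
Added example (not part of the original thread): a Python sketch of the client-side check described above, reading CAPABILITY before any LOGIN is sent and upgrading with STARTTLS first. The capability lines are constructed samples, and the names parse_capabilities, login_decision and safe_login are hypothetical; safe_login assumes the server certificate validates against the system trust store.

```python
import imaplib
import ssl

# Constructed sample responses, not captured from a real server.
PRE_TLS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
POST_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

def parse_capabilities(line):
    """Return the capability atoms from an untagged CAPABILITY line
    or from a greeting of the form '* OK [CAPABILITY ...] text'."""
    upper = line.strip().upper()
    idx = upper.find("CAPABILITY")
    if idx < 0:
        return set()
    rest = upper[idx + len("CAPABILITY"):]
    # In a greeting the list ends at the closing bracket.
    return set(rest.split("]", 1)[0].split())

def login_decision(caps, encrypted):
    """Decide the next step before the password leaves the client."""
    if not encrypted:
        # Never send LOGIN in clear: upgrade if possible, else stop.
        return "starttls" if "STARTTLS" in caps else "abort"
    # LOGINDISABLED after TLS means LOGIN is not offered at all.
    return "abort" if "LOGINDISABLED" in caps else "login"

def safe_login(host, user, password, port=143):
    """Connect on the plaintext port and log in only after STARTTLS."""
    conn = imaplib.IMAP4(host, port)
    caps = {c.upper() for c in conn.capabilities}
    if login_decision(caps, encrypted=False) != "starttls":
        conn.logout()
        raise RuntimeError("server offers no STARTTLS; not sending password")
    conn.starttls(ssl.create_default_context())
    # imaplib re-reads the capabilities after a successful STARTTLS.
    caps = {c.upper() for c in conn.capabilities}
    if login_decision(caps, encrypted=True) != "login":
        conn.logout()
        raise RuntimeError("LOGIN still disabled after TLS")
    conn.login(user, password)
    return conn
```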