On 12/14/05, Magnus Holmgren <holmgren@lysator.liu.se> wrote:
> ankush grover wrote:
> > hey friends,
> >
> > I am trying to secure my mail server on FC3. I have enabled TLS support
> > in postfix (version postfix-2.1.5) and want to use ssl settings for
> > dovecot (0.99.13).
> > ...
> > If I do telnet localhost 993 or 995 I don't see any "Ok Dovecot Ready"
> > message. If I enable pop3 and imap in dovecot.conf and then I telnet
> > localhost 110 or 143 I can see "Ok Dovecot Ready" message.
>
> That's normal. Dovecot is waiting for the SSL handshake to complete
> before it will send "Ok Dovecot Ready" (over the encrypted line). Use
>     openssl s_client -connect yourhost:995
> to test.

It is working fine as I get the Ok Dovecot Ready message.

> Some clients can also connect to port 110 or 143 and issue the
> STARTTLS/STLS command to initiate encryption. If you only have such
> clients (unlikely), then you don't need pop3s and imaps in the protocols
> line. At any rate, you can pretty safely allow pop3 and imap; dovecot
> will not allow any plaintext authentication until the connection is
> encrypted. Caveat: Some clients, most notably Mozilla Thunderbird, will
> send IMAP passwords in clear anyway, instead of checking if it's OK.
> (The IMAP LOGIN command takes the username and the password in the same
> command. You should issue the CAPABILITY command, which shows that LOGIN
> is disabled while STARTTLS is available.)

My clients are Outlook Express, IncrediMail, SquirrelMail, Microsoft Outlook, Evolution and KMail.
I hope none of these clients passes IMAP passwords in clear text.
Thanks for your guidance.
Thanks & Regards
Ankush
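
The CAPABILITY check discussed in the thread, as an added example that is not part of the original messages: it parses an IMAP server's advertised capabilities and decides whether a client may send LOGIN, must issue STARTTLS first, or should stop. The function names, the policy and the sample server responses are assumptions constructed for illustration; `LOGINDISABLED` and `STARTTLS` are the capability names defined in RFC 3501.

```python
# Added example (not from the thread): decide what a careful IMAP client may
# do next, based on the capabilities the server advertises (RFC 3501).
import re

def parse_capabilities(lines):
    """Collect capability atoms from an untagged CAPABILITY response or from
    a [CAPABILITY ...] response code in the server greeting."""
    caps = set()
    for line in lines:
        line = line.strip()
        m = (re.match(r"\* CAPABILITY (.+)$", line, re.I)
             or re.search(r"\[CAPABILITY ([^\]]+)\]", line, re.I))
        if m:
            caps.update(atom.upper() for atom in m.group(1).split())
    return caps

def next_step(caps, tls_active):
    """Hypothetical client policy: never put a password on an unencrypted line."""
    if not tls_active:
        # LOGIN carries username and password in one command, so there is no
        # safe way to "try it and see" before encryption is up.
        return "STARTTLS" if "STARTTLS" in caps else "ABORT"
    # Capabilities cached before STARTTLS must be discarded and re-read,
    # so this branch expects the set parsed from a fresh CAPABILITY reply.
    return "ABORT" if "LOGINDISABLED" in caps else "LOGIN"

# Constructed sample responses, not captured from a real server.
BEFORE_TLS = [
    "* OK dovecot ready.",
    "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
    "a1 OK Capability completed.",
]
AFTER_TLS = [
    "* CAPABILITY IMAP4rev1 AUTH=PLAIN",
    "a2 OK Capability completed.",
]
NO_TLS_OFFERED = ["* OK [CAPABILITY IMAP4rev1] ready."]

if __name__ == "__main__":
    for name, lines, tls in (("before TLS", BEFORE_TLS, False),
                             ("after TLS", AFTER_TLS, True),
                             ("no TLS offered", NO_TLS_OFFERED, False)):
        print(name, "->", next_step(parse_capabilities(lines), tls))
```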