18 Jan
2026
18 Jan
'26
10:51 p.m.
Hi,
I'm setting up a new IMAPS server using Dovecot 2.4 at the moment. I'd like my network internal users to authenticate using GSSAPI. The server is also exposed to the Internet for smart phone email access. I want to offer PLAIN login only for external users as they can't be legitimate internal Kerberos users. (Just as an additional layer of security.)
Would this approach work?
service imap-login { inet_listener imaps_external { port = 1993 ssl = yes auth_mechanisms = plain login } inet_listener imaps_internal { port = 7993 ssl = yes auth_mechanisms = plain login gssapi } }
Then I'd allow only port 1993 externally and keep port 7993 for the LAN.
Thank you for your advice! Reg