On 2009-01-06, Timo Sirainen tss@iki.fi wrote:
I already asked on IRC whether this was possible, because I was unable to find this on the Wiki. It turns out there is a configuration switch called `disable_plaintext_auth', but looking at the description this only prevents people from using plain-text username/password authentication. It does not actually enforce TLS or SSL. =20 My question: is there support to enforce TLS when people connect to non-SSL ports? If someone comes up with a solution, I'll add it to the SSL article on the Wiki.
Have you enabled non-plaintext authentication? If not, then disable_plaintext_auth practically does what you want, because you can't authenticate without SSL/TLS.
We have the opposite requirement... Is it possible to enable SSL on the POPS/IMAPS-port, without also enabling STARTTLS on the POP/IMAP ports?
We're hosting many mail domains on the same ip-addresses, and offer mail.$partnername.com as pop/imap server. Now we'd like to also offer a single name for POPS/IMAPS with a non-per-partner-branded name mail.securedomain.com on the same set of servers as the non SSL-version of dovecot is running. This is mostly to avoid needing lots of SSL certificates.
We're afraid that if we enable STARTTLS, many of our existing clients will automatically try using SSL towards the wrong name, and get ugly SSL warnings about certifcate mismatch.
-jf