Ronald Leach wrote:
Hello, I am having difficulty setting up a 'secure-only' service on a non-standard port.
I upgraded the version on the server to the latest backport available for it, having saved the conf file, and started from scratch with standard settings. In particular:
protocols = imap imaps
listen = *
Checking wiki1 and wiki2, I think that port 143 can be used for a service in both encrypted and unencrypted operations. (Wiki2 describes how port 143 can be used with or without STARTTLS.)
143 only worked when protocols = imap was present. In this case, Thunderbird (on a Vista client) worked in 'TLS' mode. The log showed authentication using PLAIN, and TLS secured. The wiki implies that TLS provides end to end (client to dovecot) encryption, and (I think) means that the initial username/password exchange is, therefore, also protected. (On the basis that the link protection is built before the authentication sequence is started.)
But I want to force secure working - in some kind of secure-only mode, so that internet-based users can reach the server securely. So I changed the protocols to:
protocols = imaps
with:
disable_plaintext_auth = yes
In this configuration, TB could not connect on 143, but only on 993, *and*, only if TB's SSL option is selected (not its TLS option). This was good, and bad.
Good, because it 'forced' use of a secure connection (assuming that in this mode the connection is *actually* protected end-to-end); the email client asked if Dovecot's certificate should be accepted, so there was certainly some protection going on at some point.
But this was *bad*, I thought, because the wiki (http://wiki.dovecot.org/SSL) suggests that TLS has replaced SSL, so I am not sure that using SSL is the proper thing to do. Incidentally - almost in a tribute to the wiki article - Dovecot recorded the authentication as TLS.
I think I've disabled insecure access from any client - which is a pity because we have one client application that is not SSL/TLS-capable, as I mentioned before. The Dovecot website also talks about a proxy operation, so I may set up an insecure proxy on our other server, and let that proxy for that one application.
Otherwise, I think it is running securely, which is a good step forward to allow access from the internet.
regards, Ron
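The question in the post comes down to whether a password can ever be sent before TLS is in place. A Dovecot configured with disable_plaintext_auth = yes keeps port 143 open but advertises LOGINDISABLED (and no AUTH=PLAIN/LOGIN) until the client has completed STARTTLS, which is what a client-side check should confirm. The following is an added example, not part of the original post and not Dovecot's own code: it parses an IMAP greeting or CAPABILITY response and decides whether the plaintext port actually forces TLS, and optionally probes a live server. The two greetings in it are constructed for illustration, and the host/port used by probe() are assumptions.

```python
"""Check whether an IMAP plaintext port refuses cleartext logins until
STARTTLS has been negotiated.  Added example; the greetings below are
constructed, not captured from a real server."""
import imaplib
import ssl
from dataclasses import dataclass

# SASL mechanisms that transmit the password in recoverable form.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed greetings: one from a server that still allows AUTH=PLAIN
# before TLS, one from a server that disables plaintext auth until TLS.
WEAK_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready."
STRICT_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."


@dataclass
class Assessment:
    tls_available: bool       # STARTTLS offered on this connection
    login_disabled: bool      # LOGINDISABLED: LOGIN command refused pre-TLS
    cleartext_mechs: tuple    # AUTH= mechanisms offered that expose the password

    @property
    def forces_tls(self) -> bool:
        # Secure only if no password can be sent before TLS *and* TLS can
        # actually be negotiated on this port.
        return self.tls_available and self.login_disabled and not self.cleartext_mechs


def parse_capabilities(line: str) -> set:
    """Extract capability tokens from either a greeting carrying a
    [CAPABILITY ...] response code or an untagged '* CAPABILITY ...' line."""
    text = line.strip()
    if "[CAPABILITY" in text:
        text = text.split("[CAPABILITY", 1)[1].split("]", 1)[0]
    elif text.startswith("* CAPABILITY"):
        text = text[len("* CAPABILITY"):]
    return {tok.upper() for tok in text.split()}


def assess(caps: set) -> Assessment:
    """Classify a pre-TLS capability set.  A server that advertises
    LOGINDISABLED but still offers AUTH=PLAIN is flagged as not forcing TLS."""
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    return Assessment(
        tls_available="STARTTLS" in caps,
        login_disabled="LOGINDISABLED" in caps,
        cleartext_mechs=tuple(sorted(mechs & PLAINTEXT_MECHS)),
    )


def probe(host: str = "imap.example.org", port: int = 143, timeout: float = 5.0):
    """Live check (network access; host and port are assumptions): read the
    pre-TLS capabilities, then negotiate STARTTLS and read them again so the
    operator can see LOGINDISABLED disappear once the link is protected."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    before = assess(set(conn.capabilities))
    after = None
    if before.tls_available:
        conn.starttls(ssl.create_default_context())   # verifies the certificate
        after = assess(set(conn.capabilities))        # imaplib refreshes them
    conn.logout()
    return before, after


if __name__ == "__main__":
    for name, greeting in (("weak", WEAK_GREETING), ("strict", STRICT_GREETING)):
        a = assess(parse_capabilities(greeting))
        print(f"{name}: forces_tls={a.forces_tls} cleartext={a.cleartext_mechs}")
```

Run against a real host, probe() should report forces_tls=True for the first assessment and login_disabled=False with AUTH=PLAIN present for the second: the password is accepted only after STARTTLS, which is the property the post is trying to establish without giving up port 143.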