Hello, I'm having difficulty setting up a 'secure-only' service on a non-standard port.
Objective is to open a secure Dovecot service on an internet-visible port, while also using an insecure service for hosts on an internal network (so that one particular client which is not SSL/TLS-capable can continue to use the service).
Checking wiki1 and wiki2, I think that port 143 can be used for a service in both encrypted and unencrypted operation. (Wiki2 describes how port 143 can be used with or without STARTTLS.) I've managed to run both TB/Vista and KMail/Debian on 143 from local machines, and they seem to work fine. (Though they only work if the clients are set to use 'unencrypted logins', such as KMail's 'clear text' setting and TB's 'don't use secure authentication'.) Dovecot's SSL certificate on the server expires in 2028.
But I cannot get my 'secure-only service' working at all. I've chosen port 10943 for that service, and have been testing from both KMail on the server, and TB/Vista on another local machine.
Here's the config:
protocol imap {
  # inet users, and also users presented from offsite via an SSH tunnel,
  # will use IMAP (any capability) on 143.
  listen = *:143
  # 143 will not be reachable from outside the internal network (except
  # via an SSH tunnel)
  #
  # External users will be allowed only to use port 10943 (as forwarded
  # from the gateway), and will have to use SSL
  ssl_listen = *:10943
}
Other settings include:
#other settings
protocols = imap imaps
disable_plaintext_auth = no
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
ssl_verify_client_cert = no
ssl_cipher_list = ALL:!LOW
ssl_require_client_cert = no
ssl_username_from_cert = no
mail_location = maildir:~/Maildir

#log and debug settings
mail_debug = yes
auth_debug = yes
Log from a successful session on port 143:
Logs (using port 143, KMail on the server)
14:43:22 auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=127.0.0.1^Irip=127.0.0.1^Iresp=<hidden>
14:43:22 auth(default): client out: OK^I1^Iuser=ron
14:43:22 auth(default): master in: REQUEST^I1^I4057^I1
14:43:22 auth(default): master out: USER^I1^Iron^Isystem_user=ron^Iuid=1001^Igid=1001^Ihome=/home/ron
14:43:22 IMAP(ron): Effective uid=1001, gid=1001
14:43:22 IMAP(ron): maildir: data=/home/ron/Maildir
14:43:22 IMAP(ron): maildir: root=/home/ron/Maildir, index=/home/ron/Maildir, control=, inbox=
14:43:22 imap-login: Login: user=<ron>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS
Unsuccessful session
Logs (using port 10943, KMail on the server) - absolutely no sign of any authentication, and the client reports a timeout.
17:03:30 imap-login: Disconnected: Inactivity: rip=127.0.0.1, lip=127.0.0.1, TLS handshake
17:04:06 imap-login: Disconnected: rip=127.0.0.1, lip=127.0.0.1, TLS handshake
17:05:08 imap-login: Disconnected: Inactivity: rip=127.0.0.1, lip=127.0.0.1, TLS handshake
Port 143 works fine, so Dovecot is (of course) perfectly good at managing the auth and the service; I must have something wrong in the config. I cannot see it. Could anyone share a config they've used for a *secure-only* IMAP service on an internet-visible port? I'd like to compare the settings.
regards, Ron
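A check worth running before changing any settings, added here as an example that is not part of the original post and not Dovecot's own code: a Dovecot ssl_listen port speaks TLS from the first byte and sends no IMAP greeting until the handshake is complete, whereas a listen port greets in the clear and may advertise STARTTLS. A client pointed at the wrong dialect (for instance one configured for STARTTLS on an ssl_listen port) waits for a greeting that never comes while imap-login waits for a ClientHello, which is one way to end up with the "Inactivity ... TLS handshake" disconnect that imap-login logs. The script below connects to a host and port, waits for a greeting, and if none arrives attempts an immediate TLS handshake, reporting which dialect the port expects. The host names and ports are placeholders, and the two local fake listeners used by demo() are constructed for an offline run; the silent one hangs up when the ClientHello arrives rather than completing a handshake, since it has no certificate. The manual equivalents are openssl s_client -connect HOST:10943 for the implicit-TLS port and openssl s_client -starttls imap -connect HOST:143 for the STARTTLS port.

```python
"""Tell an implicit-TLS IMAP port (Dovecot ssl_listen / imaps) apart from a
plaintext port that may offer STARTTLS (Dovecot listen).  Added example, not
code from the original post or from Dovecot; the fake listeners are constructed."""
import re
import socket
import ssl
import sys
import threading

GREETING_RE = re.compile(rb"^\* (OK|PREAUTH|BYE)\b", re.IGNORECASE)


def classify_banner(data):
    """What the server volunteered before we sent a single byte."""
    if not data:
        return "silent"            # an ssl_listen port waits for the ClientHello
    return "plaintext-imap" if GREETING_RE.match(data) else "unknown"


def starttls_advertised(text):
    """True if a greeting or CAPABILITY response lists STARTTLS."""
    return re.search(rb"\bSTARTTLS\b", text, re.IGNORECASE) is not None


def _read_until(sock, marker, timeout):
    """Read until marker, EOF or timeout; return whatever arrived."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while marker not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    except OSError:                # covers socket.timeout and ssl.SSLError
        pass
    return buf


def probe_port(host, port, timeout=3.0):
    """Wait for a greeting; if none comes, try an immediate TLS handshake."""
    result = {"host": host, "port": port, "starttls": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _read_until(sock, b"\r\n", timeout)
        result["banner"] = banner.decode("ascii", "replace").strip()
        if classify_banner(banner) == "plaintext-imap":
            sock.sendall(b"a1 CAPABILITY\r\n")
            caps = _read_until(sock, b"a1 ", timeout)
            result.update(mode="plaintext", starttls=starttls_advertised(banner + caps))
            return result
        # Silence is what a plain-IMAP or STARTTLS client sees on an ssl_listen
        # port: each side waits for the other until Dovecot's inactivity timer.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # mail hosts often run self-signed certs
        ctx.verify_mode = ssl.CERT_NONE
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except (OSError, ValueError) as exc:   # refused, reset, EOF, timed out
            result.update(mode="no-greeting", error=str(exc))
            return result
        with tls:
            banner = _read_until(tls, b"\r\n", timeout)
            result.update(mode="implicit-tls", tls_version=tls.version(),
                          banner=banner.decode("ascii", "replace").strip())
            return result


def _fake_listener(greets):
    """Constructed one-shot local server for the offline demo.  greets=True acts
    like a plaintext listen port; greets=False imitates only the silent half of
    an ssl_listen port (no certificate here, so it hangs up on the ClientHello)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            conn.settimeout(5)
            try:
                if greets:
                    conn.sendall(b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN]"
                                 b" Dovecot ready.\r\n")
                    if b"CAPABILITY" in conn.recv(1024).upper():
                        conn.sendall(b"* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\n"
                                     b"a1 OK Capability completed.\r\n")
                else:
                    conn.recv(1024)  # swallow the ClientHello, then close
            except OSError:
                pass

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout=1.0):
    """Probe both fake listeners; returns their two result dicts."""
    plain = probe_port("127.0.0.1", _fake_listener(greets=True), timeout)
    quiet = probe_port("127.0.0.1", _fake_listener(greets=False), timeout)
    return plain, quiet


if __name__ == "__main__":  # usage: probe_imap.py HOST PORT  (no args: offline demo)
    args = sys.argv[1:]
    for r in [probe_port(args[0], int(args[1]))] if len(args) == 2 else demo():
        print(r)
```

Against a real server, a result with mode "implicit-tls" and a tls_version confirms the port is the one to give a client set to SSL/TLS (imaps), while mode "plaintext" with starttls True is the port for a client set to STARTTLS; a client configured the other way round on either port will stall exactly as the silent path of this probe does.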