Aki Tuomi said on Fri, 6 Mar 2026 19:34:48 +0200 (EET)
On 06/03/2026 19:23 EET Steve Litt via dovecot <dovecot@dovecot.org> wrote:
That explains it. Thanks Aki.
ssl = required at the top level does not prevent plain text access, however, as shown by both claws-mail and doveadm fetch. What more should I do to prevent all plain text access?
Thanks,
SteveT
Steve Litt
Apologies, I read the documentation wrong and it fooled me.
"Localhost connections are secured by default, but they are not trusted by default. If you want localhost to be trusted, it needs to be included in this setting."
I guess the easiest way is to do
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
}
Note that the listeners are on *login* processes (except for lmtp). This has not changed since 2.2.
Thanks Aki! The preceding sentence is the key to everything. When I
changed the outer service imap { to service imap-login { ,
everything worked as expected, I did not get duplicate port errors when
specifying a default port, and I was able to toggle ability and
inability to access via plain text by toggling port= between 143 and 0.
I'll tell all my friends about this key distinction that listeners are
on *login* processes, which of course makes perfect sense from a
sockets point of view.
Unfortunately, a lot of web lookups and AI suggest the outer service imap rather than service imap-login, and I ended up with imap
instead of imap-login. I'll now insert warning comments about this in
my config file.
Thanks,
SteveT
Steve Litt
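
Added example, not part of the thread and not Dovecot project code: a small lint for the distinction discussed above, flagging a plaintext imap/pop3 inet_listener that sits under the wrong service or that is not set to port = 0. The names OWNER, parse_listeners and audit and the sample configs are constructed for illustration; the parser is simplified (one block opener, setting or closing brace per line) and only sees blocks present in the text it is given.

```python
import re

# Plaintext listener name -> the login service that owns it (per the thread).
OWNER = {"imap": "imap-login", "pop3": "pop3-login"}

# Constructed sample: listener placed under the outer "service imap".
MISPLACED = """service imap {
  inet_listener imap {
    port = 0
  }
}
"""
# The fix from the thread: same block, under the login service.
FIXED = MISPLACED.replace("service imap ", "service imap-login ")

def parse_listeners(conf_text):
    """Return (service, listener, port) per inet_listener block; port may be None."""
    stack, found = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            words = line[:-1].split()
            if words[:1] == ["inet_listener"]:
                parent = stack[-1] if stack else []
                found.append([parent[1] if len(parent) > 1 else None, words[-1], None])
            stack.append(words)
        elif line == "}" and stack:
            stack.pop()
        elif stack and stack[-1][:1] == ["inet_listener"]:
            m = re.fullmatch(r"port\s*=\s*(\d+)", line)
            if m:
                found[-1][2] = int(m.group(1))
    return [tuple(f) for f in found]

def audit(conf_text):
    """Return findings for plaintext listeners that are misplaced or not disabled."""
    findings = []
    for service, name, port in parse_listeners(conf_text):
        if name not in OWNER:
            continue
        if service != OWNER[name]:
            findings.append(f"inet_listener {name} is under service {service}; move it to service {OWNER[name]}")
        elif port != 0:
            findings.append(f"service {service}: inet_listener {name} is not disabled (port = {port})")
    return findings

if __name__ == "__main__":
    print(audit(MISPLACED), audit(FIXED))
```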