28 Jun
2009
28 Jun
'09
12:07 a.m.
On Sat, 2009-06-27 at 20:06 +0200, Jean-Noel Chardron wrote:
This is the protocol: the server announces its capability but can not force the use of TLS which is an initiative of the client.
Server can't force clients to do STARTTLS, but it can prevent clients from being able to log in without it. This is what Dovecot does by default, with disable_plaintext_auth=yes. If it's enabled and STARTTLS isn't used and client tries to log in, Dovecot says:
1 login foo bar
- BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. 1 NO [CLIENTBUG] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.