Auth is and has been set to:
auth_mechanisms = plain login gssapi cram-md5
I also tried plain and login by themselves individually with no change in outcome. The above is reflected in the attached doveconf generated file.
I added the below config "log_debug=category=auth" but didn't see anything in dovecot logs so I enabled SQL query logging (MariaDB) and can verify that a telnet session is logged during authentication but not Outlook. The obvious question seems to be "how does Outlook access IMAP without authenticating"??? Clearly, there is something I'm missing. Re: windows 11 Outlook: It is verified with ngrep that Outlook is accessing the dovecot host directly. There are no other mail clients that access this mail host and no other client has access as the firewall is filtered on the public IP address of the client. I also see traffic on outbound email with no sign of authentication in SQL.
Now if there was a way to enable unencrypted IMAP it would solve the problem for me.
David
On 4/23/26 9:18 AM, Aki Tuomi via dovecot wrote:
Outlook is bit picky about logging in. do you have auth_mechanisms = PLAIN LOGIN set? Also these days they come from some redmond proxy, if this is the new outlook from windows 11.
You can also do
log_debug=category=auth
to see if outlook even tries to log in.
Aki
On 23/04/2026 18:58 EEST David Koski via dovecot <dovecot@dovecot.org> wrote:
Well, not so fast. It only captures the localhost telnet session, not the remote Outlook IMAP access. It is completely silent on that. Now what? David
On 4/23/26 8:37 AM, David Koski via dovecot wrote:
Excellent. That did it, thanks! David
On 4/22/26 10:40 PM, Aki Tuomi via dovecot wrote:
Use post-login rawlogs.
rawlog_dir = %{home}/rawlogs
then make the rawlogs directory with mode 0777, and when you want to stop rawlogging, either remove the directory, or make it unwritable to dovecot mail process.
Aki
On 23/04/2026 02:51 EEST David Koski via dovecot <dovecot@dovecot.org> wrote:
Hello,
I am able to get Pre-login Rawlog to log to /var/run/dovecot/login/rawlogs as per:
https://doc.dovecot.org/2.4.3/core/admin/rawlog.html
But this only works with a telnet session locally. Outlook does nothing. I can see the encrypted traffic in ngrep, however. Nothing is logged to the rawlog using Outlook, only with telnet.
Also, it logs no IMAP commands after login. Note that this telnet session is local so it allows plain text. The section "rawlog Binary" says rawlog_dir is preferred??? Not sure how it will allow me to log IMAP commands other than pre-login. But I gave it a shot and got no output to %{home}/rawlog in spite of creating the directory. No error seen in any dovecot log with debugging enabled. No indication of a problem with journalctl. I tried to remove the "-R" from "exectuable = imap-login -R rawlogs" with no discernible change in outcome. I see this option document nowhere and it seems superfluous.
Also note that in the "Pre-login Rawlog" section it says: "SSL/TLS sessions are currently not decrypted to rawlogs". It seems ambiguous as it implies no logging is decrypted.
All I really want to do is see the IMAP commands when accessing dovecot from a host not on the local network to troubleshoot Outlook interactions with dovecot. I have no option for having Outlook on the same network as dovecot with this deployment. ngrep would be great if only dovecot would allow unencrypted IMAP.
Regards, David Koski dkoski@sutinen.com
David Koski dkoski@sutinen.com
On 4/21/26 1:10 AM, David via dovecot wrote:
Hello, I don't know about actually fully disabling SSL requirements but I do know that dovecot supports logging everything in an IMAP session if that would also help. [1]https://doc.dovecot.org/2.4.3/core/admin/rawlog.html [2]https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir
Best, David On 2026-04-21, 01:44 David Koski via dovecot <dovecot@[3]dovecot.org> wrote:
Hello,
In spite of:
ssl = no auth_allow_cleartext = yes
..in a telnet session, I get:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=CRAM-MD5] Dovecot (Debian) ready. a1 login ln@[4]zample.com <super-secret> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
I need to see the network traffic to troubleshoot the way Outlook 2019 handles IMAP folders.
Regards, David Koski dkoski@[5]sutinen.com
_______________________________________________ dovecot mailing list -- dovecot@[6]dovecot.org To unsubscribe send an email to dovecot-leave@[7]dovecot.org
References
Visible links 1. https://doc.dovecot.org/2.4.3/core/admin/rawlog.html 2. https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir 3. http://dovecot.org/ 4. http://zample.com/ 5. http://sutinen.com/ 6. http://dovecot.org/ 7. http://dovecot.org/
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org