On 23.04.2014 10:38, Benjamin Podszun wrote:
On Tuesday, April 22, 2014 3:31:47 PM CEST, Urban Loesch wrote:
Hi,
Is there a way to set "disable_plaintext_auth" to different values for different Password Databases? Is there another way to do it?
Why do you not force SSL for all users?
I have no idea how this could be made with different databases. I have only built a solution for all users stored in mysql.
I'm able to force SSL for imap and pop3 on a per user basis with e.g.:
... password_query = SELECT password FROM users WHERE userid = '%u' AND allow_login = 'y' AND ( force_ssl = 'y' OR '%c' = 'secured');
Wait a second. I might be totally off here, but the way I read that query you accept plaintext credentials, unsecured, and then check the DB. After which you might say "You're not allowed to log in".
Yes, that is correct and I knew that when I configured the setup. But I can't manipulate the clients.
If that is correct every user might send their credentials over unsecured connections?
Yes, that is a disadvantage. As I just said, I can't change that.
In my opinion this doesn't help. Clients cannot know in advance that they shouldn't try to login.
I guess I'd either
- drop the requirement (best option, hit the users that don't support TLS or offer them help to upgrade/fix their setup)
Can you help me to upgrade/fix 40k users, who have no idea how to change the settings of a mail client? Send me your phone number and I will redirect all requests of that to you :-)
You will see very quickly that it's not practicable to force all users to use SSL at the same time. With this setup I can bring users step by step to use SSL.
- live with the possibility that the system users are potentially disclosing their credentials.
I have no system users.
Take a step back: A random client connects to dovecot. It hasn't logged in yet. How would you change the capabilities to reflect 'login without starttls is allowed or not', depending on a username that you cannot know at this point?
I know all usernames as I activate them. So I can control which user must use SSL and which not. I also for example can control which user is forced to use port 587 for sending their email and which not.
My take, ignoring the "There shouldn't be a need for that" quip, is that this is next to impossible. And not worth the challenge.
Ben
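The point Ben raises above (the per-user force_ssl check in password_query only runs after the client has already sent its password over the unencrypted connection) is something an operator of that setup would want to measure rather than guess at. The following is an added example, not code from the thread or from the Dovecot project: it parses login/auth-failure lines in the general shape Dovecot's imap-login and pop3-login services write (the exact field layout is an assumption, and the sample lines are constructed) and counts, per user flagged as force_ssl, how many times a cleartext auth mechanism was used on a non-TLS connection. Failed attempts are counted too, because with the query from the thread the credential has already crossed the wire by the time the passdb rejects the login.

```python
import re
from collections import Counter

# Constructed sample log lines in the general shape of Dovecot imap-login /
# pop3-login messages (an assumption about the format, not taken from the thread).
# alice logs in over TLS; bob and carol are force_ssl users whose clients still
# try cleartext auth without TLS (rejected by the passdb, but the password was
# already sent); carol also fails once over TLS (wrong password); dave is a
# user the operator has not yet forced onto SSL.
SAMPLE_LOG = """\
Apr 23 10:38:01 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=1234, TLS, session=<a1>
Apr 23 10:38:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, session=<b1>
Apr 23 10:38:09 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, session=<c1>
Apr 23 10:38:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<carol>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, TLS, session=<c2>
Apr 23 10:38:20 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, session=<b2>
Apr 23 10:38:25 mx dovecot: imap-login: Login: user=<dave>, method=LOGIN, rip=192.0.2.13, lip=198.51.100.5, mpid=1237, session=<d1>
"""

# SASL mechanisms that transmit the password itself (as opposed to a hash/challenge).
CLEARTEXT_METHODS = {"PLAIN", "LOGIN"}

LOGIN_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[^,]+)"
)
TLS_RE = re.compile(r", TLS(,|$)")


def parse_login_events(text):
    """Turn matching log lines into dicts; lines that are not login/auth-failure events are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        events.append({
            "service": m.group("svc"),
            "user": m.group("user"),
            "method": m.group("method"),
            "rip": m.group("rip"),
            "success": m.group("outcome") == "Login",
            "tls": TLS_RE.search(line) is not None,
        })
    return events


def plaintext_exposures(events, force_ssl_users):
    """Count, per force_ssl user, cleartext-mechanism auth attempts made without TLS.

    Both successful and failed attempts count: the passdb's force_ssl check only
    runs after the client has already transmitted the password in the clear.
    """
    counts = Counter()
    for e in events:
        if (e["method"] in CLEARTEXT_METHODS
                and not e["tls"]
                and e["user"] in force_ssl_users):
            counts[e["user"]] += 1
    return dict(counts)


def non_tls_cleartext_users(events):
    """All users (forced or not) seen sending a cleartext mechanism without TLS,
    useful for deciding who still needs to be migrated before flipping force_ssl."""
    return sorted({e["user"] for e in events
                   if e["method"] in CLEARTEXT_METHODS and not e["tls"]})


if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG)
    print("exposures of force_ssl users:", plaintext_exposures(evs, {"bob", "carol"}))
    print("users still doing cleartext auth without TLS:", non_tls_cleartext_users(evs))
```

Run against real logs, the first function tells you how often the "deny after the fact" query actually let a password out in the clear, and the second gives the list of accounts to contact before forcing SSL for them, which is the step-by-step migration described in the thread.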