On 03/19/2012 07:37 PM, Jeff Simmons wrote:
> On Monday, March 19, 2012 04:16:46 pm you wrote:
>> On 3/19/2012 4:04 PM, Jeff Simmons wrote:
>>> I'm working with a company that presently has a Linux mailserver which all users have (no shell) accounts on. Mail is accessed via pop3 with plaintext authentication. They want to move to a system using imap with SSL. I'm building them a new server. I'd like to offer both for a while so we can work the bugs out and migrate users over to SSL imap over time. It appears that in order to limit the imap connections to SSL I will need to run two separate instances of Dovecot. Is this correct?
>>
>> I only have SSL or TLS connections enabled and I only have one copy of Dovecot running.
>
> Let me rephrase that. I want to run plaintext authentication pop3 and ssl/tls only authentication imap. The 'allow plaintext authentication' configuration directive appears to be global, meaning I will need to run two instances of dovecot for a while. Is that correct, or can this be done on a single instance of dovecot?

Turns out you can also use the disable_plaintext_auth = yes directive under protocol imap {}, but as noted by others previously, this is related specifically to plaintext authentication methods, and is not the same as requiring SSL/TLS for the entire session. If my understanding is correct, disable_plaintext_auth means your clients can authenticate with non-plaintext, e.g. with CRAM-MD5, and proceed with an unsecured session.
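
The distinction drawn in the reply above can be checked from the client side by looking at what an IMAP server advertises before TLS is negotiated. The following is an added example, not part of the original thread and not Dovecot code: the function names are hypothetical and the three banners are constructed samples in RFC 3501 CAPABILITY syntax, not captures from a real server.

```python
import re

# SASL mechanisms that put the password itself on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capabilities(line):
    """Return the capability atoms from an IMAP greeting or CAPABILITY response."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", line, re.IGNORECASE)
    if not m:
        raise ValueError("no CAPABILITY data in line: %r" % line)
    return [atom.upper() for atom in m.group(1).split()]

def audit_cleartext_banner(line):
    """Assess what a client is offered on a connection that has not started TLS."""
    caps = parse_capabilities(line)
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
    # RFC 3501: the LOGIN command is available unless LOGINDISABLED is advertised.
    login_cmd = "LOGINDISABLED" not in caps
    plaintext = sorted(mechs & PLAINTEXT_MECHS) + (["LOGIN-command"] if login_cmd else [])
    other = sorted(mechs - PLAINTEXT_MECHS)
    return {
        "starttls_offered": "STARTTLS" in caps,
        "plaintext_auth": plaintext,
        "non_plaintext_auth": other,
        # Any authentication path offered before TLS lets the whole session,
        # including message bodies, continue unencrypted.
        "session_can_stay_cleartext": bool(plaintext or other),
    }

# Constructed sample banners (assumptions for illustration).
OPEN = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] ready"
NO_PLAINTEXT = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5] ready"
TLS_FIRST = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

if __name__ == "__main__":
    for name, banner in [("open", OPEN), ("no-plaintext", NO_PLAINTEXT), ("tls-first", TLS_FIRST)]:
        print(name, audit_cleartext_banner(banner))
```

The advertised capabilities are only what the server offers; whether it actually refuses authentication on a non-TLS connection still has to be confirmed against the server's own settings.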