I just found the solution by coincidence.
It appears there is a configuration file named: /etc/dovecot/conf.d/10-ssl.conf
In that file the following line was active ssl = required That setting apparently overrides what disable_plaintext_auth has to say.
After commenting out the ssl=required entry everything works as expected :-)
Regards, Mikkel
Den 14/06/12 10.14, Mikkel skrev:
Hello
In my installation the disable_plaintext_auth does not appear to take effect. I can see that the value is correct using doveconf -a but it doesn't change anything.
Whenever attempting to log in using IMAP I get this:
- BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. ls NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
POP3 login attempts give this error: -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections
Besides adding disable_plaintext_auth=no to dovecot.conf I also tried adding it specifically to the imap section. I also tried to invoke it just for certain networks, like this:
remote 0.0.0.0 { disable_plaintext_auth = no }
But none of this takes any effect either. Adding the testing network as trusted networks is working fine removing the error. But I would rather not add the whole internet to the trusted network section just to allow plain text logins in imap.
I'm in the process of migrating form 1.1 to 2.1 so this configuration is for testing things out and is mainly based on the default configuration files comming with the centos installation. I should add that everything else in this setup is working fine.
I did many searches for information on this topic but nothing I could find apply to my case.
I'm sorry to post such a long conf but I'm not sure what parts I could have safely omitted. Here goes:
# doveconf -a # 2.1.1: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-220.17.1.el6.x86_64 x86_64 CentOS release 6.2 (Final) auth_anonymous_username = anonymous auth_cache_negative_ttl = 2 mins auth_cache_size = 0 auth_cache_ttl = 2 mins auth_debug = no auth_debug_passwords = no auth_default_realm = plain auth_failure_delay = 2 secs auth_first_valid_uid = 500 auth_gssapi_hostname = auth_krb5_keytab = auth_last_valid_uid = 0 auth_master_user_separator = auth_mechanisms = plain auth_realms = plain login digest-md5 cram-md5 apop ntlm auth_socket_path = auth-userdb auth_ssl_require_client_cert = no auth_ssl_username_from_cert = no auth_use_winbind = no auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ auth_username_format = %Lu auth_username_translation = auth_verbose = no auth_verbose_passwords = no auth_winbind_helper_path = /usr/bin/ntlm_auth auth_worker_max_count = 30 base_dir = /var/run/dovecot config_cache_size = 1 M debug_log_path = default_client_limit = 1000 default_idle_kill = 1 mins default_internal_user = dovecot default_login_user = dovenull default_process_limit = 100 default_vsz_limit = 256 M deliver_log_format = msgid=%m: %$ dict_db_config = director_doveadm_port = 0 director_mail_servers = director_servers = director_user_expire = 15 mins disable_plaintext_auth = no dotlock_use_excl = no doveadm_allowed_commands = doveadm_password = doveadm_proxy_port = 0 doveadm_socket_path = doveadm-server doveadm_worker_count = 0 dsync_alt_char = _ first_valid_gid = 1 first_valid_uid = 105 hostname = usrmta01.talkactive.net imap_capability = imap_client_workarounds = imap_id_log = imap_id_send = imap_idle_notify_interval = 2 mins imap_logout_format = in=%i out=%o imap_max_line_length = 64 k imapc_host = imapc_master_user = imapc_password = imapc_port = 143 imapc_rawlog_dir = imapc_ssl = no imapc_ssl_ca_dir = imapc_ssl_verify = yes imapc_user = %u import_environment = TZ info_log_path = /var/log/dovecot/dovecot.run instance_name = dovecot last_valid_gid = 0 last_valid_uid = 0 lda_mailbox_autocreate = no lda_mailbox_autosubscribe = no lda_original_recipient_header = libexec_dir = /usr/libexec/dovecot listen = *, :: lmtp_proxy = no lmtp_save_to_detail_mailbox = no lock_method = fcntl log_path = /var/log/dovecot/dovecot.err log_timestamp = "%b %d %H:%M:%S " login_access_sockets = login_greeting = Dovecot ready. login_log_format = %$: %s login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c login_trusted_networks = mail_access_groups = mail_attachment_dir = mail_attachment_fs = sis posix mail_attachment_hash = %{sha1} mail_attachment_min_size = 128 k mail_cache_fields = flags mail_cache_min_mail_count = 0 mail_chroot = mail_debug = no mail_fsync = always mail_full_filesystem_access = no mail_gid = mail_home = mail_location = mail_log_prefix = "%s(%u): " mail_max_keyword_length = 50 mail_max_lock_timeout = 0 mail_max_userip_connections = 10 mail_never_cache_fields = imap.envelope mail_nfs_index = yes mail_nfs_storage = yes mail_plugin_dir = /usr/lib64/dovecot mail_plugins = quota mail_prefetch_count = 0 mail_privileged_group = mail_save_crlf = no mail_temp_dir = /tmp mail_uid = mailbox_idle_check_interval = 30 secs mailbox_list_index = no maildir_broken_filename_sizes = no maildir_copy_with_hardlinks = yes maildir_stat_dirs = no maildir_very_dirty_syncs = no master_user_separator = mbox_dirty_syncs = yes mbox_dotlock_change_timeout = 2 mins mbox_lazy_writes = yes mbox_lock_timeout = 5 mins mbox_md5 = apop3d mbox_min_index_size = 0 mbox_read_locks = fcntl mbox_very_dirty_syncs = no mbox_write_locks = fcntl mdbox_preallocate_space = no mdbox_rotate_interval = 0 mdbox_rotate_size = 2 M mmap_disable = yes namespace inbox { hidden = no ignore_on_failure = no inbox = yes list = yes location = mailbox Drafts { auto = no special_use = \Drafts } mailbox Junk { auto = no special_use = \Junk } mailbox Sent { auto = no special_use = \Sent } mailbox "Sent Messages" { auto = no special_use = \Sent } mailbox Trash { auto = no special_use = \Trash } prefix = separator = subscriptions = yes type = private } passdb { args = /local/config/dovecot-sql.conf default_fields = deny = no driver = sql master = no override_fields = pass = no } plugin { quota = maildir quota_rule2 = Trash:storage=+10M:messages=+100 quota_warning = storage=80%% /local/scripts/quota-warning.sh 80 sieve_extensions = +imapflags +notify trash = /local/config/dovecot-trash.conf } pop3_client_workarounds = pop3_enable_last = no pop3_fast_size_lookups = no pop3_lock_session = no pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s pop3_no_flag_updates = no pop3_reuse_xuidl = no pop3_save_uidl = no pop3_uidl_format = %08Xu%08Xv pop3c_host = pop3c_password = pop3c_port = 110 pop3c_rawlog_dir = pop3c_ssl = no pop3c_ssl_ca_dir = pop3c_ssl_verify = yes pop3c_user = %u postmaster_address = protocols = imap pop3 lmtp quota_full_tempfail = no recipient_delimiter = + rejection_reason = Your message to <%t> was automatically rejected:%n%r rejection_subject = Rejected: %s sendmail_path = /usr/sbin/sendmail service anvil { chroot = empty client_limit = 0 drop_priv_before_exec = no executable = anvil extra_groups = group = idle_kill = 4294967295 secs privileged_group = process_limit = 1 process_min_avail = 1 protocol = service_count = 0 type = anvil unix_listener anvil-auth-penalty { group = mode = 0600 user = } unix_listener anvil { group = mode = 0600 user = } user = $default_internal_user vsz_limit = 18446744073709551615 B } service auth-worker { chroot = client_limit = 1 drop_priv_before_exec = no executable = auth -w extra_groups = group = idle_kill = 0 privileged_group = process_limit = 0 process_min_avail = 0 protocol = service_count = 1 type = unix_listener auth-worker { group = mode = 0600 user = $default_internal_user } user = $default_internal_user vsz_limit = 18446744073709551615 B } service auth { chroot = client_limit = 0 drop_priv_before_exec = no executable = auth extra_groups = group = idle_kill = 0 privileged_group = process_limit = 1 process_min_avail = 0 protocol = service_count = 0 type = unix_listener /var/spool/postfix/private/auth { group = mode = 0666 user = } unix_listener auth-client { group = mode = 0600 user = } unix_listener auth-login { group = mode = 0600 user = $default_internal_user } unix_listener auth-master { group = mode = 0600 user = } unix_listener auth-userdb { group = mode = 0666 user = } unix_listener login/login { group = mode = 0666 user = } user = $default_internal_user vsz_limit = 18446744073709551615 B } service config { chroot = client_limit = 0 drop_priv_before_exec = no executable = config extra_groups = group = idle_kill = 0 privileged_group = process_limit = 0 process_min_avail = 0 protocol = service_count = 0 type = config unix_listener config { group = mode = 0600 user = } user = vsz_limit = 18446744073709551615 B } service dict { chroot = client_limit = 1 drop_priv_before_exec = no executable = dict extra_groups = group = idle_kill = 0 privileged_group = process_limit = 0 process_min_avail = 0 protocol = service_count = 0 type = unix_listener dict { group = mode = 0600 user = } user = $default_internal_user vsz_limit = 18446744073709551615 B } service director { chroot = . client_limit = 0 drop_priv_before_exec = no executable = director extra_groups = fifo_listener login/proxy-notify { group = mode = 00 user = } group = idle_kill = 4294967295 secs inet_listener { address = port = 0 ssl = no } privileged_group = process_limit = 1 process_min_avail = 0 protocol = service_count = 0 type = unix_listener director-admin { group = mode = 0600 user = } unix_listener director-userdb { group = mode = 0600 user = } unix_listener login/director { group = mode = 00 user = } user = $default_internal_user vsz_limit = 18446744073709551615 B } service dns_client { chroot = client_limit = 1 drop_priv_before_exec = no executable = dns-client extra_groups = group = idle_kill = 0 privileged_group = process_limit = 0 process_min_avail = 0 protocol = service_count = 0 type = unix_listener dns-client { group = mode = 0666 user = } unix_listener login/dns-client { group = mode = 0666 user = } user = $default_internal_user vsz_limit = 18446744073709551615 B } service doveadm { chroot = client_limit = 1 drop_priv_before_exec = no executable = doveadm-server extra_groups = group = idle_kill = 0 privileged_group = process_limit = 0 process_min_avail = 0 protocol = service_count = 1 type = unix_listener doveadm-server { group = mode = 0600 user = } user = vsz_limit = 18446744073709551615 B } service imap-login { chroot = login client_limit = 0 drop_priv_before_exec = no executable = imap-login extra_groups = group = idle_kill = 0 inet_listener imap { address = port = 143 ssl = no } inet_listener imaps { address = port = 993 ssl = yes } privileged_group = process_limit = 0 process_min_avail = 0 protocol = imap service_count = 0 type = login user = $default_login_user vsz_limit = 256 M } service imap { chroot = client_limit = 1 drop_priv_before_exec = no executable = imap extra_groups = group = idle_kill = 0 privileged_group = process_limit = 1024 process_min_avail = 0 protocol = imap service_count = 1 type = unix_listener login/imap { group = mode = 0666 user = } user = vsz_limit = 256 M } service indexer-worker { chroot = client_limit = 1 drop_priv_before_exec = no executable = indexer-worker extra_groups = group = idle_kill = 0 privileged_group = process_limit = 10 process_min_avail = 0 protocol = service_count = 0 type = unix_listener indexer-worker { group = mode = 0600 user = $default_internal_user } user = vsz_limit = 18446744073709551615 B } service indexer { chroot = client_limit = 0 drop_priv_before_exec = no executable = indexer extra_groups = group = idle_kill = 0 privileged_group = process_limit = 1 process_min_avail = 0 protocol = service_count = 0 type = unix_listener indexer { group = mode = 0666 user = } user = $default_internal_user vsz_limit = 18446744073709551615 B } service ipc { chroot = empty client_limit = 0 drop_priv_before_exec = no executable = ipc extra_groups = group = idle_kill = 0 privileged_group = process_limit = 1 process_min_avail = 0 protocol = service_count = 0 type = unix_listener ipc { group = mode = 0600 user = } unix_listener login/ipc-proxy { group = mode = 0600 user = $default_login_user } user = $default_internal_user vsz_limit = 18446744073709551615 B } service lmtp { chroot = client_limit = 1 drop_priv_before_exec = no executable = lmtp extra_groups = group = idle_kill = 0 privileged_group = process_limit = 0 process_min_avail = 0 protocol = lmtp service_count = 0 type = unix_listener lmtp { group = mode = 0666 user = } user = vsz_limit = 18446744073709551615 B } service log { chroot = client_limit = 0 drop_priv_before_exec = no executable = log extra_groups = group = idle_kill = 4294967295 secs privileged_group = process_limit = 1 process_min_avail = 0 protocol = service_count = 0 type = log unix_listener log-errors { group = mode = 0600 user = } user = vsz_limit = 18446744073709551615 B } service pop3-login { chroot = login client_limit = 0 drop_priv_before_exec = no executable = pop3-login extra_groups = group = idle_kill = 0 inet_listener pop3 { address = port = 110 ssl = no } inet_listener pop3s { address = port = 995 ssl = yes } privileged_group = process_limit = 0 process_min_avail = 0 protocol = pop3 service_count = 1 type = login user = $default_login_user vsz_limit = 18446744073709551615 B } service pop3 { chroot = client_limit = 1 drop_priv_before_exec = no executable = pop3 extra_groups = group = idle_kill = 0 privileged_group = process_limit = 1024 process_min_avail = 0 protocol = pop3 service_count = 1 type = unix_listener login/pop3 { group = mode = 0666 user = } user = vsz_limit = 18446744073709551615 B } service ssl-params { chroot = client_limit = 0 drop_priv_before_exec = no executable = ssl-params extra_groups = group = idle_kill = 0 privileged_group = process_limit = 0 process_min_avail = 0 protocol = service_count = 0 type = startup unix_listener login/ssl-params { group = mode = 0666 user = } user = vsz_limit = 18446744073709551615 B } service stats { chroot = empty client_limit = 0 drop_priv_before_exec = no executable = stats extra_groups = fifo_listener stats-mail { group = mode = 0600 user = } group = idle_kill = 4294967295 secs privileged_group = process_limit = 1 process_min_avail = 0 protocol = service_count = 0 type = unix_listener stats { group = mode = 0600 user = } user = $default_internal_user vsz_limit = 18446744073709551615 B } shutdown_clients = yes ssl = required ssl_ca = ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_cert_username_field = commonName ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_client_cert = ssl_client_key = ssl_crypto_device = ssl_key = </etc/pki/dovecot/private/dovecot.pem ssl_key_password = ssl_parameters_regenerate = 1 weeks ssl_protocols = !SSLv2 ssl_verify_client_cert = no stats_command_min_time = 1 mins stats_domain_min_time = 12 hours stats_ip_min_time = 12 hours stats_memory_limit = 16 M stats_session_min_time = 15 mins stats_user_min_time = 1 hours submission_host = syslog_facility = mail userdb { args = default_fields = driver = prefetch override_fields = } userdb { args = /local/config/dovecot-sql.conf default_fields = driver = sql override_fields = } valid_chroot_dirs = verbose_proctitle = no verbose_ssl = no version_ignore = no protocol lda { mail_plugins = quota quota sieve trash } protocol imap { imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags imap_logout_format = bytes=%i/%o mail_plugins = quota quota imap_quota trash } protocol pop3 { mail_plugins = quota quota pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s pop3_uidl_format = %08Xu%08Xv }
Regards, Mikkel