Aki Tuomi said on Fri, 6 Mar 2026 19:07:38 +0200 (EET)
On 06/03/2026 18:52 EET Steve Litt via dovecot <dovecot@dovecot.org> wrote:
Aki Tuomi via dovecot said on Fri, 6 Mar 2026 11:58:56 +0200 (EET)
On 06/03/2026 01:04 EET Steve Litt via dovecot <dovecot@dovecot.org> wrote:
Hi all,
https://doc.dovecot.org/2.4.2/core/summaries/settings.html , the auth_allow_cleartext section, says "If no, disables the LOGIN command and all other cleartext authentication unless SSL/TLS is used (LOGINDISABLED capability) or the connection is secured (see ssl).
See SSL configuration for more detailed explanation of how this setting interacts with the ssl setting.
This setting replaces the disable_plaintext_auth setting."
I put auth_allow_cleartext = no in my 2.4.2 dovecot.conf, but my Claws-Mail client can still access it, even though there are no key files. I tried putting this setting in several different places: Didn't prevent plain access. I tried switching from 127.0.0.1 to 10.0.2.15, same problem. The following is the output of my dovecot -n command:
Hi, auth_allow_cleartext=no is the default setting.
However, as https://doc.dovecot.org/2.4.2/core/config/ssl.html#secured-connections states, connections from login_trusted_networks or from the host listener itself (in your case 10.0.2.15) are considered trusted, so they are allowed to use plaintext login.
So basically set ssl=required
Thanks Aki,
I've seen no documentation indicating *where* ssl=required should go, and so had to experiment. If I go 2.3x style and put it within imaps:
listen = 10.0.2.15 auth_allow_cleartext = no
The IMAP service declarations
service imap { #Plain text listener at port 143 #inet_listener imap-login { #port = 0 #}
SSL IMAP (imaps) is port 993
inet_listener imaps { #port = 993 ssl = required } }
With the preceding config, the following error occurs:
[root@dovecotvoid dovecot]# dovecot -F doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 29: ssl: Invalid boolean value: required (use yes or no) [root@dovecotvoid dovecot]#
If I move the ssl=required right below auth_allow_cleartext = no, or right below service imap { , then with or without ssl=yes inside inet_listener imaps { , dovecot -F runs, but Dovecot's accessible without SSL.
Let me explain my goal and what I'm doing. My goal is to reject any plain text, non-SSL queries from anyone anywhere, full stop. Basically, what ssl=required inside inet_listener imaps gave us in 2.3x. I'm using a Qemu VM guest to test 2.4.2 config before upgrading my real machine. My immediate next step is to, before even dealing with SSL, to prevent plain text access, regardless of localhost or non-localhost, haproxy or non-haproxy, whatever. Once that's done, I'll begin enabling SSL. For security's sake, I need to *prove* that plain text access fails in all cases.
So, how do I prevent plain text access, full stop?
Thanks,
SteveT
Steve Litt
ssl = required
goes on top level, not inside anything.
If you put it inside inet_listener it's actually https://doc.dovecot.org/2.4.2/core/config/service.html#inet_listener_ssl, so totally different setting.
Aki
That explains it. Thanks Aki.
ssl = required at the top level does not prevent plain text access, however, as shown by both claws-mail and doveadm fetch. What more should I do to prevent all plain text access?
Thanks,
SteveT
Steve Litt