On 19/01/2026 05:51 EET r.barclay--- via dovecot <dovecot@dovecot.org> wrote:
Hi,
I'm setting up a new IMAPS server using Dovecot 2.4 at the moment. I'd like my network internal users to authenticate using GSSAPI. The server is also exposed to the Internet for smart phone email access. I want to offer PLAIN login only for external users as they can't be legitimate internal Kerberos users. (Just as an additional layer of security.)
Would this approach work?
service imap-login { inet_listener imaps_external { port = 1993 ssl = yes auth_mechanisms = plain login } inet_listener imaps_internal { port = 7993 ssl = yes auth_mechanisms = plain login gssapi } }
Then I'd allow only port 1993 externally and keep port 7993 for the LAN.
Thank you for your advice! Reg
Hi,
that unfortunately will not work. You probably get best results by having a backend and two proxies, one for external and one for internal users.
Aki