On 21/02/2026 17:39, Steve Litt via dovecot wrote:
Hi all, ...
For the time being, I don't need to access my Dovecot IMAP from any computer except my DDD, and therefore, I can serve Dovecot IMAP on 127.0.0.1.
So here's my question. Assuming (and I know this is a big assumption) I'm not worried about somebody gaining physical possession of my DDD, is there any reason not to use plain text to access this server?
Thanks,
SteveT
Steve Litt http://444domains.com
Hi Steve
I am assuming that by "use plain text" you mean that you will use an unencrypted connection over 127.0.0.1 port 143 rather than you're intending to authenticate by plain text.
In general I do encrypt connections over localhost where possible, but it's just to be on the safe side. Having said that I think I have some things which are not encrypted, like the communication between amavis and postfix, so I have accepted whatever risk there is in having unencrypted connections in some cases.
If your DDD is connected to the network as I understood, then the risk is that someone will gain unauthorized access to it and will be able to access traffic over the loopback interface, even if the level of access they gained wasn't sufficient to access the email files. Of course if this potential attacker gained sufficient access, they could just read the files without having to sniff loopback traffic.
I suppose it boils down to how sure you are that your DDD is protected from unauthorized access and that encrypting the loopback traffic does mitigate something but does not help in all cases of unauthorized access.
Having said that I have seen cases of unauthorized access from the internet to what was supposed to be a PC exposed only on the internal network. This happened due to an IPv6 address which was not properly firewalled and was therefore visible externally. However, in the case I saw, the PC was totally compromised and encrypting loopback traffic would not have mitigated anything.
John