Interesting that your security organization is worried about TLS renegotiation but does not mind people logging in without TLS... =)
You have
disable_plaintext_auth = no
which allows plaintext auth over non-TLS connection. See https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
"ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the client, but the client isn’t required to use it. The client is allowed to login with plaintext authentication even when SSL/TLS isn’t enabled on the connection. This is insecure, because the plaintext password is exposed to the internet."
Anyways, back to the TLS renegotiation...
There is no config option in dovecot explicitly to disable this, and unfortunately openssl 1.0.2 does not seem to support a system-wide config file to disable renegotiation in the ssl_conf section. With OpenSSL 1.1.1 you can actually edit /etc/pki/tls/openssl.cnf and disable renegotiation, without having to run everything on TLSv1.3.
For users with 1.1 you can use the following to disable renegotiation in your distribution-specific system-wide openssl.cnf:
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = NoRenegotiation
Aki
On 14/05/2022 11:13 Greg Earle earle@isolar.dyndns.org wrote:
On 13 May 2022, at 19:38, Elisamuel Resto sam@samresto.dev wrote:
I believe this to be a configuration error, not a dovecot problem.
The output of dovecot -n (as an attachment; look it over for any data you do not want publicized) would help to suggest changes to bring you back into compliance.

Elisamuel,
I'm not really sure why you think it's a configuration error, but I'll attach the "dovecot -n" output.
Thanks,
- Greg
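Added example, not code from the thread, Dovecot or OpenSSL: a small Python checker for the two points Aki raises above, the ssl=yes / disable_plaintext_auth=no combination in `dovecot -n` output and the NoRenegotiation chain in a system-wide openssl.cnf. It assumes the top-level `openssl_conf = default_conf` directive that points OpenSSL at the sections Aki lists, and both inputs are constructed inline.

```python
import re
# Constructed sample of `dovecot -n` output (not the attachment from the thread).
DOVECOT_N = """\
# 2.3.16: /etc/dovecot/dovecot.conf
disable_plaintext_auth = no
ssl = yes
protocol imap {
  mail_max_userip_connections = 20
}
"""
# Constructed openssl.cnf fragment; `openssl_conf = default_conf` (assumed) wires in Aki's sections.
OPENSSL_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = NoRenegotiation
"""

def parse_kv_sections(text):
    """INI-style text -> {section: {key: value}}; keys before any [section] land in ""."""
    sections, current, depth = {"": {}}, "", 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (dovecot -n header too)
        if not line:
            continue
        if line.endswith("{") or line == "}":    # dovecot -n blocks: skip nested settings
            depth += 1 if line.endswith("{") else -1
        elif m := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            current = m.group(1)
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def plaintext_auth_exposed(dovecot_n_text):
    """True for ssl=yes + disable_plaintext_auth=no; Dovecot defaults (yes/yes) apply if absent."""
    s = parse_kv_sections(dovecot_n_text)[""]
    return s.get("ssl", "yes") == "yes" and s.get("disable_plaintext_auth", "yes") == "no"

def renegotiation_disabled(openssl_cnf_text):
    """Follow openssl_conf -> ssl_conf -> system_default -> Options for NoRenegotiation."""
    sec = parse_kv_sections(openssl_cnf_text)
    app = sec[""].get("openssl_conf", "")
    ssl_sect = sec.get(app, {}).get("ssl_conf", "")
    sysdef = sec.get(ssl_sect, {}).get("system_default", "")
    options = sec.get(sysdef, {}).get("Options", "")
    return "NoRenegotiation" in [o.strip() for o in options.split(",")]
```

Run against a real `dovecot -n` dump and /etc/pki/tls/openssl.cnf; `ssl = required` or `disable_plaintext_auth = yes` clears the first check, and a missing or broken section chain fails the second.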