Re: [Dovecot] Using plaintext auth and SSL
On Monday, March 19, 2012 04:16:46 pm you wrote:
On 3/19/2012 4:04 PM, Jeff Simmons wrote:
I'm working with a company that presently has a Linux mailserver which all users have (no shell) accounts on. Mail is accessed via pop3 with plaintext authentication. They want to move to a system using imap with SSL. I'm building them a new server. I'd like to offer both for a while so we can work the bugs out and migrate users over to SSL imap over time. It appears that in order to limit the imap connections to SSL I will need to run two separate instances of Dovecot. Is this correct?
I only have SSL or TLS connections enabled and I only have one copy of Dovecot running.
Let me rephrase that. I want to run plaintext authentication pop3 and ssl/tls only authentication imap. The 'allow plaintext authentication' configuration directive appears to be global, meaning I will need to run two instances of dovecot for a while. Is that correct, or can this be done on a single instance of dovecot?
-- Jeff Simmons jsimmons@goblin.punk.net Simmons Consulting - Network Engineering, Administration, Security "You guys, I don't hear any noise. Are you sure you're doing it right?" -- My Life With The Thrill Kill Kult
On 3/19/2012 4:37 PM, Jeff Simmons wrote:
On Monday, March 19, 2012 04:16:46 pm you wrote:
On 3/19/2012 4:04 PM, Jeff Simmons wrote:
I'm working with a company that presently has a Linux mailserver which all users have (no shell) accounts on. Mail is accessed via pop3 with plaintext authentication. They want to move to a system using imap with SSL. I'm building them a new server. I'd like to offer both for a while so we can work the bugs out and migrate users over to SSL imap over time. It appears that in order to limit the imap connections to SSL I will need to run two separate instances of Dovecot. Is this correct?
I only have SSL or TLS connections enabled and I only have one copy of Dovecot running.
Let me rephrase that. I want to run plaintext authentication pop3 and ssl/tls only authentication imap. The 'allow plaintext authentication' configuration directive appears to be global, meaning I will need to run two instances of dovecot for a while. Is that correct, or can this be done on a single instance of dovecot?
I'm pretty sure if you set disable_plaintext_auth = no, you can log in to the appropriate ports with SSL or without.
Sorry I sent the first reply to you, wasn't paying attention.
--
Knute Johnson
On 20/03/2012 01:37, Jeff Simmons wrote:
On Monday, March 19, 2012 04:16:46 pm you wrote:
On 3/19/2012 4:04 PM, Jeff Simmons wrote:
I'm working with a company that presently has a Linux mailserver which all users have (no shell) accounts on. Mail is accessed via pop3 with plaintext authentication. They want to move to a system using imap with SSL. I'm building them a new server. I'd like to offer both for a while so we can work the bugs out and migrate users over to SSL imap over time. It appears that in order to limit the imap connections to SSL I will need to run two separate instances of Dovecot. Is this correct?
I only have SSL or TLS connections enabled and I only have one copy of Dovecot running.
Let me rephrase that. I want to run plaintext authentication pop3 and ssl/tls only authentication imap. The 'allow plaintext authentication' configuration directive appears to be global, meaning I will need to run two instances of dovecot for a while. Is that correct, or can this be done on a single instance of dovecot?
There is no connection between the plaintext auth and the SSL/TLS layer. You can just change the imap service section of the 10-master.conf file to no imap at all and use only the imaps listener, with a port of your choosing such as 143 or 993, and you will have only imap over SSL.
Regards, Eliezer
-- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for Nonprofit organizations elilezer <at> ngtech.co.il
On 20/03/2012 02:16, Eliezer Croitoru wrote:
On 20/03/2012 01:37, Jeff Simmons wrote:
On Monday, March 19, 2012 04:16:46 pm you wrote:
On 3/19/2012 4:04 PM, Jeff Simmons wrote:
I'm working with a company that presently has a Linux mailserver which all users have (no shell) accounts on. Mail is accessed via pop3 with plaintext authentication. They want to move to a system using imap with SSL. I'm building them a new server. I'd like to offer both for a while so we can work the bugs out and migrate users over to SSL imap over time. It appears that in order to limit the imap connections to SSL I will need to run two separate instances of Dovecot. Is this correct?
I only have SSL or TLS connections enabled and I only have one copy of Dovecot running.
Let me rephrase that. I want to run plaintext authentication pop3 and ssl/tls only authentication imap. The 'allow plaintext authentication' configuration directive appears to be global, meaning I will need to run two instances of dovecot for a while. Is that correct, or can this be done on a single instance of dovecot?
There is no connection between the plaintext auth and the SSL/TLS layer. You can just change the imap service section of the 10-master.conf file to no imap at all and use only the imaps listener, with a port of your choosing such as 143 or 993, and you will have only imap over SSL.
One mistake: change the imap service to port 0, and port 143 with the regular imap service will be disabled.
Regards, Eliezer
-- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for Nonprofit organizations elilezer <at> ngtech.co.il
On 20.03.2012 01:16, Eliezer Croitoru wrote:
On 20/03/2012 01:37, Jeff Simmons wrote:
On Monday, March 19, 2012 04:16:46 pm you wrote:
On 3/19/2012 4:04 PM, Jeff Simmons wrote:
I'm working with a company that presently has a Linux mailserver which all users have (no shell) accounts on. Mail is accessed via pop3 with plaintext authentication. They want to move to a system using imap with SSL. I'm building them a new server. I'd like to offer both for a while so we can work the bugs out and migrate users over to SSL imap over time. It appears that in order to limit the imap connections to SSL I will need to run two separate instances of Dovecot. Is this correct?
I only have SSL or TLS connections enabled and I only have one copy of Dovecot running.
Let me rephrase that. I want to run plaintext authentication pop3 and ssl/tls only authentication imap. The 'allow plaintext authentication' configuration directive appears to be global, meaning I will need to run two instances of dovecot for a while. Is that correct, or can this be done on a single instance of dovecot?
There is no connection between the plaintext auth and the SSL/TLS layer. You can just change the imap service section of the 10-master.conf file to no imap at all and use only the imaps listener, with a port of your choosing such as 143 or 993, and you will have only imap over SSL.
Because it is going to drive me insane if I don't ask: Is there really no way to achieve this with a modern (aka. STARTTLS based) IMAP setup?
On 03/19/2012 07:37 PM, Jeff Simmons wrote:
On Monday, March 19, 2012 04:16:46 pm you wrote:
On 3/19/2012 4:04 PM, Jeff Simmons wrote:
I'm working with a company that presently has a Linux mailserver which all users have (no shell) accounts on. Mail is accessed via pop3 with plaintext authentication. They want to move to a system using imap with SSL. I'm building them a new server. I'd like to offer both for a while so we can work the bugs out and migrate users over to SSL imap over time. It appears that in order to limit the imap connections to SSL I will need to run two separate instances of Dovecot. Is this correct?
I only have SSL or TLS connections enabled and I only have one copy of Dovecot running.
Let me rephrase that. I want to run plaintext authentication pop3 and ssl/tls only authentication imap. The 'allow plaintext authentication' configuration directive appears to be global, meaning I will need to run two instances of dovecot for a while. Is that correct, or can this be done on a single instance of dovecot?
This is all you have to do:
protocol imap { ssl=required }
See: http://wiki2.dovecot.org/SSL
Globally, you can leave disable_plaintext_auth = no, and leave protocol pop3 {} alone.
Your clients will be able to log in to pop3 with any authentication mechanism you have enabled, and imap will be accessible only with SSL/TLS, either over port 143 with STARTTLS or over port 993 with implicit SSL.
I actually took the trouble to verify this on my local server before posting, and it turns out the wiki didn't lie.
On 03/19/2012 07:37 PM, Jeff Simmons wrote:
On Monday, March 19, 2012 04:16:46 pm you wrote:
On 3/19/2012 4:04 PM, Jeff Simmons wrote:
I'm working with a company that presently has a Linux mailserver which all users have (no shell) accounts on. Mail is accessed via pop3 with plaintext authentication. They want to move to a system using imap with SSL. I'm building them a new server. I'd like to offer both for a while so we can work the bugs out and migrate users over to SSL imap over time. It appears that in order to limit the imap connections to SSL I will need to run two separate instances of Dovecot. Is this correct?
I only have SSL or TLS connections enabled and I only have one copy of Dovecot running.
Let me rephrase that. I want to run plaintext authentication pop3 and ssl/tls only authentication imap. The 'allow plaintext authentication' configuration directive appears to be global, meaning I will need to run two instances of dovecot for a while. Is that correct, or can this be done on a single instance of dovecot?
Turns out you can also use the disable_plaintext_auth = yes directive under protocol imap {}, but as noted by others previously, this is related specifically to plaintext authentication methods, and is not the same as requiring SSL/TLS for the entire session. If my understanding is correct, disable_plaintext_auth means your clients can authenticate with non-plaintext e.g. with CRAM-MD5 and proceed with an unsecured session.
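As an added check (an example script, not code from this thread or from Dovecot itself): with protocol imap { ssl=required } in place, the greeting on the unencrypted port 143 should advertise STARTTLS and LOGINDISABLED with no AUTH= mechanisms at all, whereas the disable_plaintext_auth = yes variant described above still advertises non-plaintext mechanisms such as AUTH=CRAM-MD5 while refusing PLAIN and LOGIN. The script classifies a captured greeting/CAPABILITY line into those cases, so the two directives can be told apart after a reload; the sample lines and the host name in the comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify what an IMAP server offers on its
# unencrypted port, before STARTTLS, from the greeting/CAPABILITY line, so the
# configurations discussed in the thread can be told apart:
#
#   ssl = required                -> STARTTLS + LOGINDISABLED, no AUTH= at all
#   disable_plaintext_auth = yes  -> LOGINDISABLED, only non-plaintext AUTH= mechs
#   neither                       -> AUTH=PLAIN / AUTH=LOGIN offered in the clear
#
# A real line can be captured with something like (host name is a placeholder):
#   printf 'a CAPABILITY\r\na LOGOUT\r\n' | nc -w 3 mail.example.com 143
# The sample lines at the bottom are constructed for this example.

classify_imap_caps() {
    caps=$1
    logindisabled=0
    starttls=0
    plain_mech=0
    other_mech=0

    case $caps in *LOGINDISABLED*) logindisabled=1 ;; esac
    case $caps in *STARTTLS*) starttls=1 ;; esac
    case $caps in *AUTH=PLAIN*|*AUTH=LOGIN*) plain_mech=1 ;; esac
    # Any AUTH= mechanism left after removing the two plaintext ones (PLAIN and
    # LOGIN) is a challenge-response mechanism such as CRAM-MD5.
    rest=$(printf '%s\n' "$caps" | sed 's/AUTH=PLAIN//g; s/AUTH=LOGIN//g')
    case $rest in *AUTH=*) other_mech=1 ;; esac

    if [ "$plain_mech" -eq 1 ]; then
        # Plaintext credentials are accepted before TLS.
        echo plaintext-allowed
    elif [ "$logindisabled" -eq 1 ] && [ "$other_mech" -eq 0 ]; then
        if [ "$starttls" -eq 1 ]; then
            # Nothing can authenticate until STARTTLS succeeds: ssl = required.
            echo tls-required
        else
            # LOGINDISABLED, no STARTTLS and no mechanisms: nobody can log in
            # on this port at all, which usually means a misconfiguration.
            echo no-login-possible
        fi
    elif [ "$logindisabled" -eq 1 ] && [ "$other_mech" -eq 1 ]; then
        # Plaintext mechanisms refused, challenge-response ones allowed, so the
        # session itself may stay unencrypted: disable_plaintext_auth = yes.
        echo plaintext-auth-disabled
    else
        echo unknown
    fi
}

# Constructed sample greetings for the three cases plus the misconfiguration.
CAPS_SSL_REQUIRED='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.'
CAPS_NO_PLAINTEXT='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=CRAM-MD5] Dovecot ready.'
CAPS_PLAIN_OK='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.'
CAPS_LOCKED_OUT='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED] Dovecot ready.'

for c in "$CAPS_SSL_REQUIRED" "$CAPS_NO_PLAINTEXT" "$CAPS_PLAIN_OK" "$CAPS_LOCKED_OUT"; do
    printf '%-24s %s\n' "$(classify_imap_caps "$c")" "$c"
done
```

Run it against the greeting captured from your own server on port 143: "tls-required" is what Gedalya's configuration should produce, and "plaintext-allowed" on port 110 is the expected result for the untouched pop3 service during the migration.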
Participants (5):
- Eliezer Croitoru
- Florian Zeitz
- Gedalya
- Jeff Simmons
- Knute Johnson