[Dovecot] Requiring STARTTLS only on some networks
Hello Timo,
is there a way, either in 1.2.x or in 2.x to activate
disable_plaintext_auth=yes
only for some address or network ?
The idea would be to enable clients from the internal networks to keep making clear text connections while forbidding it to the rest of the world.
Thanks.
--
Thomas Hummel | Institut Pasteur
hummel@pasteur.fr | Pôle informatique - systèmes et réseau
On 05/07/2010 02:00 PM Thomas Hummel wrote:
> Hello Timo,
> is there a way, either in 1.2.x or in 2.x to activate
> disable_plaintext_auth=yes
> only for some address or network ?
> The idea would be to enable clients from the internal networks to keep making clear text connections while forbidding it to the rest of the world.
> Thanks.
By default "disable_plaintext_auth = yes" is set, in all Dovecot versions. With Dovecot v2.0 you can put something like the following in your dovecot.conf:
remote 192.168.111.0/24 {
  disable_plaintext_auth = no
}
remote fdfd:ffff:dddd::0/48 {
  disable_plaintext_auth = no
}
Testing the settings:

~ # doveconf disable_plaintext_auth
disable_plaintext_auth = yes
~ # doveconf -f rip=192.168.0.1 disable_plaintext_auth
disable_plaintext_auth = yes
~ # doveconf -f rip=fdfd:ffff:dddd::abcd disable_plaintext_auth
disable_plaintext_auth = no
~ # doveconf -f rip=192.168.111.234 disable_plaintext_auth
disable_plaintext_auth = no
The dovecot.conf for v2.0 contains also:

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
Regards, Pascal
The trapper recommends today: 5e1f1e55.1012716@localdomain.org
On Fri, May 7, 2010 at 10:26, Pascal Volk <user+dovecot@localhost.localdomain.org> wrote:
> By default "disable_plaintext_auth = yes" is set, in all Dovecot versions. With Dovecot v2.0 you can put something like the following in your dovecot.conf:
>
> remote 192.168.111.0/24 {
>   disable_plaintext_auth = no
> }
> remote fdfd:ffff:dddd::0/48 {
>   disable_plaintext_auth = no
> }
Do these "remote sections" need to be in a specific place in the config file, or can they just be put where the (global) disable_plaintext_auth is located?
Do you know if the remote address gets passed from Postfix on to Dovecot through the authentication connection (when Dovecot is doing the authentication for Postfix mail submission) so that these same remote rules apply?
On 05/07/2010 04:35 PM Phil Howard wrote:
> Do these "remote sections" need to be in a specific place in the config file, or can they just be put where the (global) disable_plaintext_auth is located?

The latter one, where the global disable_plaintext_auth is located.

> Do you know if the remote address gets passed from Postfix on to Dovecot through the authentication connection (when Dovecot is doing the authentication for Postfix mail submission) so that these same remote rules apply?

Hm, doesn't look so, as if Postfix would forward this info (remote host) to Dovecot. Even when I connect from a 'disable_plaintext_auth = no network' to Postfix (2.6.5), Postfix offers:

250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5
But the SSL/TLS state should be forwarded from Postfix to Dovecot: http://www.mail-archive.com/postfix-users@postfix.org/msg10590.html
Regards, Pascal
The trapper recommends today: 5e1f1e55.1012716@localdomain.org
On Fri, May 7, 2010 at 11:07, Pascal Volk <user+dovecot@localhost.localdomain.org> wrote:

> On 05/07/2010 04:35 PM Phil Howard wrote:
>> Do you know if the remote address gets passed from Postfix on to Dovecot through the authentication connection (when Dovecot is doing the authentication for Postfix mail submission) so that these same remote rules apply?
>
> Hm, doesn't look so, as if Postfix would forward this info (remote host) to Dovecot. Even when I connect from a 'disable_plaintext_auth = no network' to Postfix (2.6.5), Postfix offers:
>
> 250-STARTTLS
> 250-AUTH DIGEST-MD5 CRAM-MD5
>
> But the SSL/TLS state should be forwarded from Postfix to Dovecot: http://www.mail-archive.com/postfix-users@postfix.org/msg10590.html
Then I guess I will need to still run a separate always-SSL/TLS submission port (e.g. 587). I can easily restrict which ports can be reached by which address ranges on the firewall. But I can't (on the firewall) force use of STARTTLS (which http://wiki.dovecot.org/SSL seems to be encouraging the use of).
At least with IMAP and POP I can just use the one port (each ... 143 and 110) and force STARTTLS on untrusted addresses.
On Fri, May 07, 2010 at 04:26:47PM +0200, Pascal Volk wrote:
> With Dovecot v2.0 you can put something like the following in your dovecot.conf:
>
> remote 192.168.111.0/24 {
>   disable_plaintext_auth = no
> }
> remote fdfd:ffff:dddd::0/48 {
>   disable_plaintext_auth = no
> }
Thanks. I have to look further in what is allowed to go into those sections. But in the case of disabling/enabling STARTTLS, this is indeed what I need.
--
Thomas Hummel | Institut Pasteur
hummel@pasteur.fr | Pôle informatique - systèmes et réseau
On 05/07/2010 04:36 PM Thomas Hummel wrote:
> On Fri, May 07, 2010 at 04:26:47PM +0200, Pascal Volk wrote:
>> remote 192.168.111.0/24 {
>>   disable_plaintext_auth = no
>> }
>> remote fdfd:ffff:dddd::0/48 {
>>   disable_plaintext_auth = no
>> }
>
> Thanks. I have to look further in what is allowed to go into those sections. But in the case of disabling/enabling STARTTLS, this is indeed what I need.

remote 192.168.111.0/24 {
  disable_plaintext_auth = no
  ssl = no
}

~ # doveconf -f rip=192.168.111.234 ssl
ssl = no
~ # doveconf ssl
ssl = yes
Regards, Pascal
The trapper recommends today: 5e1f1e55.1012716@localdomain.org
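As an added example (not code from this thread or from Dovecot itself): a small Python model of how the remote sections shown above resolve for a given client address, so a draft dovecot.conf can be checked offline for the same questions Pascal answered with `doveconf -f rip=...`: which clients may still authenticate in plaintext, and for which the ssl setting is overridden. The sample config is constructed from the snippets in this thread, written one setting per line; the function names (parse_conf, effective_setting, audit) are this example's own, and the "most specific matching remote block wins" rule is an assumption for overlapping networks, which the thread does not cover.

```python
import ipaddress
import re

# Constructed sample config, assembled from the snippets posted in the thread
# (not copied from a real server). Blocks are written one setting per line.
SAMPLE_CONF = """
disable_plaintext_auth = yes
ssl = yes
remote 192.168.111.0/24 {
  disable_plaintext_auth = no
  ssl = no
}
remote fdfd:ffff:dddd::0/48 {
  disable_plaintext_auth = no
}
"""


def parse_conf(text):
    """Return (global_settings, [(network, settings), ...]).

    Only the two forms used in the thread are handled: flat 'key = value'
    lines and 'remote <cidr> { ... }' blocks. Comments after '#' are dropped.
    """
    global_settings = {}
    remotes = []
    current = None  # (network, settings) while inside a remote block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"remote\s+(\S+)\s*\{$", line)
        if m:
            current = (ipaddress.ip_network(m.group(1), strict=False), {})
            continue
        if line == "}":
            remotes.append(current)
            current = None
            continue
        key, _, value = line.partition("=")
        target = current[1] if current is not None else global_settings
        target[key.strip()] = value.strip()
    return global_settings, remotes


def effective_setting(conf, rip, key):
    """Mimic `doveconf -f rip=<addr> <key>` for the parsed config.

    A remote block applies only if the client address is inside its network
    and the block actually sets the key; otherwise the global value is used.
    Assumption (not shown in the thread): with overlapping networks, the
    block with the longest prefix wins.
    """
    global_settings, remotes = conf
    addr = ipaddress.ip_address(rip)
    matches = [(net, settings) for net, settings in remotes
               if net.version == addr.version and addr in net and key in settings]
    if matches:
        _, settings = max(matches, key=lambda m: m[0].prefixlen)
        return settings[key]
    return global_settings.get(key)


def plaintext_auth_allowed(conf, rip):
    """True when a client at `rip` may authenticate without STARTTLS."""
    return effective_setting(conf, rip, "disable_plaintext_auth") == "no"


def audit(conf, clients):
    """Map each client IP to its effective (disable_plaintext_auth, ssl) pair,
    the pre-deployment check an admin would otherwise run one IP at a time."""
    return {ip: (effective_setting(conf, ip, "disable_plaintext_auth"),
                 effective_setting(conf, ip, "ssl")) for ip in clients}


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    # 203.0.113.7 is a documentation-range address standing in for "the rest of the world".
    clients = ["192.168.0.1", "192.168.111.234", "fdfd:ffff:dddd::abcd", "203.0.113.7"]
    for ip, (dpa, ssl) in audit(conf, clients).items():
        print(f"{ip:>22}  disable_plaintext_auth={dpa}  ssl={ssl}")
```

The IPv6 block sets only disable_plaintext_auth, so for fdfd:ffff:dddd::abcd the ssl value falls back to the global `ssl = yes`, which matches the behaviour Pascal's last doveconf run shows for the IPv4 block that does set `ssl = no`. Note that 192.168.0.1 is outside 192.168.111.0/24 and therefore keeps the global `disable_plaintext_auth = yes`, just as in his first test.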