[Dovecot] Encrypted IMAP only from Internet, unencrypted POP3 from internal network
Hi,
We have the following situation: I migrated our company mailserver from POP3 only to Dovecot with IMAP and POP. We need to have unencrypted POP3 from our internal network, and the subnet our mailserver is in.
Additionally, we now want to allow encrypted IMAP from the internet (for some defined accounts), preferably with TLS (which means I open Port 143 in our firewall).
Now, how can I achieve that they can't use unencrypted plaintext authentication from Internet, while I allow unencrypted POP3 from the mailserver and private network? (I can require using encryption for IMAP from our internal net, but I must have unencrypted POP3 as we use software that retrieves mail via POP3 that doesn't support encryption).
My idea was:
- use disable_plaintext_auth for IMAP only
- use disable_plaintext_auth for internet, but not our networks
- allow connection from the internet only for certain accounts, and limit them to use encryption
Internet access for POP3 is not necessary.
Is any of this possible with dovecot? Or another way to achieve my goal? Non-plaintext authentication is not possible, as we use linux system accounts with shadow passwords.
TIA Rainer Frey
-- Software Development
Inxmail GmbH
On Mon, 2006-05-08 at 02:51, Rainer Frey wrote:
Additionally, we now want to allow encrypted IMAP from the internet (for some defined accounts), preferably with TLS (which means I open Port 143 in our firewall).
Keep in mind that you can't keep the users from sending plain text passwords. All you can do on the server side is make it not work when they do - but that doesn't mean they'll stop doing it. You might be better off using imaps on port 993. Also, I've found encrypted pop to be handy for some devices that don't do imap (like my sprint treo phone).
-- Les Mikesell lesmikesell@gmail.com
On Monday 08 May 2006 15:02, Les Mikesell wrote:
On Mon, 2006-05-08 at 02:51, Rainer Frey wrote:
Additionally, we now want to allow encrypted IMAP from the internet (for some defined accounts), preferably with TLS (which means I open Port 143 in our firewall).
Keep in mind that you can't keep the users from sending plain text passwords. All you can do on the server side is make it not work when they do - but that doesn't mean they'll stop doing it. You might be better off using imaps on port 993.
Phew - good point. I just checked with a test installation and KMail and Thunderbird. KMail and Thunderbird 1.0.8 both ask for CAPABILITY, Dovecot sends (among others) LOGINDISABLED, and both send a login command with cleartext password nonetheless. Thunderbird 1.5 does not try this, it sends logout after it retrieves the LOGINDISABLED capability.
Well, I guess I'll open Port 993 only then.
Rainer
Software Development
Inxmail GmbH Kaiser-Joseph-Str. 274, 79098 Freiburg, Germany
On Mon, 2006-05-08 at 16:34 +0200, Rainer Frey wrote:
Phew - good point. I just checked with a test installation and KMail and Thunderbird. KMail and Thunderbird 1.0.8 both ask for CAPABILITY, Dovecot sends (among others) LOGINDISABLED, and both send a login command with cleartext password nonetheless.
Reporting it as a kmail bug could be a good idea..
Thunderbird 1.5 does not try this, it sends logout after it retrieves the LOGINDISABLED capability.
But then again Thunderbird 1.5 can't understand that after STARTTLS the LOGINDISABLED capability isn't there anymore..
On Monday 08 May 2006 16:50, Timo Sirainen wrote:
On Mon, 2006-05-08 at 16:34 +0200, Rainer Frey wrote:
Phew - good point. I just checked with a test installation and KMail and Thunderbird. KMail and Thunderbird 1.0.8 both ask for CAPABILITY, Dovecot sends (among others) LOGINDISABLED, and both send a login command with cleartext password nonetheless.
Reporting it as a kmail bug could be a good idea..
I'll do that.
Thunderbird 1.5 does not try this, it sends logout after it retrieves the LOGINDISABLED capability.
But then again Thunderbird 1.5 can't understand that after STARTTLS the LOGINDISABLED capability isn't there anymore..
Argh!!! I didn't try that.
Rainer
Software Development
Inxmail GmbH Kaiser-Joseph-Str. 274, 79098 Freiburg, Germany
On Monday 08 May 2006 17:17, Rainer Frey wrote:
On Monday 08 May 2006 16:50, Timo Sirainen wrote:
On Mon, 2006-05-08 at 16:34 +0200, Rainer Frey wrote:
Phew - good point. I just checked with a test installation and KMail and Thunderbird. KMail and Thunderbird 1.0.8 both ask for CAPABILITY, Dovecot sends (among others) LOGINDISABLED, and both send a login command with cleartext password nonetheless.
Reporting it as a kmail bug could be a good idea..
I'll do that.
I've filed the following bug report against kio/imap (which is where it belongs rather than Kmail):
http://bugs.kde.org/show_bug.cgi?id=126975
-- Magnus Holmgren holmgren@lysator.liu.se
On Monday 08 May 2006 19:13, Magnus Holmgren wrote: [...]
Reporting it as a kmail bug could be a good idea..
I'll do that.
I've filed the following bug report against kio/imap (which is where it belongs rather than Kmail):
Thanks. Rainer
Software Development
Inxmail GmbH Kaiser-Joseph-Str. 274, 79098 Freiburg, Germany
Timo Sirainen wrote:
On Mon, 2006-05-08 at 16:34 +0200, Rainer Frey wrote:
Phew - good point. I just checked with a test installation and KMail and Thunderbird. KMail and Thunderbird 1.0.8 both ask for CAPABILITY, Dovecot sends (among others) LOGINDISABLED, and both send a login command with cleartext password nonetheless.
Reporting it as a kmail bug could be a good idea..
Thunderbird 1.5 does not try this, it sends logout after it retrieves the LOGINDISABLED capability.
But then again Thunderbird 1.5 can't understand that after STARTTLS the LOGINDISABLED capability isn't there anymore..
That issue will be fixed with Thunderbird 1.5.0.4, see bugreport https://bugzilla.mozilla.org/show_bug.cgi?id=312009.
- Jef Driesen, 2006-05-09 08:53:
Timo Sirainen wrote:
On Mon, 2006-05-08 at 16:34 +0200, Rainer Frey wrote:
Thunderbird 1.5 does not try this, it sends logout after it retrieves the LOGINDISABLED capability.
But then again Thunderbird 1.5 can't understand that after STARTTLS the LOGINDISABLED capability isn't there anymore..
That issue will be fixed with Thunderbird 1.5.0.4, see bugreport https://bugzilla.mozilla.org/show_bug.cgi?id=312009.
Finally - about time, too! :-)
=-------------------------------------------------------------------------=
- Thomas "ZlatkO" Zajic zlatko@gmx.at Linux-2.6.16 & Thunderbird-1.5 -
"It is not easy to cut through a human head with a hacksaw." (M. C.) -
On Mon, 2006-05-08 at 09:51 +0200, Rainer Frey wrote:
My idea was:
- use disable_plaintext_auth for IMAP only
- use disable_plaintext_auth for internet, but not our networks
- allow connection from the internet only for certain accounts, and limit them to use encryption
Internet access for POP3 is not necessary.
Well, Dovecot can't give different settings based on where the connection comes from (although this is planned for v2.0). For now the best you could do is:
protocol imap {
  disable_plaintext_auth = yes
}
protocol pop3 {
  disable_plaintext_auth = no
}
At least I think that works.
On Monday 08 May 2006 15:29, Timo Sirainen wrote:
On Mon, 2006-05-08 at 09:51 +0200, Rainer Frey wrote:
Well, Dovecot can't give different settings based on where the connection comes from (although this is planned for v2.0). For now the best you could do is:
protocol imap {
  disable_plaintext_auth = yes
}
protocol pop3 {
  disable_plaintext_auth = no
}
At least I think that works.
Thanks, I'll try that. If it doesn't work, I can still revert to Les' suggestion.
Rainer
-- Software Development Inxmail GmbH
On Monday, 8 May 2006 15:36, Rainer Frey wrote:
On Monday 08 May 2006 15:29, Timo Sirainen wrote:
On Mon, 2006-05-08 at 09:51 +0200, Rainer Frey wrote:
Well, Dovecot can't give different settings based on where the connection comes from (although this is planned for v2.0). For now the best you could do is:
protocol imap {
  disable_plaintext_auth = yes
}
protocol pop3 {
  disable_plaintext_auth = no
}
At least I think that works.
Thanks, I'll try that. If it doesn't work, I can still revert to Les' suggestion.
And, if that doesn't work, you can always play a little bit with your firewall rules. Not the best way to go, but really easy: enable pop3 and imaps in dovecot, then limit the access to the related ports in the firewall.
Aaaaaaaaaaagur.
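Added example, not part of the original thread and not Dovecot code: a small Python audit of an IMAP session transcript that flags a LOGIN sent in cleartext even though the server advertised LOGINDISABLED (the client behaviour discussed above), and discards the advertised capabilities once STARTTLS succeeds. The `C:`/`S:` transcript format, the function names and both sample sessions are constructed for illustration.

```python
import re

CAPS_RE = re.compile(r"^\* CAPABILITY (.*)$|\[CAPABILITY ([^\]]*)\]", re.I)

# Constructed sample sessions (not captured traffic).
IGNORES_LOGINDISABLED = """
S: * OK ready
C: a1 CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED
S: a1 OK done
C: a2 LOGIN alice constructed-password
S: a2 NO plaintext authentication disabled
"""
STARTTLS_FIRST = """
S: * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready
C: b1 STARTTLS
S: b1 OK begin TLS
C: b2 CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=PLAIN
S: b2 OK done
C: b3 LOGIN alice constructed-password
S: b3 OK logged in
"""

def parse_caps(server_line):
    """Capabilities from '* CAPABILITY ...' or a '[CAPABILITY ...]' code, else None."""
    m = CAPS_RE.search(server_line)
    return {c.upper() for c in (m.group(1) or m.group(2) or "").split()} if m else None

def audit(transcript):
    """Return (line_no, finding) for every LOGIN sent before TLS was established."""
    caps, tls, starttls_tag, findings = set(), False, None, []
    for n, raw in enumerate(transcript.strip().splitlines(), 1):
        side, _, text = raw.strip().partition(": ")
        words = text.split()
        if side == "S":
            new = parse_caps(text)
            if new is not None:
                caps = new
            if starttls_tag and words[:1] == [starttls_tag]:
                if [w.upper() for w in words[1:2]] == ["OK"]:
                    tls, caps = True, set()  # pre-TLS capabilities are stale now
                starttls_tag = None
        elif side == "C" and len(words) >= 2:
            if words[1].upper() == "STARTTLS":
                starttls_tag = words[0]
            elif words[1].upper() == "LOGIN" and not tls:
                ignored = "LOGINDISABLED" in caps
                findings.append((n, "ignored-LOGINDISABLED" if ignored else "cleartext-login"))
    return findings
```

Either finding means the password crossed the network unencrypted, whatever the server answered, so the affected account's password should be treated as exposed.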
participants (8): Jef Driesen, Joseba Torre, Les Mikesell, Magnus Holmgren, Rainer Frey, Rainer Frey, Thomas Zajic, Timo Sirainen