IMAP with Dovecot: Kerberos/GSSAPI in LAN only
Hi,
I'm setting up a new IMAPS server using Dovecot 2.4 at the moment. I'd like my network internal users to authenticate using GSSAPI. The server is also exposed to the Internet for smart phone email access. I want to offer PLAIN login only for external users as they can't be legitimate internal Kerberos users. (Just as an additional layer of security.)
Would this approach work?
service imap-login {
  inet_listener imaps_external {
    port = 1993
    ssl = yes
    auth_mechanisms = plain login
  }
  inet_listener imaps_internal {
    port = 7993
    ssl = yes
    auth_mechanisms = plain login gssapi
  }
}
Then I'd allow only port 1993 externally and keep port 7993 for the LAN.
Thank you for your advice! Reg
On 19/01/2026 05:51 EET r.barclay--- via dovecot <dovecot@dovecot.org> wrote:
Hi,
That unfortunately will not work. You will probably get the best results by having a backend and two proxies, one for external and one for internal users.
Aki
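Whichever layout is chosen in the end (per-listener settings, or Aki's backend-plus-two-proxies), the thing worth verifying afterwards is what each listener actually advertises, because a mechanism that is offered is usable regardless of what the config was meant to say. The following is an added example, not code from the Dovecot project or from anyone in this thread: it parses the untagged IMAP CAPABILITY response (the AUTH=<mech> atoms defined by RFC 3501/9051) and compares the offered SASL mechanisms against the set intended for each listener. The host names, ports, policy and the two sample responses are constructed assumptions for illustration; the sample for the external listener deliberately shows the failure mode the thread is about, namely GSSAPI still being advertised there.

```python
"""Audit the SASL mechanisms advertised by IMAP listeners.

Added example (not Dovecot's own code). It works offline on constructed
CAPABILITY lines; probe() fetches a live listener's capabilities when you
want to run the same check against a real server.
"""
import imaplib
import ssl
from typing import Dict, Set

# Intended mechanism sets per listener (assumption, mirrors the question above).
POLICY: Dict[str, Set[str]] = {
    "external": {"PLAIN", "LOGIN"},
    "internal": {"PLAIN", "LOGIN", "GSSAPI"},
}

# Constructed CAPABILITY responses, as the server would send them before
# login. The external one shows GSSAPI leaking through, i.e. a per-listener
# setting that did not take effect.
SAMPLE_RESPONSES: Dict[str, str] = {
    "external": "* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI",
    "internal": "* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI",
}


def parse_capabilities(line: str) -> Set[str]:
    """Return the upper-cased capability atoms from an untagged CAPABILITY line.

    Accepts the raw wire line ("* CAPABILITY ...") or just the atom list, as
    imaplib exposes it.
    """
    tokens = line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def sasl_mechanisms(caps: Set[str]) -> Set[str]:
    """Extract mechanism names from AUTH=<mech> atoms (e.g. {"PLAIN", "GSSAPI"})."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def check_listener(caps: Set[str], allowed: Set[str]) -> Dict[str, Set[str]]:
    """Compare what a listener offers with what it is supposed to offer.

    'unexpected' is the security-relevant part: mechanisms reachable on this
    listener that policy says should not be. 'missing' catches the opposite
    misconfiguration (e.g. GSSAPI absent on the LAN listener).
    """
    offered = sasl_mechanisms(caps)
    return {"unexpected": offered - allowed, "missing": allowed - offered}


def audit(responses: Dict[str, str], policy: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Run check_listener() over every listener in the policy."""
    return {
        name: check_listener(parse_capabilities(responses[name]), allowed)
        for name, allowed in policy.items()
    }


def probe(host: str, port: int) -> Set[str]:
    """Fetch the pre-login capabilities of a live IMAPS listener (needs network).

    imaplib parses the greeting/CAPABILITY response itself and exposes the
    upper-cased atoms in .capabilities.
    """
    ctx = ssl.create_default_context()
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as conn:
        return {c.upper() for c in conn.capabilities}


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in probe("mail.example.org", 1993)
    # etc. (hypothetical host) to audit a real deployment.
    for name, report in audit(SAMPLE_RESPONSES, POLICY).items():
        print(f"{name}: unexpected={sorted(report['unexpected'])} "
              f"missing={sorted(report['missing'])}")
```

Run it against both ports from outside and inside the network; if the external listener reports anything under "unexpected", the mechanism split has not taken effect on the wire, whatever the config file says.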
Hello,
And what is the problem with allowing GSSAPI externally? Since the users do not have a Kerberos ticket, they will use PLAIN auth if you allow both, won't they?
Marek
Sent with Proton Mail secure email.
On Monday, 19 January 2026, 4:53, r.barclay--- via dovecot <dovecot@dovecot.org> wrote:
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
participants (3)
- Aki Tuomi
- Marek Greško
- r.barclay@habmalnefrage.de