Required SSL with exceptions
I have a Dovecot cluster which is on separate machines from my webmail/caldav/carddav cluster, and I currently have the system set up with ssl = required. Unfortunately the caldav/carddav server I am running doesn't support STARTTLS, so I was wondering if there is a way to still enforce ssl for every connection with the exception of a certain subnet, or if there is a better way to accomplish this without installing a local copy of Dovecot on each of my caldav/carddav servers.
On 08.12.2014 at 19:41, List wrote:
> I have a Dovecot cluster which is on separate machines from my webmail/caldav/carddav cluster, and I currently have the system set up with ssl = required. Unfortunately the caldav/carddav server I am running doesn't support STARTTLS, so I was wondering if there is a way to still enforce ssl for every connection with the exception of a certain subnet, or if there is a better way to accomplish this without installing a local copy of Dovecot on each of my caldav/carddav servers.
perhaps this helps
http://wiki2.dovecot.org/SSL/DovecotConfiguration?highlight=%28trusted%29
There are a couple of different ways to specify when SSL/TLS is required:
disable_plaintext_auth=yes allows plaintext authentication only when SSL/TLS is used first.
ssl = required requires SSL/TLS also for non-plaintext authentication.
If you have only plaintext mechanisms enabled (auth { mechanisms = plain login } ), you can use either (or both) of the above settings. They behave exactly the same way then.
Note that plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they're assumed to be secure anyway. This applies to all connections where the local and the remote IP addresses are equal. Also IP ranges specified by login_trusted_networks setting are assumed to be secure.
Best Regards, Robert Schetterer
-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Munich District Court (Amtsgericht München): HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
On 12/8/14, 1:45 PM, Robert Schetterer wrote:
> On 08.12.2014 at 19:41, List wrote:
>> I have a Dovecot cluster which is on separate machines from my webmail/caldav/carddav cluster, and I currently have the system set up with ssl = required. [...]
> perhaps this helps
> http://wiki2.dovecot.org/SSL/DovecotConfiguration?highlight=%28trusted%29
> There are a couple of different ways to specify when SSL/TLS is required:
> disable_plaintext_auth=yes allows plaintext authentication only when SSL/TLS is used first.
> ssl = required requires SSL/TLS also for non-plaintext authentication.
> If you have only plaintext mechanisms enabled (auth { mechanisms = plain login } ), you can use either (or both) of the above settings. They behave exactly the same way then.
> Note that plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they're assumed to be secure anyway. This applies to all connections where the local and the remote IP addresses are equal. Also IP ranges specified by login_trusted_networks setting are assumed to be secure.
Essentially we would like to host IMAP with SSL enforced for any connections coming from anywhere except the subnet where our other mail servers reside. The idea is to not install a local instance of dovecot on the webmail/carddav/caldav servers to reduce the number of instances that need to be managed. Is it possible to have two imap listeners, where ssl is enforced on one port, and not on another?
Hi,
At Mon, 08 Dec 2014 16:01:43 -0600, List wrote:
> Essentially we would like to host IMAP with SSL enforced for any connections coming from anywhere except the subnet where our other mail servers reside. The idea is to not install a local instance of dovecot on the webmail/carddav/caldav servers to reduce the number of instances that need to be managed. Is it possible to have two imap listeners, where ssl is enforced on one port, and not on another?
Use the login_trusted_networks parameter.
-- 
-- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
-- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA
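To make the rule from the quoted wiki text concrete, here is a small Python model of how a Dovecot 2.2-era login process decides whether a connection counts as "secured" (TLS active, peer in login_trusted_networks, or local and remote IP equal) and which authentication it therefore offers. This is an added illustration written for this page, not Dovecot's source code; the embedded dovecot.conf fragment is constructed, and the 10.20.30.0/24 subnet and the host 192.0.2.10 are made-up stand-ins for the webmail/caldav/carddav segment. It follows the documented behaviour the thread cites; check `doveconf login_trusted_networks` on a real server to confirm what is actually loaded.

```python
"""Toy model of Dovecot's "secured connection" rule as described on the
wiki page quoted above (TLS, login_trusted_networks, or local == remote IP).
Added example for this page, not Dovecot source; follows the 2.2-era docs."""
import ipaddress

# Constructed dovecot.conf fragment.  10.20.30.0/24 is a made-up stand-in
# for the webmail/caldav/carddav subnet; 192.0.2.10 is a made-up single host.
DOVECOT_CONF = """
ssl = required
disable_plaintext_auth = yes
# peers allowed to authenticate without STARTTLS
login_trusted_networks = 10.20.30.0/24 192.0.2.10
"""


def parse_settings(text):
    """Return {setting: value} from 'key = value' lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def trusted_networks(settings):
    """login_trusted_networks is a space-separated list of IPs or CIDR ranges."""
    return [ipaddress.ip_network(item, strict=False)
            for item in settings.get("login_trusted_networks", "").split()]


def is_trusted(remote_ip, settings):
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in trusted_networks(settings))


def is_secured(local_ip, remote_ip, tls, settings):
    """Secured if TLS is active, the peer is in login_trusted_networks,
    or the local and remote addresses are equal (the localhost rule)."""
    if tls or is_trusted(remote_ip, settings):
        return True
    return ipaddress.ip_address(local_ip) == ipaddress.ip_address(remote_ip)


def auth_policy(local_ip, remote_ip, tls, settings):
    """What the login process would offer this connection:
    'any'           - plaintext (PLAIN/LOGIN) and non-plaintext mechanisms
    'non-plaintext' - only mechanisms such as CRAM-MD5 (disable_plaintext_auth)
    'refused'       - no authentication at all (ssl = required and not secured)
    """
    secured = is_secured(local_ip, remote_ip, tls, settings)
    if settings.get("ssl") == "required" and not secured:
        return "refused"
    # Dovecot's default for disable_plaintext_auth is yes.
    if settings.get("disable_plaintext_auth", "yes") == "yes" and not secured:
        return "non-plaintext"
    return "any"


if __name__ == "__main__":
    cfg = parse_settings(DOVECOT_CONF)
    for local, remote, tls in [
        ("203.0.113.5", "10.20.30.7", False),    # caldav host, no STARTTLS
        ("203.0.113.5", "198.51.100.9", False),  # Internet client, no STARTTLS
        ("203.0.113.5", "198.51.100.9", True),   # Internet client over TLS
        ("203.0.113.5", "203.0.113.5", False),   # local == remote
    ]:
        print(f"{remote:>14} tls={tls!s:5} -> {auth_policy(local, remote, tls, cfg)}")
```

Two things worth keeping in mind when applying this. The exemption is keyed purely on the peer's source address, so anything that can present an address in that range (another host on the segment, a NAT gateway in front of it, or a spoofed packet where anti-spoofing filtering is absent) inherits it, and the caldav server's credentials then cross that segment in cleartext; list the individual hosts rather than the whole subnet where you can. Dovecot also documents login_trusted_networks primarily for proxies, whose peers may pass along a different originating IP, so only hosts you would trust to that extent belong in it.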
On 12/9/14, 12:50 AM, SATOH Fumiyasu wrote:
> Hi,
> At Mon, 08 Dec 2014 16:01:43 -0600, List wrote:
>> Essentially we would like to host IMAP with SSL enforced for any connections coming from anywhere except the subnet where our other mail servers reside. [...]
> Use the login_trusted_networks parameter.
Excellent, that's exactly what I was looking for. Thank you!
participants (3): List, Robert Schetterer, SATOH Fumiyasu