[Dovecot] Plaintext Authentication from Localhost
Hi:
It appears that at least at one time, Dovecot supported plaintext authentication from localhost, even if disable_plaintext_auth = yes. To wit, the example configuration file reads:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
# IPv6 ::1 addresses are considered secure, this setting has no effect if
# you connect from those addresses.
#disable_plaintext_auth = yes
On brief inspection of the code, there doesn't seem to be any such support. This is corroborated by the fact that 0.99.10 (Debian package) behaves by disallowing plaintext authentication via connections on localhost.
This is a particularly useful feature, as local webmail clients can safely authenticate via the local interface without requiring secure authentication.
So, the question is, is Dovecot supposed to support plaintext auth via localhost even if disallowed in dovecot.conf? If so, any suggestions as to what I may be doing wrong?
Yours truly,
Paul C. Bryan email@pbryan.net
On Tue, 2003-10-07 at 11:08, Paul C. Bryan wrote:
Hi:
It appears that at least at one time, Dovecot supported plaintext authentication from localhost, even if disable_plaintext_auth = yes. To wit, the example configuration file reads:
Ah, but you're looking at the CVS version's config file :) I'm copying it to the web page from CVS automatically. Maybe not that good an idea, but easy to keep up to date.
So, the question is, is Dovecot supposed to support plaintext auth via localhost even if disallowed in dovecot.conf? If so, any suggestions as to what I may be doing wrong?
I only added that code a few weeks ago.
On October 7, 2003, I noted that the following was not actually implemented in the released version of Dovecot:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
# IPv6 ::1 addresses are considered secure, this setting has no effect if
# you connect from those addresses.
#disable_plaintext_auth = yes
I was specifically referencing the nice feature that 127.* are considered secure, and therefore not subject to the disable_plaintext_auth restriction. This is nice, as local services like webmail servers would not require SSL to securely authenticate with the IMAP server.
Timo responded that it was only added a few weeks ago, and it was only in the CVS version of Dovecot at that time.
I've noticed that the feature still hadn't made it into any release version, but is still present in the CVS version. I'm just curious if there is any possibility of it getting into a release version prior to 1.0?
Paul
On 26.8.2004, at 08:18, Paul C. Bryan wrote:
I was specifically referencing the nice feature that 127.* are considered secure, and therefore not subject to the disable_plaintext_auth restriction. This is nice, as local services like webmail servers would not require SSL to securely authenticate with the IMAP server.
Timo responded that it was only added a few weeks ago, and it was only in the CVS version of Dovecot at that time.
I've noticed that the feature still hadn't made it into any release version, but is still present in the CVS version. I'm just curious if there is any possibility of it getting into a release version prior to 1.0?
I guess I could add it to the next 0.99 release. I guess I should release it soon.
I noticed that...
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
# IPv6 ::1 addresses are considered secure, this setting has no effect if
# you connect from those addresses.
#disable_plaintext_auth = yes
...was added to the latest release. Thanks Timo! This takes the localhost-SSL burden off. :)
Paul
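Added example (not part of the thread and not Dovecot's source): a C sketch of the decision the quoted config comment describes, where plaintext authentication is refused only when disable_plaintext_auth is on, the session is not under SSL/TLS, and the peer is outside 127.*.*.* and ::1. The function names are hypothetical, and refusing the IPv4-mapped form ::ffff:127.0.0.1 is this sketch's fail-closed choice, not a statement about Dovecot's behaviour.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: true if the textual peer address is IPv4 127.0.0.0/8
   or IPv6 ::1, the two ranges named in the config comment. */
static bool remote_is_loopback(const char *ip)
{
    struct in_addr v4;
    struct in6_addr v6;

    if (inet_pton(AF_INET, ip, &v4) == 1)
        return (ntohl(v4.s_addr) >> 24) == 127;   /* whole 127/8, not just 127.0.0.1 */
    if (inet_pton(AF_INET6, ip, &v6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&v6);         /* ::1 only; mapped v4 is not matched */
    return false;                                 /* unparsable input is never "secure" */
}

/* Hypothetical decision function: may this session use a plaintext mechanism? */
bool plaintext_auth_allowed(bool disable_plaintext_auth, bool tls_active,
                            const char *remote_ip)
{
    if (!disable_plaintext_auth || tls_active)
        return true;                  /* restriction off, or channel already encrypted */
    return remote_is_loopback(remote_ip);
}

int main(void)
{
    /* Constructed sample peers; setting enabled, no TLS on the session. */
    const char *peers[] = { "127.0.0.1", "127.8.9.10", "::1",
                            "192.0.2.7", "::ffff:127.0.0.1" };

    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-18s %s\n", peers[i],
               plaintext_auth_allowed(true, false, peers[i]) ? "allow" : "refuse");
    return 0;
}
```

The exemption keys on the address the IMAP server sees, so a local proxy or tunnel that relays remote clients presents them as 127.* peers and they fall under it as well.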
participants (2)
- Paul C. Bryan
- Timo Sirainen