[Dovecot] Dovecot not obeying disable_plaintext_auth = yes and how to force/disable encryption
I'm using Dovecot 2.1.15. I need to require encryption and only secure auth on public addresses, but allow plaintext auth over an unencrypted connection on localhost.
I have so far (excerpts from doveconf -a
):
auth_mechanisms = cram-md5 plain disable_plaintext_auth = yes listen = service imap-login { inet_listener imap-local { address = ::1 port = 143 ssl = no } inet_listener imap-pub { address = 2001:db8::1 port = 993 ssl = yes } } service managesieve-login { inet_listener sieve-local { address = ::1 port = 4190 ssl = no } inet_listener sieve-pub { address = 2001:db8::1 port = 4190 ssl = no } }
The ssl option only seems to switch the inet_listener between using a secure socket and using STARTTLS. How do I tell a given inet_listener to do neither? How do I tell a given inet_listener to require STARTTLS before allowing AUTH/SASL?
I would prefer to offer only CRAM-MD5 on the UGA/public ports, and only PLAIN or at least also PLAIN on localhost. I tried adding auth_mechanisms lines to each inet_listener block, but got parse errors. How do I do this?
Dovecot seems to ignore disable_plaintext_auth = yes:
# telnet 2001:db8::1 4190 Trying 2001:db8::1... Connected to host.example.com. Escape character is '^]'. "IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave" "NOTIFY" "mailto" "SASL" "CRAM-MD5 PLAIN" "STARTTLS" "VERSION" "1.0" OK "Dovecot ready."
-- Please reply on list.
I figured this out. I was testing Dovecot from the machine running Dovecot. I didn't know that when the client address is a local address (even if it's a public one), that Dovecot treats the connection as if it was localhost. I also did not know that Dovecot automatically ignores ssl = required and disable_plaintext_auth = yes for localhost connections. As this renders pretty much my entire email moot, we can call this one solved. :)
-- Please reply on list.
participants (1)
-
Darren Pilgrim