Unable to get Dovecot 2.4 to allow unencrypted connection
Hello,
In spite of:
ssl = no auth_allow_cleartext = yes
..in a telnet session, I get:
- OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=CRAM-MD5] Dovecot (Debian) ready. a1 login ln@zample.com <super-secret>
- BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
I need to see the network traffic to troubleshoot the way Outlook 2019 handles IMAP folders.
Regards, David Koski dkoski@sutinen.com
Hello, I don't know about actually fully disabling SSL requirements but I do know that dovecot supports logging everything in an IMAP session if that would also help. [1]https://doc.dovecot.org/2.4.3/core/admin/rawlog.html [2]https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir Best, David On 2026-04-21, 01:44 David Koski via dovecot <dovecot@[3]dovecot.org> wrote:
Hello,
In spite of:
ssl = no
auth_allow_cleartext = yes
..in a telnet session, I get:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=CRAM-MD5] Dovecot
(Debian) ready.
a1 login ln@[4]zample.com <super-secret>
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but
your client did it anyway. If anyone was listening, the password was
exposed.
a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on
non-secure (SSL/TLS) connections.
I need to see the network traffic to troubleshoot the way Outlook 2019
handles IMAP folders.
Regards,
David Koski
dkoski@[5]sutinen.com
_______________________________________________
dovecot mailing list -- dovecot@[6]dovecot.org
To unsubscribe send an email to dovecot-leave@[7]dovecot.orgReferences
Visible links
Hello,
I am able to get Pre-login Rawlog to log to /var/run/dovecot/login/rawlogs as per:
https://doc.dovecot.org/2.4.3/core/admin/rawlog.html
But this only works with a telnet session locally. Outlook does nothing. I can see the encrypted traffic in ngrep, however. Nothing is logged to the rawlog using Outlook, only with telnet.
Also, it logs no IMAP commands after login. Note that this telnet session is local so it allows plain text. The section "rawlog Binary" says rawlog_dir is preferred??? Not sure how it will allow me to log IMAP commands other than pre-login. But I gave it a shot and got no output to %{home}/rawlog in spite of creating the directory. No error seen in any dovecot log with debugging enabled. No indication of a problem with journalctl. I tried to remove the "-R" from "exectuable = imap-login -R rawlogs" with no discernible change in outcome. I see this option document nowhere and it seems superfluous.
Also note that in the "Pre-login Rawlog" section it says: "SSL/TLS sessions are currently not decrypted to rawlogs". It seems ambiguous as it implies no logging is decrypted.
All I really want to do is see the IMAP commands when accessing dovecot from a host not on the local network to troubleshoot Outlook interactions with dovecot. I have no option for having Outlook on the same network as dovecot with this deployment. ngrep would be great if only dovecot would allow unencrypted IMAP.
Regards, David Koski dkoski@sutinen.com
David Koski dkoski@sutinen.com
On 4/21/26 1:10 AM, David via dovecot wrote:
Hello, I don't know about actually fully disabling SSL requirements but I do know that dovecot supports logging everything in an IMAP session if that would also help. [1]https://doc.dovecot.org/2.4.3/core/admin/rawlog.html [2]https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir Best, David On 2026-04-21, 01:44 David Koski via dovecot <dovecot@[3]dovecot.org> wrote: Hello, In spite of: ssl = no auth_allow_cleartext = yes ..in a telnet session, I get: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=CRAM-MD5] Dovecot (Debian) ready. a1 login ln@[4]zample.com <super-secret> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections. I need to see the network traffic to troubleshoot the way Outlook 2019 handles IMAP folders. Regards, David Koski dkoski@[5]sutinen.com _______________________________________________ dovecot mailing list -- dovecot@[6]dovecot.org To unsubscribe send an email to dovecot-leave@[7]dovecot.orgReferences
Visible links 1. https://doc.dovecot.org/2.4.3/core/admin/rawlog.html 2. https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir 3. http://dovecot.org/ 4. http://zample.com/ 5. http://sutinen.com/ 6. http://dovecot.org/ 7. http://dovecot.org/
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Use post-login rawlogs.
rawlog_dir = %{home}/rawlogs
then make the rawlogs directory with mode 0777, and when you want to stop rawlogging, either remove the directory, or make it unwritable to dovecot mail process.
Aki
On 23/04/2026 02:51 EEST David Koski via dovecot <dovecot@dovecot.org> wrote:
Hello,
I am able to get Pre-login Rawlog to log to /var/run/dovecot/login/rawlogs as per:
https://doc.dovecot.org/2.4.3/core/admin/rawlog.html
But this only works with a telnet session locally. Outlook does nothing. I can see the encrypted traffic in ngrep, however. Nothing is logged to the rawlog using Outlook, only with telnet.
Also, it logs no IMAP commands after login. Note that this telnet session is local so it allows plain text. The section "rawlog Binary" says rawlog_dir is preferred??? Not sure how it will allow me to log IMAP commands other than pre-login. But I gave it a shot and got no output to %{home}/rawlog in spite of creating the directory. No error seen in any dovecot log with debugging enabled. No indication of a problem with journalctl. I tried to remove the "-R" from "exectuable = imap-login -R rawlogs" with no discernible change in outcome. I see this option document nowhere and it seems superfluous.
Also note that in the "Pre-login Rawlog" section it says: "SSL/TLS sessions are currently not decrypted to rawlogs". It seems ambiguous as it implies no logging is decrypted.
All I really want to do is see the IMAP commands when accessing dovecot from a host not on the local network to troubleshoot Outlook interactions with dovecot. I have no option for having Outlook on the same network as dovecot with this deployment. ngrep would be great if only dovecot would allow unencrypted IMAP.
Regards, David Koski dkoski@sutinen.com
David Koski dkoski@sutinen.com
On 4/21/26 1:10 AM, David via dovecot wrote:
Hello, I don't know about actually fully disabling SSL requirements but I do know that dovecot supports logging everything in an IMAP session if that would also help. [1]https://doc.dovecot.org/2.4.3/core/admin/rawlog.html [2]https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir Best, David On 2026-04-21, 01:44 David Koski via dovecot <dovecot@[3]dovecot.org> wrote: Hello, In spite of: ssl = no auth_allow_cleartext = yes ..in a telnet session, I get: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=CRAM-MD5] Dovecot (Debian) ready. a1 login ln@[4]zample.com <super-secret> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections. I need to see the network traffic to troubleshoot the way Outlook 2019 handles IMAP folders. Regards, David Koski dkoski@[5]sutinen.com _______________________________________________ dovecot mailing list -- dovecot@[6]dovecot.org To unsubscribe send an email to dovecot-leave@[7]dovecot.orgReferences
Visible links 1. https://doc.dovecot.org/2.4.3/core/admin/rawlog.html 2. https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir 3. http://dovecot.org/ 4. http://zample.com/ 5. http://sutinen.com/ 6. http://dovecot.org/ 7. http://dovecot.org/
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Excellent. That did it, thanks! David
On 4/22/26 10:40 PM, Aki Tuomi via dovecot wrote:
Use post-login rawlogs.
rawlog_dir = %{home}/rawlogs
then make the rawlogs directory with mode 0777, and when you want to stop rawlogging, either remove the directory, or make it unwritable to dovecot mail process.
Aki
On 23/04/2026 02:51 EEST David Koski via dovecot <dovecot@dovecot.org> wrote:
Hello,
I am able to get Pre-login Rawlog to log to /var/run/dovecot/login/rawlogs as per:
https://doc.dovecot.org/2.4.3/core/admin/rawlog.html
But this only works with a telnet session locally. Outlook does nothing. I can see the encrypted traffic in ngrep, however. Nothing is logged to the rawlog using Outlook, only with telnet.
Also, it logs no IMAP commands after login. Note that this telnet session is local so it allows plain text. The section "rawlog Binary" says rawlog_dir is preferred??? Not sure how it will allow me to log IMAP commands other than pre-login. But I gave it a shot and got no output to %{home}/rawlog in spite of creating the directory. No error seen in any dovecot log with debugging enabled. No indication of a problem with journalctl. I tried to remove the "-R" from "exectuable = imap-login -R rawlogs" with no discernible change in outcome. I see this option document nowhere and it seems superfluous.
Also note that in the "Pre-login Rawlog" section it says: "SSL/TLS sessions are currently not decrypted to rawlogs". It seems ambiguous as it implies no logging is decrypted.
All I really want to do is see the IMAP commands when accessing dovecot from a host not on the local network to troubleshoot Outlook interactions with dovecot. I have no option for having Outlook on the same network as dovecot with this deployment. ngrep would be great if only dovecot would allow unencrypted IMAP.
Regards, David Koski dkoski@sutinen.com
David Koski dkoski@sutinen.com
On 4/21/26 1:10 AM, David via dovecot wrote:
Hello, I don't know about actually fully disabling SSL requirements but I do know that dovecot supports logging everything in an IMAP session if that would also help. [1]https://doc.dovecot.org/2.4.3/core/admin/rawlog.html [2]https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir Best, David On 2026-04-21, 01:44 David Koski via dovecot <dovecot@[3]dovecot.org> wrote: Hello, In spite of: ssl = no auth_allow_cleartext = yes ..in a telnet session, I get: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=CRAM-MD5] Dovecot (Debian) ready. a1 login ln@[4]zample.com <super-secret> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections. I need to see the network traffic to troubleshoot the way Outlook 2019 handles IMAP folders. Regards, David Koski dkoski@[5]sutinen.com _______________________________________________ dovecot mailing list -- dovecot@[6]dovecot.org To unsubscribe send an email to dovecot-leave@[7]dovecot.orgReferences
Visible links 1. https://doc.dovecot.org/2.4.3/core/admin/rawlog.html 2. https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir 3. http://dovecot.org/ 4. http://zample.com/ 5. http://sutinen.com/ 6. http://dovecot.org/ 7. http://dovecot.org/
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Well, not so fast. It only captures the localhost telnet session, not the remote Outlook IMAP access. It is completely silent on that. Now what? David
On 4/23/26 8:37 AM, David Koski via dovecot wrote:
Excellent. That did it, thanks! David
On 4/22/26 10:40 PM, Aki Tuomi via dovecot wrote:
Use post-login rawlogs.
rawlog_dir = %{home}/rawlogs
then make the rawlogs directory with mode 0777, and when you want to stop rawlogging, either remove the directory, or make it unwritable to dovecot mail process.
Aki
On 23/04/2026 02:51 EEST David Koski via dovecot <dovecot@dovecot.org> wrote:
Hello,
I am able to get Pre-login Rawlog to log to /var/run/dovecot/login/rawlogs as per:
https://doc.dovecot.org/2.4.3/core/admin/rawlog.html
But this only works with a telnet session locally. Outlook does nothing. I can see the encrypted traffic in ngrep, however. Nothing is logged to the rawlog using Outlook, only with telnet.
Also, it logs no IMAP commands after login. Note that this telnet session is local so it allows plain text. The section "rawlog Binary" says rawlog_dir is preferred??? Not sure how it will allow me to log IMAP commands other than pre-login. But I gave it a shot and got no output to %{home}/rawlog in spite of creating the directory. No error seen in any dovecot log with debugging enabled. No indication of a problem with journalctl. I tried to remove the "-R" from "exectuable = imap-login -R rawlogs" with no discernible change in outcome. I see this option document nowhere and it seems superfluous.
Also note that in the "Pre-login Rawlog" section it says: "SSL/TLS sessions are currently not decrypted to rawlogs". It seems ambiguous as it implies no logging is decrypted.
All I really want to do is see the IMAP commands when accessing dovecot from a host not on the local network to troubleshoot Outlook interactions with dovecot. I have no option for having Outlook on the same network as dovecot with this deployment. ngrep would be great if only dovecot would allow unencrypted IMAP.
Regards, David Koski dkoski@sutinen.com
David Koski dkoski@sutinen.com
On 4/21/26 1:10 AM, David via dovecot wrote:
Hello, I don't know about actually fully disabling SSL requirements but I do know that dovecot supports logging everything in an IMAP session if that would also help. [1]https://doc.dovecot.org/2.4.3/core/admin/rawlog.html [2]https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir
Best, David On 2026-04-21, 01:44 David Koski via dovecot <dovecot@[3]dovecot.org> wrote:
Hello,
In spite of:
ssl = no auth_allow_cleartext = yes
..in a telnet session, I get:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=CRAM-MD5] Dovecot (Debian) ready. a1 login ln@[4]zample.com <super-secret> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
I need to see the network traffic to troubleshoot the way Outlook 2019 handles IMAP folders.
Regards, David Koski dkoski@[5]sutinen.com
_______________________________________________ dovecot mailing list -- dovecot@[6]dovecot.org To unsubscribe send an email to dovecot-leave@[7]dovecot.org
References
Visible links 1. https://doc.dovecot.org/2.4.3/core/admin/rawlog.html 2. https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir 3. http://dovecot.org/ 4. http://zample.com/ 5. http://sutinen.com/ 6. http://dovecot.org/ 7. http://dovecot.org/
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Outlook is bit picky about logging in. do you have auth_mechanisms = PLAIN LOGIN set? Also these days they come from some redmond proxy, if this is the new outlook from windows 11.
You can also do
log_debug=category=auth
to see if outlook even tries to log in.
Aki
On 23/04/2026 18:58 EEST David Koski via dovecot <dovecot@dovecot.org> wrote:
Well, not so fast. It only captures the localhost telnet session, not the remote Outlook IMAP access. It is completely silent on that. Now what? David
On 4/23/26 8:37 AM, David Koski via dovecot wrote:
Excellent. That did it, thanks! David
On 4/22/26 10:40 PM, Aki Tuomi via dovecot wrote:
Use post-login rawlogs.
rawlog_dir = %{home}/rawlogs
then make the rawlogs directory with mode 0777, and when you want to stop rawlogging, either remove the directory, or make it unwritable to dovecot mail process.
Aki
On 23/04/2026 02:51 EEST David Koski via dovecot <dovecot@dovecot.org> wrote:
Hello,
I am able to get Pre-login Rawlog to log to /var/run/dovecot/login/rawlogs as per:
https://doc.dovecot.org/2.4.3/core/admin/rawlog.html
But this only works with a telnet session locally. Outlook does nothing. I can see the encrypted traffic in ngrep, however. Nothing is logged to the rawlog using Outlook, only with telnet.
Also, it logs no IMAP commands after login. Note that this telnet session is local so it allows plain text. The section "rawlog Binary" says rawlog_dir is preferred??? Not sure how it will allow me to log IMAP commands other than pre-login. But I gave it a shot and got no output to %{home}/rawlog in spite of creating the directory. No error seen in any dovecot log with debugging enabled. No indication of a problem with journalctl. I tried to remove the "-R" from "exectuable = imap-login -R rawlogs" with no discernible change in outcome. I see this option document nowhere and it seems superfluous.
Also note that in the "Pre-login Rawlog" section it says: "SSL/TLS sessions are currently not decrypted to rawlogs". It seems ambiguous as it implies no logging is decrypted.
All I really want to do is see the IMAP commands when accessing dovecot from a host not on the local network to troubleshoot Outlook interactions with dovecot. I have no option for having Outlook on the same network as dovecot with this deployment. ngrep would be great if only dovecot would allow unencrypted IMAP.
Regards, David Koski dkoski@sutinen.com
David Koski dkoski@sutinen.com
On 4/21/26 1:10 AM, David via dovecot wrote:
Hello, I don't know about actually fully disabling SSL requirements but I do know that dovecot supports logging everything in an IMAP session if that would also help. [1]https://doc.dovecot.org/2.4.3/core/admin/rawlog.html [2]https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir
Best, David On 2026-04-21, 01:44 David Koski via dovecot <dovecot@[3]dovecot.org> wrote:
Hello,
In spite of:
ssl = no auth_allow_cleartext = yes
..in a telnet session, I get:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=CRAM-MD5] Dovecot (Debian) ready. a1 login ln@[4]zample.com <super-secret> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
I need to see the network traffic to troubleshoot the way Outlook 2019 handles IMAP folders.
Regards, David Koski dkoski@[5]sutinen.com
_______________________________________________ dovecot mailing list -- dovecot@[6]dovecot.org To unsubscribe send an email to dovecot-leave@[7]dovecot.org
References
Visible links 1. https://doc.dovecot.org/2.4.3/core/admin/rawlog.html 2. https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir 3. http://dovecot.org/ 4. http://zample.com/ 5. http://sutinen.com/ 6. http://dovecot.org/ 7. http://dovecot.org/
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Auth is and has been set to:
auth_mechanisms = plain login gssapi cram-md5
I also tried plain and login by themselves individually with no change in outcome. The above is reflected in the attached doveconf generated file.
I added the below config "log_debug=category=auth" but didn't see anything in dovecot logs so I enabled SQL query logging (MariaDB) and can verify that a telnet session is logged during authentication but not Outlook. The obvious question seems to be "how does Outlook access IMAP without authenticating"??? Clearly, there is something I'm missing. Re: windows 11 Outlook: It is verified with ngrep that Outlook is accessing the dovecot host directly. There are no other mail clients that access this mail host and no other client has access as the firewall is filtered on the public IP address of the client. I also see traffic on outbound email with no sign of authentication in SQL.
Now if there was a way to enable unencrypted IMAP it would solve the problem for me.
David
On 4/23/26 9:18 AM, Aki Tuomi via dovecot wrote:
Outlook is bit picky about logging in. do you have auth_mechanisms = PLAIN LOGIN set? Also these days they come from some redmond proxy, if this is the new outlook from windows 11.
You can also do
log_debug=category=auth
to see if outlook even tries to log in.
Aki
On 23/04/2026 18:58 EEST David Koski via dovecot <dovecot@dovecot.org> wrote:
Well, not so fast. It only captures the localhost telnet session, not the remote Outlook IMAP access. It is completely silent on that. Now what? David
On 4/23/26 8:37 AM, David Koski via dovecot wrote:
Excellent. That did it, thanks! David
On 4/22/26 10:40 PM, Aki Tuomi via dovecot wrote:
Use post-login rawlogs.
rawlog_dir = %{home}/rawlogs
then make the rawlogs directory with mode 0777, and when you want to stop rawlogging, either remove the directory, or make it unwritable to dovecot mail process.
Aki
On 23/04/2026 02:51 EEST David Koski via dovecot <dovecot@dovecot.org> wrote:
Hello,
I am able to get Pre-login Rawlog to log to /var/run/dovecot/login/rawlogs as per:
https://doc.dovecot.org/2.4.3/core/admin/rawlog.html
But this only works with a telnet session locally. Outlook does nothing. I can see the encrypted traffic in ngrep, however. Nothing is logged to the rawlog using Outlook, only with telnet.
Also, it logs no IMAP commands after login. Note that this telnet session is local so it allows plain text. The section "rawlog Binary" says rawlog_dir is preferred??? Not sure how it will allow me to log IMAP commands other than pre-login. But I gave it a shot and got no output to %{home}/rawlog in spite of creating the directory. No error seen in any dovecot log with debugging enabled. No indication of a problem with journalctl. I tried to remove the "-R" from "exectuable = imap-login -R rawlogs" with no discernible change in outcome. I see this option document nowhere and it seems superfluous.
Also note that in the "Pre-login Rawlog" section it says: "SSL/TLS sessions are currently not decrypted to rawlogs". It seems ambiguous as it implies no logging is decrypted.
All I really want to do is see the IMAP commands when accessing dovecot from a host not on the local network to troubleshoot Outlook interactions with dovecot. I have no option for having Outlook on the same network as dovecot with this deployment. ngrep would be great if only dovecot would allow unencrypted IMAP.
Regards, David Koski dkoski@sutinen.com
David Koski dkoski@sutinen.com
On 4/21/26 1:10 AM, David via dovecot wrote:
Hello, I don't know about actually fully disabling SSL requirements but I do know that dovecot supports logging everything in an IMAP session if that would also help. [1]https://doc.dovecot.org/2.4.3/core/admin/rawlog.html [2]https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir
Best, David On 2026-04-21, 01:44 David Koski via dovecot <dovecot@[3]dovecot.org> wrote:
Hello,
In spite of:
ssl = no auth_allow_cleartext = yes
..in a telnet session, I get:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=CRAM-MD5] Dovecot (Debian) ready. a1 login ln@[4]zample.com <super-secret> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
I need to see the network traffic to troubleshoot the way Outlook 2019 handles IMAP folders.
Regards, David Koski dkoski@[5]sutinen.com
_______________________________________________ dovecot mailing list -- dovecot@[6]dovecot.org To unsubscribe send an email to dovecot-leave@[7]dovecot.org
References
Visible links 1. https://doc.dovecot.org/2.4.3/core/admin/rawlog.html 2. https://doc.dovecot.org/2.4.3/core/summaries/settings.html#rawlog_dir 3. http://dovecot.org/ 4. http://zample.com/ 5. http://sutinen.com/ 6. http://dovecot.org/ 7. http://dovecot.org/
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Looks like attachments don't work here so here is the config text:
2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
Pigeonhole version 2.4.1-4 (0a86619f)
OS: Linux 6.12.69+deb13-amd64 x86_64 Debian 13.4
Hostname: B914839.online-server.cloud
4 default setting changes since version 2.4.0
dovecot_config_version = 2.4.0 auth_allow_cleartext = yes auth_debug = yes auth_mechanisms = plain login gssapi cram-md5 auth_verbose = yes debug_log_path = /var/log/dovecot/debug.log default_vsz_limit = 512M dovecot_storage_version = 2.4.0 fts_autoindex = yes fts_autoindex_max_recent_msgs = 999 fts_search_add_missing = yes import_environment { CORE_ERROR = %{env:CORE_ERROR} CORE_OUTOFMEM = %{env:CORE_OUTOFMEM} DEBUG = 1 LISTEN_FDS = %{env:LISTEN_FDS} LISTEN_PID = %{env:LISTEN_PID} MALLOC_MMAP_THRESHOLD_ = 131072 NOTIFY_SOCKET = %{env:NOTIFY_SOCKET} PATH = %{env:PATH} TZ = %{env:TZ} } info_log_path = /var/log/dovecot/info.log lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes log_debug = category=auth log_path = /var/log/dovecot/dovecot.log mail_driver = maildir mail_plugins { quota = yes } mailbox_directory_name_legacy = no protocols { imap = yes lmtp = yes sieve = yes } quota_exceeded_message = User %{user} has exceeded the storage volume. / User %{user} has exhausted allowed storage space. sieve_plugins { sieve_imapsieve = yes sieve_extprograms = yes } sql_driver = mysql namespace inbox { inbox = yes separator = . mailbox Drafts { auto = subscribe special_use = "\\Drafts" } mailbox Outbox { special_use = "\\Drafts" } mailbox Junk { auto = subscribe special_use = "\\Junk" } mailbox "Junk Email" { special_use = "\\Junk" } mailbox Trash { auto = subscribe special_use = "\\Trash" } mailbox "Deleted Items" { auto = no special_use = "\\Trash" } mailbox Archives { auto = no special_use = "\\Archive" } mailbox Sent { auto = subscribe special_use = "\\Sent" } mailbox "Sent Items" { auto = no special_use = "\\Sent" } mailbox "Sent Messages" { auto = no special_use = "\\Sent" } } service imap-login { executable = imap-login -R rawlogs inet_listener imap { } inet_listener imaps { } } service pop3-login { inet_listener pop3 { } inet_listener pop3s { } } service submission-login { inet_listener submission { } inet_listener submissions { } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service imap { } service pop3 { } service submission { } service auth { unix_listener auth-userdb { group = postfix } unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service auth-worker { } service dict { unix_listener dict { } } ssl_server { cert_file = /etc/letsencrypt/live/mail.sutinen.com/fullchain.pem key_file = /etc/letsencrypt/live/mail.sutinen.com/privkey.pem } protocol lda { mail_plugins { sieve = yes quota = yes } } protocol imap { mail_plugins { imap_sieve = yes } rawlog_dir = %{home}/rawlog } protocol lmtp { mail_plugins { quota = yes sieve = yes notify = yes push_notification = yes } postmaster_address = postmaster@sutinen.com } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } service managesieve { } sieve_script personal { active_path = /var/vmail/sieve/%{user | domain }/%{user | username }/active-script.sieve driver = file path = /var/vmail/sieve/%{user | domain }/%{user | username }/scripts type = personal } sieve_script spam-global { path = /var/vmail/sieve/global/spam-global.sieve type = before } mailbox Spam { sieve_script spam { cause = copy path = /var/vmail/sieve/global/learn-spam.sieve type = before } } imapsieve_from Spam { sieve_script ham { cause = copy path = /var/vmail/sieve/global/learn-ham.sieve type = before } } mysql /var/run/mysqld/mysqld.sock { dbname = vmail password = # hidden, use -P to show it user = vmail } passdb sql { driver = sql query = CALL password_query('%{user}', '%{password}') } userdb sql { driver = sql query = CALL user_query_dovecot('%{user | username}', '%{user | domain}') }
I have reviewed my tests and found something not right in routing causing some confusion. I am now able to see IMAP with nmap in clear text. Thank you all for your input.
David
On 4/23/26 11:40 AM, David Koski via dovecot wrote:
Looks like attachments don't work here so here is the config text:
2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
Pigeonhole version 2.4.1-4 (0a86619f)
OS: Linux 6.12.69+deb13-amd64 x86_64 Debian 13.4
Hostname: B914839.online-server.cloud
4 default setting changes since version 2.4.0
dovecot_config_version = 2.4.0 auth_allow_cleartext = yes auth_debug = yes auth_mechanisms = plain login gssapi cram-md5 auth_verbose = yes debug_log_path = /var/log/dovecot/debug.log default_vsz_limit = 512M dovecot_storage_version = 2.4.0 fts_autoindex = yes fts_autoindex_max_recent_msgs = 999 fts_search_add_missing = yes import_environment { CORE_ERROR = %{env:CORE_ERROR} CORE_OUTOFMEM = %{env:CORE_OUTOFMEM} DEBUG = 1 LISTEN_FDS = %{env:LISTEN_FDS} LISTEN_PID = %{env:LISTEN_PID} MALLOC_MMAP_THRESHOLD_ = 131072 NOTIFY_SOCKET = %{env:NOTIFY_SOCKET} PATH = %{env:PATH} TZ = %{env:TZ} } info_log_path = /var/log/dovecot/info.log lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes log_debug = category=auth log_path = /var/log/dovecot/dovecot.log mail_driver = maildir mail_plugins { quota = yes } mailbox_directory_name_legacy = no protocols { imap = yes lmtp = yes sieve = yes } quota_exceeded_message = User %{user} has exceeded the storage volume. / User %{user} has exhausted allowed storage space. sieve_plugins { sieve_imapsieve = yes sieve_extprograms = yes } sql_driver = mysql namespace inbox { inbox = yes separator = . mailbox Drafts { auto = subscribe special_use = "\\Drafts" } mailbox Outbox { special_use = "\\Drafts" } mailbox Junk { auto = subscribe special_use = "\\Junk" } mailbox "Junk Email" { special_use = "\\Junk" } mailbox Trash { auto = subscribe special_use = "\\Trash" } mailbox "Deleted Items" { auto = no special_use = "\\Trash" } mailbox Archives { auto = no special_use = "\\Archive" } mailbox Sent { auto = subscribe special_use = "\\Sent" } mailbox "Sent Items" { auto = no special_use = "\\Sent" } mailbox "Sent Messages" { auto = no special_use = "\\Sent" } } service imap-login { executable = imap-login -R rawlogs inet_listener imap { } inet_listener imaps { } } service pop3-login { inet_listener pop3 { } inet_listener pop3s { } } service submission-login { inet_listener submission { } inet_listener submissions { } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service imap { } service pop3 { } service submission { } service auth { unix_listener auth-userdb { group = postfix } unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service auth-worker { } service dict { unix_listener dict { } } ssl_server { cert_file = /etc/letsencrypt/live/mail.sutinen.com/fullchain.pem key_file = /etc/letsencrypt/live/mail.sutinen.com/privkey.pem } protocol lda { mail_plugins { sieve = yes quota = yes } } protocol imap { mail_plugins { imap_sieve = yes } rawlog_dir = %{home}/rawlog } protocol lmtp { mail_plugins { quota = yes sieve = yes notify = yes push_notification = yes } postmaster_address = postmaster@sutinen.com } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } service managesieve { } sieve_script personal { active_path = /var/vmail/sieve/%{user | domain }/%{user | username }/active-script.sieve driver = file path = /var/vmail/sieve/%{user | domain }/%{user | username }/scripts type = personal } sieve_script spam-global { path = /var/vmail/sieve/global/spam-global.sieve type = before } mailbox Spam { sieve_script spam { cause = copy path = /var/vmail/sieve/global/learn-spam.sieve type = before } } imapsieve_from Spam { sieve_script ham { cause = copy path = /var/vmail/sieve/global/learn-ham.sieve type = before } } mysql /var/run/mysqld/mysqld.sock { dbname = vmail password = # hidden, use -P to show it user = vmail } passdb sql { driver = sql query = CALL password_query('%{user}', '%{password}') } userdb sql { driver = sql query = CALL user_query_dovecot('%{user | username}', '%{user | domain}') }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
participants (3)
-
Aki Tuomi
-
David
-
David Koski