[Dovecot] No "Ok Dovecot Ready " on fc3 with ssl on ports 993 and 995
hey friends,
I am trying to secure my mail server on FC3. I have enabled TLS support in postfix (version postfix-2.1.5) and want to use ssl settings for dovecot (0.99.13).
Lines of ssl in /etc/dovecot.conf:
protocols = imaps pop3s
imaps_listen = *
pop3s_listen = *
ssl_disable = no
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
ssl_key_file = /usr/share/ssl/private/dovecot.pem
ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
disable_plaintext_auth = yes
If I do telnet localhost 993 or 995 I don't see any "Ok Dovecot Ready" message. If I enable pop3 and imap in dovecot.conf and then telnet localhost 110 or 143, I can see the "Ok Dovecot Ready" message.
Any pointers on what else I am missing for ssl in dovecot? I am also attaching the dovecot.conf file with this email.
Thanks & Regards
Ankush Grover
ankush grover wrote:
hey friends,
I am trying to secure my mail server on FC3. I have enabled TLS support in postfix (version postfix-2.1.5) and want to use ssl settings for dovecot (0.99.13). ... If I do telnet localhost 993 or 995 I don't see any "Ok Dovecot Ready" message. If I enable pop3 and imap in dovecot.conf and then telnet localhost 110 or 143, I can see the "Ok Dovecot Ready" message.
That's normal. Dovecot is waiting for the SSL handshake to complete before it will send "Ok Dovecot Ready" (over the encrypted line). Use
openssl s_client -connect yourhost:995
to test.
Some clients can also connect to port 110 or 143 and issue the STARTTLS/STLS command to initiate encryption. If you only have such clients (unlikely), then you don't need pop3s and imaps in the protocols line. At any rate, you can pretty safely allow pop3 and imap; dovecot will not allow any plaintext authentication until the connection is encrypted. Caveat: Some clients, most notably Mozilla Thunderbird, will send IMAP passwords in clear anyway, instead of checking if it's OK. (The IMAP LOGIN command takes the username and the password in the same command. You should issue the CAPABILITY command, which shows that LOGIN is disabled while STARTTLS is available.)
-- Magnus Holmgren
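The CAPABILITY check Magnus describes, as an added example that is not from the thread or from Dovecot itself: it parses an untagged CAPABILITY response and treats plaintext LOGIN as safely refused only when the standard LOGINDISABLED token is advertised alongside STARTTLS; check_server() then probes your own server's port 143 and, like the openssl s_client test, reads the greeting on 993 only after the TLS handshake (the cafile parameter and sample capability strings are assumptions).

```python
import imaplib
import socket
import ssl


def parse_capability_response(line):
    """Split an untagged '* CAPABILITY ...' line into its capability tokens."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response: %r" % line)
    return parts[2:]


def plaintext_login_is_refused(capabilities):
    """Return (safe, reason): 'safe' means a client must STARTTLS before it can LOGIN.

    A server that advertises STARTTLS but not LOGINDISABLED still accepts
    LOGIN in the clear, which is exactly the client mistake described above.
    """
    caps = {c.upper() for c in capabilities}
    if "STARTTLS" not in caps:
        return False, "server does not advertise STARTTLS"
    if "LOGINDISABLED" not in caps:
        return False, "server still accepts plaintext LOGIN before STARTTLS"
    return True, "plaintext LOGIN disabled until STARTTLS"


def check_server(host, plain_port=143, tls_port=993, cafile=None):
    """Probe both listeners of a server you administer; returns a dict of findings."""
    findings = {}
    # Port 143: the greeting arrives in clear, so LOGIN must be disabled there.
    imap = imaplib.IMAP4(host, plain_port)  # imaplib issues CAPABILITY on connect
    safe, reason = plaintext_login_is_refused(imap.capabilities)
    findings["plain"] = {"greeting": imap.welcome.decode(errors="replace"),
                         "safe": safe, "reason": reason}
    imap.logout()
    # Port 993: "Ok Dovecot Ready" is only sent after the TLS handshake completes.
    # cafile is assumed to hold the server's own (possibly self-signed) certificate;
    # without it the system trust store is used, so the handshake fails closed.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, tls_port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            greeting = tls.recv(1024).decode(errors="replace").strip()
            findings["tls"] = {"greeting": greeting, "cipher": tls.cipher()[0]}
    return findings
```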
On 12/14/05, Magnus Holmgren holmgren@lysator.liu.se wrote:
ankush grover wrote:
hey friends,
I am trying to secure my mail server on FC3. I have enabled TLS support in postfix (version postfix-2.1.5) and want to use ssl settings for dovecot (0.99.13). ... If I do telnet localhost 993 or 995 I don't see any "Ok Dovecot Ready" message. If I enable pop3 and imap in dovecot.conf and then telnet localhost 110 or 143, I can see the "Ok Dovecot Ready" message.
That's normal. Dovecot is waiting for the SSL handshake to complete before it will send "Ok Dovecot Ready" (over the encrypted line). Use
openssl s_client -connect yourhost:995
to test.
It is working fine, as I get the "Ok Dovecot Ready" message.
Some clients can also connect to port 110 or 143 and issue the STARTTLS/STLS command to initiate encryption. If you only have such clients (unlikely), then you don't need pop3s and imaps in the protocols line. At any rate, you can pretty safely allow pop3 and imap; dovecot will not allow any plaintext authentication until the connection is encrypted. Caveat: Some clients, most notably Mozilla Thunderbird, will send IMAP passwords in clear anyway, instead of checking if it's OK. (The IMAP LOGIN command takes the username and the password in the same command. You should issue the CAPABILITY command, which shows that LOGIN is disabled while STARTTLS is available.)
My clients are Outlook Express, IncrediMail, SquirrelMail, Microsoft Outlook, Evolution and KMail.
I hope none of these clients passes IMAP passwords in clear text.
Thanks for your guidance.
Thanks & Regards
Ankush