[Dovecot] Enforcing STARTTLS for all mechs while disabling imaps
Hi all,
Is there a way to enforce STARTTLS for all connections, regardless of their authentication mechanism? disable_plaintext_auth only takes care of the auth conversation, but I would like to have all communication encrypted.
As far as I can see, this would only be possible when using imaps and disabling imap. However, I would like to have the other way around; disabling imaps and using imap for all communication (with enforced STARTTLS). Am I missing something?
Durk
On 1/15/2009, Durk Strooisma (durk@kern.nl) wrote:
> As far as I can see, this would only be possible when using imaps and disabling imap. However, I would like to have the other way around; disabling imaps and using imap for all communication (with enforced STARTTLS). Am I missing something?
Yes... an explanation for why you want/need to do this...
If you just don't want to force users to change their MUA config, you could just disable imap, and redirect port 143 to 993 in your firewall/router... but the client will have to be configured to at least attempt STARTTLS...
--
Best regards,
Charles
> On 1/15/2009, Durk Strooisma (durk@kern.nl) wrote:
>> As far as I can see, this would only be possible when using imaps and disabling imap. However, I would like to have the other way around; disabling imaps and using imap for all communication (with enforced STARTTLS). Am I missing something?
> Yes... an explanation for why you want/need to do this...
Simple, but debatable I guess. For some it might sound cosmetic. That's why I didn't bring it up in the first place.
Okay, so here's the explanation. In our infrastructure we like to use native encryption for (internet) protocols. Partly because it seems the "right way" and partly because the other method (tunneling) is deprecated for some protocols (e.g. LDAP). We don't need to support a huge range of client applications, so compatibility-wise this is no issue. To keep our infrastructure a bit uniform, I've tried this with Dovecot/IMAP as well. I've tried to enforce STARTTLS for any possible connection, to avoid using tunneling, but I couldn't find an option to do so.
Durk
Durk Strooisma wrote:
> On 1/15/2009, Durk Strooisma (durk@kern.nl) wrote:
> As far as I can see, this would only be possible when using imaps and disabling imap. However, I would like to have the other way around; disabling imaps and using imap for all communication (with enforced STARTTLS). Am I missing something? I've tried to enforce STARTTLS for any possible connection, to avoid using tunneling, but I couldn't find an option to do so.
First you need to disable any ssl_listen in the protocol section:
protocol imap {
  listen = *:143
  # ssl_listen = *:993
}
protocol pop3 {
  listen = *:110
  # ssl_listen = *:995
}
Then set: disable_plaintext_auth = yes
That will give you the ability for users to only log in via TLS.
> First you need to disable any ssl_listen in the protocol section:
>
> protocol imap {
>   listen = *:143
>   # ssl_listen = *:993
> }
> protocol pop3 {
>   listen = *:110
>   # ssl_listen = *:995
> }
>
> Then set: disable_plaintext_auth = yes
> That will give you the ability for users to only log in via TLS.
This will work for plain text authentication. However, we are (partly) using GSSAPI, which is not a plain text authentication mechanism. TLS (through STARTTLS) won't be enforced in these connections.
Durk
Durk Strooisma wrote:
> This will work for plain text authentication. However, we are (partly) using GSSAPI, which is not a plain text authentication mechanism. TLS (through STARTTLS) won't be enforced in these connections.
Ah yeah, will not work with GSSAPI, sorry if I missed where you said you were using that. I can't help you then, I do not know a way to enforce TLS.
On Thu, 2009-01-15 at 10:26 +0100, Durk Strooisma wrote:
> Hi all,
> Is there a way to enforce STARTTLS for all connections, regardless of their authentication mechanism? disable_plaintext_auth only takes care of the auth conversation, but I would like to have all communication encrypted.
> As far as I can see, this would only be possible when using imaps and disabling imap. However, I would like to have the other way around; disabling imaps and using imap for all communication (with enforced STARTTLS). Am I missing something?
Not possible currently.
Hmm. I don't want to add a new setting for this, but some existing one could be updated/replaced.. Perhaps ssl_disable=required? Although that sounds weird. Maybe deprecate that setting and have ssl=yes/no/required.
Anyway you could modify the sources pretty easily to do this. In src/imap-login/client-authenticate.c function cmd_authenticate() add before mech_name line something like:
	if (!client->common.secured && disable_plaintext_auth) {
		if (verbose_auth) {
			client_syslog(&client->common, "Login failed: "
				      "STARTTLS not enabled");
		}
		client->common.auth_attempts++;
		client_send_line(client, "* NO [ALERT] STARTTLS requires");
		client_send_tagline(client, "NO STARTTLS required");
		return 1;
	}
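The thread turns on one distinction: disable_plaintext_auth only refuses mechanisms that carry the password in the clear, so a non-plaintext mechanism such as GSSAPI is still accepted on an unencrypted connection, whereas the check Timo sketches above refuses every authentication attempt until the connection is secured. The following is an added example, not Dovecot's source and not Timo's patch: a small C model of the pre-login command gate that runs the same client commands through both configurations. The struct, the hypothetical ssl_required flag (standing in for the proposed ssl=required setting) and the constructed command script are assumptions made for the illustration; the TLS handshake itself is not modelled, STARTTLS simply flips the secured flag.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed model of an IMAP login session. Field names mirror the
 * settings discussed in the thread; this is not Dovecot's own struct. */
struct login_session {
    bool secured;                /* true once STARTTLS completed (or on an imaps port) */
    bool disable_plaintext_auth; /* Dovecot's disable_plaintext_auth setting */
    bool ssl_required;           /* hypothetical flag for the proposed ssl=required */
};

/* Mechanisms that carry the password itself in the clear. */
static bool mech_is_plaintext(const char *mech)
{
    return strcasecmp(mech, "PLAIN") == 0 || strcasecmp(mech, "LOGIN") == 0;
}

/* Gate an authentication attempt. Returns NULL when it may proceed,
 * otherwise the reason to send back in a tagged NO. */
const char *auth_gate(const struct login_session *s, const char *mech)
{
    if (s->secured)
        return NULL;                       /* TLS is up: nothing to enforce */
    if (s->ssl_required)
        return "STARTTLS required";        /* any mechanism, GSSAPI included */
    if (s->disable_plaintext_auth && mech_is_plaintext(mech))
        return "Plaintext authentication disallowed on non-secure connections";
    return NULL;                           /* GSSAPI passes the old check unencrypted */
}

/* Handle one pre-login command line. Writes the server's tagged response
 * into out and returns 1 only when an auth attempt passed the gate. */
int handle_command(struct login_session *s, const char *line,
                   char *out, size_t outlen)
{
    char tag[32], cmd[32], arg[64] = "";
    int n = sscanf(line, "%31s %31s %63s", tag, cmd, arg);
    if (n < 2) {
        snprintf(out, outlen, "* BAD Syntax error");
        return 0;
    }
    if (strcasecmp(cmd, "STARTTLS") == 0) {
        if (s->secured) {
            snprintf(out, outlen, "%s BAD TLS already active", tag);
            return 0;
        }
        s->secured = true;  /* the TLS handshake itself is outside this model */
        snprintf(out, outlen, "%s OK Begin TLS negotiation now", tag);
        return 0;
    }
    const char *mech;
    if (strcasecmp(cmd, "LOGIN") == 0)
        mech = "LOGIN";
    else if (strcasecmp(cmd, "AUTHENTICATE") == 0 && n == 3)
        mech = arg;
    else {
        snprintf(out, outlen, "%s BAD Unknown or incomplete command", tag);
        return 0;
    }
    const char *reason = auth_gate(s, mech);
    if (reason != NULL) {
        snprintf(out, outlen, "%s NO [ALERT] %s", tag, reason);
        return 0;
    }
    snprintf(out, outlen, "%s OK %s passed the gate (SASL exchange would follow)",
             tag, mech);
    return 1;
}

/* Walk one configuration through a constructed client script and print both sides. */
static void run(const char *label, struct login_session s)
{
    static const char *script[] = {
        "a1 LOGIN alice secret",   /* plaintext password before TLS */
        "a2 AUTHENTICATE GSSAPI",  /* non-plaintext mechanism before TLS */
        "a3 STARTTLS",
        "a4 AUTHENTICATE GSSAPI",  /* same mechanism after TLS */
    };
    char out[160];
    printf("== %s ==\n", label);
    for (size_t i = 0; i < sizeof script / sizeof script[0]; i++) {
        handle_command(&s, script[i], out, sizeof out);
        printf("C: %s\nS: %s\n", script[i], out);
    }
}

int main(void)
{
    run("disable_plaintext_auth only", (struct login_session){ false, true, false });
    run("ssl=required (proposed)",     (struct login_session){ false, true, true });
    return 0;
}
```

Running it shows the gap Durk describes: under the first configuration command a2 (GSSAPI before STARTTLS) is let through, while under the second every authentication command is answered with a tagged NO until a3 has completed, after which a4 succeeds. When verifying a real deployment, the equivalent check is to issue AUTHENTICATE with a non-plaintext mechanism on port 143 before STARTTLS and confirm the server refuses it.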
Hi Timo,
> Not possible currently.
Okay.
> Hmm. I don't want to add a new setting for this, but some existing one could be updated/replaced.. Perhaps ssl_disable=required? Although that sounds weird. Maybe deprecate that setting and have ssl=yes/no/required.
The setting "ssl" sounds fine. In case you're going to implement this feature, for which release would that be?
> Anyway you could modify the sources pretty easily to do this. In src/imap-login/client-authenticate.c function cmd_authenticate() add before mech_name line something like:
>
> 	if (!client->common.secured && disable_plaintext_auth) {
> 		if (verbose_auth) {
> 			client_syslog(&client->common, "Login failed: "
> 				      "STARTTLS not enabled");
> 		}
> 		client->common.auth_attempts++;
> 		client_send_line(client, "* NO [ALERT] STARTTLS requires");
> 		client_send_tagline(client, "NO STARTTLS required");
> 		return 1;
> 	}
Thanks for the info!
Durk
On Thu, 2009-01-15 at 17:10 +0100, Durk Strooisma wrote:
> Hi Timo,
>> Not possible currently.
> Okay.
>> Hmm. I don't want to add a new setting for this, but some existing one could be updated/replaced.. Perhaps ssl_disable=required? Although that sounds weird. Maybe deprecate that setting and have ssl=yes/no/required.
> The setting "ssl" sounds fine. In case you're going to implement this feature, for which release would that be?
It's a configuration change, so won't be added to v1.1 tree anymore. But I just added it to v1.2, so it'll be in v1.2.beta1 which will hopefully be released in a few days.
> On Thu, 2009-01-15 at 17:10 +0100, Durk Strooisma wrote:
>> Hi Timo,
>>> Not possible currently.
>> Okay.
>>> Hmm. I don't want to add a new setting for this, but some existing one could be updated/replaced.. Perhaps ssl_disable=required? Although that sounds weird. Maybe deprecate that setting and have ssl=yes/no/required.
>> The setting "ssl" sounds fine. In case you're going to implement this feature, for which release would that be?
> It's a configuration change, so won't be added to v1.1 tree anymore. But I just added it to v1.2, so it'll be in v1.2.beta1 which will hopefully be released in a few days.
Okay, perfect. Thanks a lot!
Durk
participants (4)
- Charles Marcus
- Durk Strooisma
- Eric Toczek
- Timo Sirainen