starttls for some services only
Hi,
I would like to disable offering starttls to clients for certain dovecot services.
Background is that I want to let a load balancer do the TLS stuff right at connect time and let dovecot only do plain imap without offering starttls (because the clients actually do imaps). Getting rid of the starttls feature offering works only if I set ssl = no globally. Setting it in the service imap-login section seems to be impossible. If I set it globally to no though, I cannot use it in other services where it is needed, like in managesieve, where clients unfortunately only support starttls and not tls on connect.
Is there any way to configure dovecot to offer starttls for some services and for some not or is this just not supported currently?
Thanks Björn
Hi Aki,
On 10.02.20 17:03, Aki Tuomi wrote:
> Try setting
> login_trusted_networks = lb-ip/32
> See https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networ...
I do have login_trusted_networks set already. Along with the proxy protocol (haproxy_trusted_networks = lb-ip) I actually had to set login_trusted_networks to 0.0.0.0/0, because the proxy protocol tells dovecot the real client's IP address, and that IP address is the one actually evaluated for login_trusted_networks. With the plain authentication being done inside the load balancer's TLS connection it is more or less obvious that this is needed in that case.
But those settings don't change the pity: ssl=no is globally required to make the starttls options disappear for imap-login - but with ssl=no globally I don't see a possibility to enable the starttls option for other services like managesieve for example.
Thanks Björn
On 10/02/2020 19:17 Bjoern Jacke <lists2020@j3e.de> wrote:
> Hi Aki,
> On 10.02.20 17:03, Aki Tuomi wrote:
> > Try setting
> > login_trusted_networks = lb-ip/32
> > See https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networ...
> I do have login_trusted_networks set already. Along with the proxy protocol (haproxy_trusted_networks = lb-ip) I actually had to set login_trusted_networks to 0.0.0.0/0, because the proxy protocol tells dovecot the real client's IP address, and that IP address is the one actually evaluated for login_trusted_networks. With the plain authentication being done inside the load balancer's TLS connection it is more or less obvious that this is needed in that case.
> But those settings don't change the pity: ssl=no is globally required to make the starttls options disappear for imap-login - but with ssl=no globally I don't see a possibility to enable the starttls option for other services like managesieve for example.
> Thanks Björn
With haproxy you need to
- configure HAProxy to use the PROXYv1 or PROXYv2 protocol to pass connection details to dovecot. With a recent enough dovecot, you can include TLS information from haproxy to dovecot.
- configure login_trusted_networks and haproxy_trusted_networks
- set 'haproxy=yes' on the listener you are connecting to with haproxy, so dovecot knows to expect and parse the proxy protocol.
Aki
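The three steps above put together as one configuration, as an added example that is not part of the thread or of the Dovecot or HAProxy projects: HAProxy terminates TLS on 993 and forwards plain IMAP to a dedicated Dovecot listener with PROXY protocol v2 (send-proxy-v2-ssl also carries the TLS information Aki mentions), while the managesieve listener is left untouched so it keeps its own STARTTLS handling. The addresses 192.0.2.10 (load balancer) and 192.0.2.20 (Dovecot), port 10143, the listener name imap_haproxy and the certificate paths are assumptions; the 0.0.0.0/0 value for login_trusted_networks is the one Björn reports needing because Dovecot evaluates the client address delivered by the PROXY protocol, so narrow it if your clients come from a known range.

```conf
# --- /etc/haproxy/haproxy.cfg (assumed paths and addresses) ---
frontend imaps_in
    mode tcp
    # HAProxy does the TLS; clients speak implicit TLS (imaps) to 993.
    bind *:993 ssl crt /etc/haproxy/certs/mail.pem
    default_backend dovecot_imap

backend dovecot_imap
    mode tcp
    # PROXYv2 with the SSL TLV, so Dovecot sees the real client IP and
    # that the client-side connection was TLS-protected.
    server dovecot1 192.0.2.20:10143 send-proxy-v2-ssl

# --- /etc/dovecot/conf.d/10-master.conf (fragment) ---
# Only the load balancer may speak the PROXY protocol to us.
haproxy_trusted_networks = 192.0.2.10/32

# Björn's observation: the address checked here is the one the PROXY header
# carries (the real client), not the load balancer, so it has to cover the
# clients. 0.0.0.0/0 is what the thread reports; narrow it where possible.
login_trusted_networks = 0.0.0.0/0

service imap-login {
  # Dedicated plain-IMAP listener for HAProxy; never expose this port directly,
  # because haproxy=yes makes Dovecot trust the forwarded client address.
  inet_listener imap_haproxy {
    port = 10143
    haproxy = yes
  }
}

# managesieve keeps its normal listener and Dovecot's global ssl setting,
# so clients that only know STARTTLS on 4190 still get it.
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
```

Bind the 10143 listener to an interface that only the load balancer can reach (or firewall it), since any host allowed to send a PROXY header can claim an arbitrary client address to Dovecot.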
Hello Aki,
On 10.02.20 20:34, Aki Tuomi wrote:
> - configure HAProxy to use the PROXYv1 or PROXYv2 protocol to pass connection details to dovecot. With a recent enough dovecot, you can include TLS information from haproxy to dovecot.
> - configure login_trusted_networks and haproxy_trusted_networks
> - set 'haproxy=yes' on the listener you are connecting to with haproxy, so dovecot knows to expect and parse the proxy protocol.
that part is working fine. Whether it's a proxied or non-proxied config can be ignored here.
The essential question broken down to a minimum is, is there any way to
- configure a dovecot service with plain unencrypted authentication (like imap-login for example) that also _does_not_ advertise starttls
and at the same time
- configure another dovecot service (like managesieve for example) that _does_ advertise starttls?
Thanks Björn