[Dovecot] May Dovecot help in users education
Hello,
I was wondering if dovecot could help me in my project to smoothly make all my users switch to TLS encrypted POP / IMAP sessions and forget about cleartext. My first idea was to set up dovecot as a POP/IMAP proxy for my mailhosts and ask dovecot to display a warning message or slow down non-TLS sessions. Is there any way to achieve this with dovecot? Does anybody have another idea to smoothly force users to switch to TLS?
Regards.
P.S: double posted because previous was HTML and I've seen some MUA fails to display it properly... sorry will only send raw text now.
On 17/08/2011 16:00, Alexandre Chapellon wrote:
Is there any way to achieve this with dovecot? Does anybody have another idea to smoothly force users to switch to TLS?
Hi,
Maybe by sending them an email with a deadline for the end of clear text auth support ?
If they don't amend their setup they'll be unable to retrieve their emails.
Should you want to go the "nicer" way, you could throttle bandwidth to port 110/143 provided you use those for insecure connections.
Le 17/08/2011 16:05, Laurent CARON a écrit :
On 17/08/2011 16:00, Alexandre Chapellon wrote:
Is there any way to achieve this with dovecot? Does anybody have another idea to smoothly force users to switch to TLS?
Hi,
Maybe by sending them an email with a deadline for the end of clear text auth support ?
If they don't amend their setup they'll be unable to retrieve their emails.
:)... already tried this in the past and it just doesn't work... 80% of users never apply changes and prefer getting very angry and calling the support, which is exactly what I want to avoid.
Should you want to go the "nicer" way, you could throttle bandwidth to port 110/143 provided you use those for insecure connections.
This sounds better and I thought tc could help going that way, but there is nothing informative in going this way. I know what I ask for seems crappy and probably is out of the scope of what dovecot is supposed to do, but this would be temporary and I want to make sure it is not possible before digging somewhere else.
Thanks
On 08/17/2011 07:24 AM, Alexandre Chapellon wrote:
Le 17/08/2011 16:05, Laurent CARON a écrit :
On 17/08/2011 16:00, Alexandre Chapellon wrote:
Is there any way to achieve this with dovecot? Does anybody have another idea to smoothly force users to switch to TLS?
Hi,
Maybe by sending them an email with a deadline for the end of clear text auth support ?
If they don't amend their setup they'll be unable to retrieve their emails.
:)... already tried this in the past and it just doesn't work... 80% of users never apply changes and prefer getting very angry and calling the support, which is exactly what I want to avoid.
Should you want to go the "nicer" way, you could throttle bandwidth to port 110/143 provided you use those for insecure connections.
This sounds better and I thought tc could help going that way, but there is nothing informative in going this way. I know what I ask for seems crappy and probably is out of the scope of what dovecot is supposed to do, but this would be temporary and I want to make sure it is not possible before digging somewhere else.
Thanks
I think I would write a script that would glean such accounts from the dovecot log, then send them a message every day instructing them how to turn on TLS in order to quit getting this message. A support line to call for help would be nice for those who have difficulty changing their configuration.
-- -Eric 'shubes'
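A script along the lines Eric describes, as an added example that is not from the thread or the Dovecot project: it parses Dovecot login lines, collects the users who authenticated without TLS, and drafts the daily reminder. The log field layout and the "TLS" / "secured" markers are assumed from typical Dovecot logs, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable

# Successful login lines from imap-login / pop3-login. Field layout is an
# assumption from typical Dovecot logs, not taken from the thread:
#   user=<name>, method=..., rip=..., lip=..., [TLS | secured,] session=<...>
LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, (?P<fields>.*)$"
)

def is_cleartext(fields: str) -> bool:
    """True when the login carries neither a TLS flag nor 'secured'
    (local/trusted network), i.e. credentials went over the wire in clear."""
    tokens = [t.strip() for t in fields.split(",")]
    return not any(t.startswith("TLS") or t == "secured" for t in tokens)

def cleartext_logins(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-user count, protocols and source IPs of cleartext logins."""
    stats = defaultdict(lambda: {"count": 0, "protocols": set(), "rips": set()})
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m or not is_cleartext(m.group("fields")):
            continue  # not a login, or already encrypted: nothing to nag about
        entry = stats[m.group("user")]
        entry["count"] += 1
        entry["protocols"].add(m.group("proto"))
        rip = re.search(r"rip=([^,\s]+)", m.group("fields"))
        if rip:
            entry["rips"].add(rip.group(1))
    return dict(stats)

def reminder(user: str, entry: dict, cutoff: str) -> str:
    """Text of the daily notice sent to one offending user."""
    protos = "/".join(sorted(p.upper() for p in entry["protocols"]))
    return (f"Hello {user},\n"
            f"{entry['count']} of your {protos} logins since yesterday used no encryption.\n"
            f"Please enable TLS in your mail client before {cutoff}; "
            f"the support page explains how, and this notice then stops.")

# Constructed sample log: alice uses TLS, dave is a local 'secured' session,
# bob (twice, POP3 and IMAP) and carol authenticate in cleartext.
SAMPLE_LOG = """\
Aug 17 16:00:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<a1>
Aug 17 16:00:02 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, session=<b1>
Aug 17 16:00:03 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, session=<c1>
Aug 17 16:00:04 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, session=<b2>
Aug 17 16:00:05 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<d1>
Aug 17 16:00:06 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=192.0.2.13, lip=198.51.100.5
""".splitlines()

if __name__ == "__main__":
    for user, entry in sorted(cleartext_logins(SAMPLE_LOG).items()):
        print(reminder(user, entry, "1 October"), "\n")
```

Run it daily over the previous day's log and hand each reminder to your MTA; the "secured" check keeps trusted local sessions off the list.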
Le 17/08/2011 16:35, Eric Shubert a écrit :
On 08/17/2011 07:24 AM, Alexandre Chapellon wrote:
Le 17/08/2011 16:05, Laurent CARON a écrit :
On 17/08/2011 16:00, Alexandre Chapellon wrote:
Is there any way to achieve this with dovecot? Does anybody have another idea to smoothly force users to switch to TLS?
Hi,
Maybe by sending them an email with a deadline for the end of clear text auth support ?
If they don't amend their setup they'll be unable to retrieve their emails.
:)... already tried this in the past and it just doesn't work... 80% of users never apply changes and prefer getting very angry and calling the support, which is exactly what I want to avoid.
Should you want to go the "nicer" way, you could throttle bandwidth to port 110/143 provided you use those for insecure connections.
This sounds better and I thought tc could help going that way, but there is nothing informative in going this way. I know what I ask for seems crappy and probably is out of the scope of what dovecot is supposed to do, but this would be temporary and I want to make sure it is not possible before digging somewhere else.
Thanks
I think I would write a script that would glean such accounts from the dovecot log, then send them a message every day instructing them how to turn on TLS in order to quit getting this message. A support line to call for help would be nice for those who have difficulty changing their configuration.
I didn't think about that.... It's quite basic but I like that.
Thanks
On Wed, 2011-08-17 at 16:05 +0200, Laurent CARON wrote:
On 17/08/2011 16:00, Alexandre Chapellon wrote:
Is there any way to achieve this with dovecot? Does anybody have another idea to smoothly force users to switch to TLS?
Hi,
Maybe by sending them an email with a deadline for the end of clear text auth support ?
This is the best method: give them at least 30 days' notice (preferably 90 days). The notices should include a link to a kb/support site showing them how; not doing this will clog up your support lines for sure.
Send subsequent warning notices, with slightly stronger language each time, at 21 days, 14 days, 7 days, 3 days and 1 day. We did this when we cut out relaying for IPs and moved entirely to smtp auth, so it's much the same thing: getting them to change settings.
A safeguard though: if you tell them, say, 1st October cut off, don't actually cut off until a week or two after.
Yes, you'll still find some have not done it, but that's the nature of some people.
If they don't amend their setup they'll be unable to retrieve their emails.
Should you want to go the "nicer" way, you could throttle bandwidth to port 110/143 provided you use those for insecure connections.
That's not the right thing to do: TLS uses those ports too, it's SSL that does not, and it's pointless using other ports; you'll end up creating more problems than it's worth.