[Dovecot] Auth socket can't listen using ssl
Hi,
I'm using Dovecot 2.2.9 (debian package on testing). It seems that it's not possible to open an auth socket using ssl. I'm using this configuration:

service auth {
  [...]
  inet_listener authxmpp-client {
    address = [ips]
    port = 5220
  }
  inet_listener genericauth-client {
    ssl = yes
    address = [ips]
    port = 5221
  }
  [...]
}

Both ports are running fine. But the 5221, which should listen in ssl (because of the "ssl = yes" as written in the documentation here: http://wiki2.dovecot.org/Services ) is using plaintext. If I telnet directly to it, the content is delivered on an unsecured socket.
Is there a way to make ssl work on this kind of socket?
Thanks a lot
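The check the poster did by hand with telnet, written as a small Python probe; this is an added example, not code from the thread or from Dovecot. It connects without sending anything and looks for an unsolicited greeting (a plaintext Dovecot auth listener sends its VERSION/MECH/.../DONE banner on connect, a TLS listener sends nothing until it sees a ClientHello), then falls back to an actual TLS handshake. The `start_plaintext_banner_server` helper and the banner bytes it sends are constructed stand-ins for the misconfigured port 5221 so the probe can be run offline.

```python
"""Classify a TCP listener as plaintext, TLS, or unknown (added example)."""
import socket
import ssl
import threading

PROBE_TIMEOUT = 1.0  # seconds to wait for an unsolicited banner / handshake

# Constructed approximation of the greeting a Dovecot auth client socket
# sends on connect; not captured from a real server.
CONSTRUCTED_BANNER = (
    b"VERSION\t1\t1\n"
    b"MECH\tPLAIN\tplaintext\n"
    b"SPID\t12345\n"
    b"CUID\t1\n"
    b"COOKIE\t00000000000000000000000000000000\n"
    b"DONE\n"
)


def read_unsolicited_banner(host, port, timeout=PROBE_TIMEOUT):
    """Connect, send nothing, and return whatever the server volunteers.

    Returns b"" if the server stays silent until the timeout or closes
    the connection without sending anything."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""


def tls_handshake_succeeds(host, port, timeout=PROBE_TIMEOUT):
    """Return True if the endpoint completes a TLS handshake.

    Certificate verification is disabled on purpose: the question here is
    only whether the port speaks TLS at all, not whether its certificate
    chains to a trusted CA. Do not reuse this context for real traffic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:  # handshake happens here
                return tls.version() is not None
    except OSError:  # covers ssl.SSLError, timeouts and connection errors
        return False


def classify_listener(host, port, timeout=PROBE_TIMEOUT):
    """Return 'plaintext' (greeted in the clear), 'tls', or 'unknown'."""
    if read_unsolicited_banner(host, port, timeout):
        return "plaintext"
    if tls_handshake_succeeds(host, port, timeout):
        return "tls"
    return "unknown"


def start_plaintext_banner_server(banner=CONSTRUCTED_BANNER):
    """Start a throwaway local server that greets each client with `banner`
    and then closes. Returns the bound port. With banner=b"" it behaves as
    a server that accepts and immediately hangs up, which exercises the
    'unknown' path. Constructed stand-in for the thread's port 5221."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plaintext_banner_server()
    print(f"127.0.0.1:{port} -> {classify_listener('127.0.0.1', port)}")
```

Against a listener that was expected to be TLS, a result of `plaintext` is the condition described in this thread: the banner arrived before any handshake, so credentials sent over that socket would cross the network in the clear.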
On Mon, 27 Jan 2014 14:46:55 +0100 Anthony Bourguignon <contact@toniob.net> wrote:
> Hi,
> I'm using Dovecot 2.2.9 (debian package on testing). It seems that it's not possible to open an auth socket using ssl. I'm using this configuration:
>
> service auth {
>   [...]
>   inet_listener authxmpp-client {
>     address = [ips]
>     port = 5220
>   }
>   inet_listener genericauth-client {
>     ssl = yes
>     address = [ips]
>     port = 5221
>   }
>   [...]
> }
>
> Both ports are running fine. But the 5221, which should listen in ssl (because of the "ssl = yes" as written in the documentation here: http://wiki2.dovecot.org/Services ) is using plaintext. If I telnet directly to it, the content is delivered on an unsecured socket.
> Is there a way to make ssl work on this kind of socket?
> Thanks a lot
I read in some docs somewhere that Dovecot automatically trusts anything on localhost. If you're telnetting into it from the same physical computer that hosts the port, try telnetting into it from a different physical computer with a different IP address and see if you can still telnet in.
Of course, if you were already doing that, then please ignore my email :-)
Thanks,
SteveT
Steve Litt * http://www.troubleshooters.com/ Troubleshooting Training * Human Performance
On Monday 27 January 2014 at 12:08 -0500, Steve Litt wrote:
> I read in some docs somewhere that Dovecot automatically trusts anything on localhost. If you're telnetting into it from the same physical computer that hosts the port, try telnetting into it from a different physical computer with a different IP address and see if you can still telnet in.
I've tried from localhost and another computer. In both tries, the connection is made without ssl.
But thanks for the tip
On Tue, 28 Jan 2014, Anthony Bourguignon wrote:
> On Monday 27 January 2014 at 12:08 -0500, Steve Litt wrote:
>> I read in some docs somewhere that Dovecot automatically trusts anything on localhost. If you're telnetting into it from the same physical computer that hosts the port, try telnetting into it from a different physical computer with a different IP address and see if you can still telnet in.
> I've tried from localhost and another computer. In both tries, the connection is made without ssl.
Hmm, maybe "internal" sockets do not utilize SSL at all? Just IMAP/POP/ManageSieve?
Steffen Kaiser
On Tuesday 28 January 2014 at 11:28 +0100, Steffen Kaiser wrote:
> On Tue, 28 Jan 2014, Anthony Bourguignon wrote:
>> On Monday 27 January 2014 at 12:08 -0500, Steve Litt wrote:
>>> I read in some docs somewhere that Dovecot automatically trusts anything on localhost. If you're telnetting into it from the same physical computer that hosts the port, try telnetting into it from a different physical computer with a different IP address and see if you can still telnet in.
>> I've tried from localhost and another computer. In both tries, the connection is made without ssl.
> Hmm, maybe "internal" sockets do not utilize SSL at all? Just IMAP/POP/ManageSieve?
Maybe. I don't know. But that's clearly an issue. I'm trying to use dovecot authentication as a backend for prosody (an xmpp server). Dovecot and prosody are not on the same host. Sending my password in cleartext on the network is not a good option according to me ;)
Thanks
On Wed, 29 Jan 2014, Anthony Bourguignon wrote:
>>> I've tried from localhost and another computer. In both tries, the connection is made without ssl.
>> Hmm, maybe "internal" sockets do not utilize SSL at all? Just IMAP/POP/ManageSieve?
> Maybe. I don't know. But that's clearly an issue. I'm trying to use dovecot authentication as a backend for prosody (an xmpp server). Dovecot and prosody are not on the same host. Sending my password in cleartext on the network is not a good option according to me ;)
The work around would be to use stunnel or something like that.
Steffen Kaiser
On 28.1.2014, at 5.28, Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> wrote:
>> On Monday 27 January 2014 at 12:08 -0500, Steve Litt wrote:
>>> I read in some docs somewhere that Dovecot automatically trusts anything on localhost. If you're telnetting into it from the same physical computer that hosts the port, try telnetting into it from a different physical computer with a different IP address and see if you can still telnet in.
>> I've tried from localhost and another computer. In both tries, the connection is made without ssl.
> Hmm, maybe "internal" sockets do not utilize SSL at all? Just IMAP/POP/ManageSieve?
Pretty much, yeah. I guess some day the code should be changed so everything supports it automatically. Currently if SSL auth socket is wanted it would require adding something like 30 lines of code I think (if anyone wants to try, doveadm's code should be helpful in seeing how it's done).
participants (4)
- Anthony Bourguignon
- Steffen Kaiser
- Steve Litt
- Timo Sirainen