993 SSL 143 No encryption
Hello,
I have a dovecot server that listens on both 143 and 993 using SSL. I'm trying to get the 143 port to be unencrypted while 993 to remain encrypted. Is there any way to accomplish this?
Thanks
Hi,

On 26.12.24 16:06, Dino Edwards via dovecot wrote:
> I have a dovecot server that listens on both 143 and 993 using SSL. I'm
> trying to get the 143 port to be unencrypted while 993 to remain encrypted. Is there any way to accomplish this?

it would be very helpful if you could post the output of 'doveconf -n'.

The Dovecot default should already work like you want (from 'doveconf -d'):

--- snip ---
service imap-login {
  chroot = login
  client_limit = 0
  drop_priv_before_exec = no
  executable = imap-login
  extra_groups =
  group =
  idle_kill = 0
  inet_listener imap {
    address =
    haproxy = no
    port = 143
    reuse_port = no
    ssl = no
  }
  inet_listener imaps {
    address =
    haproxy = no
    port = 993
    reuse_port = no
    ssl = yes
  }
--- snip ---

But we don't know if you changed anything - that's why I asked for the output, see above.

Regards,
Markus
Hi Marcus,

> it would be very helpful if you could post the output of 'doveconf -n'.

Please see below:

# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21.1 (49005e73)
# OS: Linux 5.4.0-200-generic x86_64 Debian 11.10
# Hostname: a080e4b8a2fe
auth_debug = yes
debug_log_path = /logs/dovecot-debug.log
dict {
  quotadict = mysql:/etc/dovecot/dovecot-dict-sql-quota.conf
}
first_valid_uid = 1000
info_log_path = /logs/dovecot-info.log
last_valid_uid = 1000
listen = *
log_path = /logs/dovecot.log
mail_debug = yes
mail_gid = 1000
mail_home = /srv/mail/%d/%n
mail_location = maildir:~/
mail_plugins = " quota zlib mail_crypt"
mail_privileged_group = mail
mail_uid = 1000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-sql-user.conf
  driver = sql
}
plugin {
  mail_crypt_curve = prime256v1
  mail_crypt_global_private_key = # hidden, use -P to show it
  mail_crypt_global_public_key = # hidden, use -P to show it
  mail_crypt_save_version = 2
  quota = dict:Userquota::proxy::quotadict
  quota_rule2 = Trash:storage=+10%%
  quota_warning = storage=99%% quota-warning +99 %u
  quota_warning2 = storage=95%% quota-warning +95 %u
  quota_warning3 = storage=80%% quota-warning +80 %u
  quota_warning4 = -storage=100%% quota-warning -100 %u
  sieve = /srv/mail/sieve/%u.sieve
  zlib_save = lz4
}
protocols = imap pop3 submission sieve lmtp
service auth {
  inet_listener auth-inet {
    port = 9587
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_min_avail = 1
  service_count = 0
}
service lmtp {
  inet_listener {
    port = 24
  }
}
service managesieve-login {
  client_limit = 1000
  process_min_avail = 1
  service_count = 0
}
service pop3-login {
  client_limit = 1000
  process_min_avail = 1
  service_count = 0
}
service quota-warning {
  executable = script /scripts/quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
  user = vmail
}
service submission-login {
  client_limit = 1000
  process_min_avail = 1
  service_count = 0
}
ssl_cert = </certs/fullchain.pem
ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!eNULL:!3DES:!MD5:!PSK:!DSS:!RC4:!SEED:!IDEA:+HIGH:+MEDIUM
ssl_key = # hidden, use -P to show it
ssl_options = no_compression no_ticket
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql-user.conf
  driver = sql
}
verbose_proctitle = yes
protocol imap {
  imap_metadata = yes
  mail_plugins = " quota zlib mail_crypt imap_quota zlib mail_crypt"
}
protocol lmtp {
  mail_plugins = quota sieve mail_crypt
}
protocol sieve {
  managesieve_logout_format = bytes=%i/%o
}
protocol pop3 {
  mail_plugins = " quota zlib mail_crypt mail_crypt"
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}
Hi Dino

On 26.12.24 18:31, Dino Edwards via dovecot wrote:
>> it would be very helpful if you could post the output of 'doveconf -n'.
> Please see below:

thank you very much.

> service imap-login {
>   client_limit = 1000
>   process_min_avail = 1
>   service_count = 0
> }

As you didn't change other settings of this service, I think this should be fine.

And as you also didn't change these parameters (shown with their defaults):

auth_mechanisms = plain
disable_plaintext_auth = yes
ssl = yes

they should have their default values too. This means that a client is allowed to use plaintext authentication, but only if SSL/TLS is used, which isn't the case according to the defaults you use for

service imap-login {
  [...]
  inet_listener imap {
    [...]
    port = 143
    ssl = no          <-------- disables SSL/TLS

In the end I assume that although you can connect to port 143 unencrypted, Dovecot doesn't accept the plaintext authentication. Could that be the case or am I misunderstanding your current situation/problem?

So I think one option would be to set:

disable_plaintext_auth = no

in /etc/dovecot/conf.d/10-auth.conf to allow your clients to connect to port 143 without SSL/TLS and authenticate with a plaintext mechanism (only 'plain' is allowed at the moment).

If my assumptions are wrong, then please send an appropriate log file entry when a client tries to connect to port 143.

Regards,
Markus
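As an added example (not part of the thread, and not Dovecot's own code): a small Python check that reads `doveconf -n`-style output and reports, per imap-login listener, whether a PLAIN/LOGIN authentication would be accepted over an unencrypted connection, using the three defaults Markus listed (auth_mechanisms, disable_plaintext_auth, ssl). The sample config is constructed, trimmed from the one posted above. The Dovecot behaviour it encodes (a listener with ssl=yes is implicit TLS; global ssl=yes advertises STARTTLS on a ssl=no listener; ssl=required forces STARTTLS before authentication; disable_plaintext_auth=yes refuses plaintext mechanisms unless the session is encrypted or the remote IP equals the local IP) follows the Dovecot settings documentation as I read it, and the function and variable names are mine.

```python
"""Audit which imap-login listeners accept plaintext auth without TLS.

Added example; the parser handles the `key = value` / `name { ... }`
shape of doveconf output, not every corner of the Dovecot config syntax.
"""

# Constructed sample, trimmed from the `doveconf -n` output in the thread.
# `doveconf -n` omits settings at their default, so DEFAULTS fills those in.
SAMPLE_CONF = """\
# 2.3.21.1: /etc/dovecot/dovecot.conf
protocols = imap
service imap-login {
  client_limit = 1000
  inet_listener imap {
    port = 143
    ssl = no
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </certs/fullchain.pem
"""

# Defaults quoted in the thread (doveconf -d).
DEFAULTS = {
    "auth_mechanisms": "plain",
    "disable_plaintext_auth": "yes",
    "ssl": "yes",
}

# Mechanisms that carry the credential in clear; these are what
# disable_plaintext_auth blocks on an unencrypted session.
PLAINTEXT_MECHS = {"plain", "login"}


def parse_doveconf(text):
    """Parse `key = value` lines and `name { ... }` blocks into nested dicts.

    Blocks are keyed by their full header, e.g. 'inet_listener imap'.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
            continue
        key, _, value = line.partition("=")   # split on the first '='
        stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def setting(cfg, key):
    """Top-level setting, falling back to the Dovecot default."""
    return cfg.get(key, DEFAULTS.get(key))


def imap_listeners(cfg):
    """Yield (name, block) for every inet_listener of service imap-login."""
    for header, block in cfg.get("service imap-login", {}).items():
        if isinstance(block, dict) and header.startswith("inet_listener"):
            yield header.split(None, 1)[1], block


def tls_mode(cfg, listener):
    """How a session on this listener can be encrypted."""
    if listener.get("ssl", "no") == "yes":
        return "always"      # implicit TLS from the first byte (993)
    global_ssl = setting(cfg, "ssl")
    if global_ssl == "no":
        return "never"       # no STARTTLS offered at all
    if global_ssl == "required":
        return "required"    # STARTTLS must precede authentication
    return "optional"        # STARTTLS advertised, client may skip it (143)


def plaintext_auth_without_tls(cfg, listener, client_ip=None, server_ip=None):
    """True if PLAIN/LOGIN would be accepted on this listener with no TLS."""
    if tls_mode(cfg, listener) in ("always", "required"):
        return False         # the session is encrypted before AUTH anyway
    mechs = set(setting(cfg, "auth_mechanisms").lower().split())
    if not mechs & PLAINTEXT_MECHS:
        return False         # no plaintext mechanism is configured at all
    if setting(cfg, "disable_plaintext_auth") == "no":
        return True
    # Dovecot treats a connection whose remote IP equals the local IP as
    # secure, so the plaintext ban does not apply to it.
    return client_ip is not None and client_ip == server_ip


def audit(conf_text):
    """Map listener name -> port, TLS mode, and plaintext-without-TLS verdict."""
    cfg = parse_doveconf(conf_text)
    return {
        name: {
            "port": block.get("port"),
            "tls": tls_mode(cfg, block),
            "plaintext_auth_without_tls": plaintext_auth_without_tls(cfg, block),
        }
        for name, block in imap_listeners(cfg)
    }


if __name__ == "__main__":
    variants = (
        ("as posted", SAMPLE_CONF),
        ("with disable_plaintext_auth = no", SAMPLE_CONF + "disable_plaintext_auth = no\n"),
    )
    for label, text in variants:
        print(label)
        for name, info in audit(text).items():
            print(f"  {name}: {info}")
```

Run against the posted configuration the audit reports port 143 as `tls: optional` with plaintext authentication refused, which is the situation Markus describes; appending `disable_plaintext_auth = no` flips the 143 verdict to allowed, meaning passwords then cross the network in clear on that port. Because the global `ssl = yes` already advertises STARTTLS on the 143 listener, a client that supports STARTTLS can authenticate on 143 with the default left in place, so it is worth confirming that the clients really cannot do STARTTLS before switching the protection off.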
participants (2)
- Dino Edwards
- Markus Winkler