[Dovecot] tls and auth plain login
Hello List,
I want to allow plain text passwords only on ssl/tls.
Is it possible to have: auth default { mechanisms = cram-md5 ntlm ...... }
and then override this when the connection is ssl/tls to allow plain and
login?
I have tried adding "mechanisms = plain login cram-md5 ntlm" to
"protocol imaps{}" as an example but I get an error that the protocol
does not exist.
I read somewhere today that dovecot enables plain automatically over
secure connections (ssl/tls) but I'm not seeing it.
Also, "auth default" suggests that "auth something_else" is possible.
I'm probably just doing a poor job of research but I'm not finding the
answers I'm seeking.
Using postfix and lda.
# openssl s_client -connect localhost:993
a01 capability
* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED I18NLEVEL=1 AUTH=CRAM-MD5 AUTH=NTLM
a01 OK Capability completed.
Note about the output below: the fd limit is increased by the management script.
# dovecot -n
# 1.1.3: /opt/local/etc/dovecot/dovecot.conf
Warning: fd limit 256 is lower than what Dovecot can use under full
load (more than 768). Either grow the limit or change
login_max_processes_count and max_mail_processes settings
log_path: /opt/local/var/ispbox/log/mail/dovecot.log
protocols: imap imaps pop3 pop3s
ssl_cert_file: /opt/local/etc/ssl/certs/dovecot.pem
ssl_key_file: /opt/local/etc/ssl/private/dovecot.pem
login_dir: /opt/local/var/run/dovecot/login
login_executable(default): /opt/local/libexec/dovecot/imap-login
login_executable(imap): /opt/local/libexec/dovecot/imap-login
login_executable(pop3): /opt/local/libexec/dovecot/pop3-login
mail_location: dbox:/opt/local/var/ispbox/mail/%d/%n/dbox
mail_executable(default): /opt/local/libexec/dovecot/imap
mail_executable(imap): /opt/local/libexec/dovecot/imap
mail_executable(pop3): /opt/local/libexec/dovecot/pop3
mail_plugin_dir(default): /opt/local/lib/dovecot/imap
mail_plugin_dir(imap): /opt/local/lib/dovecot/imap
mail_plugin_dir(pop3): /opt/local/lib/dovecot/pop3
auth default:
  mechanisms: cram-md5 ntlm
  passdb:
    driver: sql
    args: /opt/local/etc/dovecot/dovecot_mysql.conf
  userdb:
    driver: prefetch
  userdb:
    driver: sql
    args: /opt/local/etc/dovecot/dovecot_mysql.conf
  socket:
    type: listen
    client:
      path: /opt/local/var/spool/postfix/private/auth
      mode: 432
      user: _postfix
      group: _postfix
    master:
      path: /opt/local/var/run/dovecot/auth-master
      mode: 384
      user: _vmail
Thanks for any tips, //Bradley
On Tue, 2009-03-03 at 10:48 -0800, Bradley Giesbrecht wrote:
> I want to allow plain text passwords only on ssl/tls.

The default settings do that.

> Is it possible to have: auth default { mechanisms = cram-md5 ntlm

mechanisms = plain cram-md5 ntlm

And then verify that you have disable_plaintext_auth=yes, which is also the default.

When testing make sure you don't test it from the local server, because Dovecot treats local IPs as trusted.
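The property Timo describes (PLAIN/LOGIN usable only once the connection is encrypted, and never from a cleartext session) is something worth verifying rather than assuming, and it has to be verified from a host other than the mail server because local IPs are trusted. The following checker is an added example, not code from this thread or from Dovecot. It parses an IMAP CAPABILITY line like the one Bradley pasted from openssl s_client, applies that policy, and can optionally fetch the live capability set of a server with the standard library's imaplib. The port 993 line is the one captured in the thread; the port 143 lines are constructed samples, and the names parse_capabilities, auth_mechanisms, assess and probe are my own.

```python
"""Check what an IMAP server offers for authentication before and after TLS.

Added example (not from the thread or from Dovecot). Policy checked:
  - over TLS, PLAIN/LOGIN are expected (that is why TLS is required);
  - over cleartext, PLAIN/LOGIN must be absent, the LOGIN command must be
    disabled (LOGINDISABLED) and STARTTLS must be offered.
"""
import imaplib
import ssl
import sys

# SASL mechanisms that carry the password in the clear (or trivially decodable).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Capability line captured in the thread over port 993 (TLS).
CAPTURED_TLS_LINE = (
    "* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND "
    "UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS "
    "LIST-EXTENDED I18NLEVEL=1 AUTH=CRAM-MD5 AUTH=NTLM"
)
# Constructed samples for a cleartext port 143 (not captured from any server).
CONSTRUCTED_CLEARTEXT_EXPOSED = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5"
CONSTRUCTED_CLEARTEXT_HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5 AUTH=NTLM"


def parse_capabilities(line):
    """Return the upper-cased capability tokens of an untagged CAPABILITY response."""
    tokens = line.split()
    if tokens and tokens[0] == "*":
        tokens = tokens[1:]
    if tokens and tokens[0].upper() == "CAPABILITY":
        tokens = tokens[1:]
    return {t.upper() for t in tokens}


def auth_mechanisms(caps):
    """Extract the SASL mechanism names from AUTH=<name> capabilities."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def assess(caps, encrypted):
    """Return a list of findings (empty means the policy holds) for one connection."""
    findings = []
    mechs = auth_mechanisms(caps)
    if encrypted:
        # Bradley's symptom: TLS session, but no plaintext mechanism to use on it.
        if not mechs & PLAINTEXT_MECHS:
            findings.append("no PLAIN/LOGIN offered over TLS: add 'plain' to mechanisms")
        return findings
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if exposed:
        findings.append("plaintext mechanisms offered before TLS: " + " ".join(exposed))
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command accepted before TLS (no LOGINDISABLED)")
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    return findings


def probe(host, port, use_tls, timeout=10):
    """Fetch the pre-login capability set from a live server (needs network access).

    Run it from a machine other than the mail server: Dovecot treats
    connections from local IPs as secure and will offer PLAIN to them anyway.
    """
    if use_tls:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context(),
                                 timeout=timeout)
    else:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        _typ, data = conn.capability()
        return {tok.decode("ascii").upper() for tok in data[0].split()}
    finally:
        conn.logout()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline run over the captured and constructed lines.
        samples = [("captured :993", CAPTURED_TLS_LINE, True),
                   ("constructed :143 exposed", CONSTRUCTED_CLEARTEXT_EXPOSED, False),
                   ("constructed :143 hardened", CONSTRUCTED_CLEARTEXT_HARDENED, False)]
        for label, line, enc in samples:
            print(label, assess(parse_capabilities(line), enc) or ["ok"])
    else:
        # Live run: python3 imap_auth_check.py mail.example.invalid
        for port, enc in ((143, False), (993, True)):
            print(port, assess(probe(sys.argv[1], port, enc), enc) or ["ok"])
```

Run without arguments it reports on the captured 993 line (no PLAIN offered, which is exactly what Bradley saw with mechanisms = cram-md5 ntlm) and on the two constructed cleartext samples; with a hostname it probes 143 and 993 of a real server, which only tells you something when run from a non-local address.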
On Mar 3, 2009, at 2:37 PM, Timo Sirainen wrote:
> On Tue, 2009-03-03 at 10:48 -0800, Bradley Giesbrecht wrote:
>> I want to allow plain text passwords only on ssl/tls.
>
> The default settings do that.
>
>> Is it possible to have: auth default { mechanisms = cram-md5 ntlm
>
> mechanisms = plain cram-md5 ntlm
>
> And then verify that you have disable_plaintext_auth=yes, which is
> also the default.

Thank you Timo.

I had removed disable_plaintext_auth from my conf because with it in
place it failed to show up in "dovecot -n".
I figured I had it in the wrong place.
Should disable_plaintext_auth show in "dovecot -n"?

> When testing make sure you don't test it from the local server, because Dovecot treats local IPs as trusted.

I'll make sure I test from remotes going forward. Thanks.

A couple of us are working on a macports project for dovecot,
postfix, mysql, bind9 dlz etc... virtual everything.....
If we are successful in producing something of value I'll send you a
link to the port. Maybe you would want to add it to some part of your
wiki.

Also, the way we are building should easily move to bsd's and linux
distros. I know there are a bunch of these types of things out there
but I didn't find one that was what I was looking for.

//Brad
On Mar 3, 2009, at 7:55 PM, Bradley Giesbrecht wrote:
> I had removed disable_plaintext_auth from my conf because with it in
> place it failed to show up in "dovecot -n". I figured I had it in the wrong place. Should disable_plaintext_auth show in "dovecot -n"?

dovecot -n shows settings that you have set to non-defaults.
disable_plaintext_auth=yes doesn't show up there, because it is the
default. dovecot -a shows all settings.

> A couple of us are working on a macports project for dovecot,
> postfix, mysql, bind9 dlz etc... virtual everything..... If we are successful in producing something of value I'll send you a
> link to the port. Maybe you would want to add it to some part of
> your wiki.

I guess it would belong to http://wiki.dovecot.org/HowTo. And feel
free to add it yourself.
> A couple of us are working on a macports project for dovecot, postfix, mysql, bind9 dlz etc... virtual everything.....

pkgsrc has all of these.

> Also, the way we are building should easily move to bsd's and linux distros.

pkgsrc already does that (and even Solaris, Irix and HP-UX).

> I know there are a bunch of these types of things out there but I didn't find one that was what I was looking for.

Did you try pkgsrc?
On Mar 4, 2009, at 9:36 AM, Edgar Fuß wrote:
>> A couple of us are working on a macports project for dovecot,
>> postfix, mysql, bind9 dlz etc... virtual everything.....
>
> pkgsrc has all of these.
>
>> Also, the way we are building should easily move to bsd's and linux distros.
>
> pkgsrc already does that (and even Solaris, Irix and HP-UX).
>
>> I know there are a bunch of these types of things out there but I didn't find one that was what I was looking for.
>
> Did you try pkgsrc?

What is pkgsrc?
> What is pkgsrc?

A package system (see www.pkgsrc.org).

Originally the package system of NetBSD, but then ported to 13 other platforms, Darwin being the second one. Extremely flexible, quarterly stable branches, 7300 packages.

It's really nice to have the same package system on my Macs and NetBSD machines.
On Mar 4, 2009, at 11:22 AM, Edgar Fuß wrote:
>> What is pkgsrc?
>
> A package system (see www.pkgsrc.org)
>
> Originally the package system of NetBSD, but then ported to 13 other
> platforms, Darwin being the second one. Extremely flexible, quarterly
> stable branches, 7300 packages.
>
> It's really nice to have the same package system on my Macs and
> NetBSD machines.

I bet it is. I may have to reconsider.

//Brad