[Dovecot] Force STARTTLS on port 143 for !internalnetwork
Hi!
How can I force users which are connecting from OUTSIDE our networks to use STARTTLS on Port 143?
Right now we resort to IMAPS on port 993, but an additional STARTTLS enabled login on the default port would make things easier!
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | http://www.charite.de
Ralf Hildebrandt wrote:
> Hi!
> How can I force users which are connecting from OUTSIDE our networks to use STARTTLS on Port 143?
> Right now we resort to IMAPS on port 993, but an additional STARTTLS enabled login on the default port would make things easier!
You can probably add login_trusted_networks = localnet
IIRC this allows for unsecure login from your localnet but forces all other networks to use a secure authentication method (e.g. SSL, STARTTLS, CRAM or DIGEST).
N.
On 9.2.2011, at 15.09, Nick Rosier wrote:
>> How can I force users which are connecting from OUTSIDE our networks to use STARTTLS on Port 143?
>> Right now we resort to IMAPS on port 993, but an additional STARTTLS enabled login on the default port would make things easier!
> You can probably add login_trusted_networks = localnet
> IIRC this allows for unsecure login from your localnet but forces all other networks to use a secure authentication method (e.g. SSL, STARTTLS, CRAM or DIGEST).
I think that'll work, yes, but it has the additional feature of allowing clients from localnet to fake their IP address.
In v2.0 you can do:
    disable_plaintext_auth = yes
    local 10.0.0.0/24 {
      disable_plaintext_auth = no
    }
- Timo Sirainen <tss@iki.fi>:
> I think that'll work, yes, but it has the additional feature of allowing clients from localnet to fake their IP address.
Yes, I noticed this while reading the checkin message for the feature.
> In v2.0 you can do:
>     disable_plaintext_auth = yes
>     local 10.0.0.0/24 {
>       disable_plaintext_auth = no
>     }
Can I also specify more than one subnet there?
On 9.2.2011, at 17.13, Ralf Hildebrandt wrote:
> - Timo Sirainen <tss@iki.fi>:
>> I think that'll work, yes, but it has the additional feature of allowing clients from localnet to fake their IP address.
> Yes, I noticed this while reading the checkin message for the feature.
It's also mentioned in the example-config.
>> In v2.0 you can do:
>>     disable_plaintext_auth = yes
>>     local 10.0.0.0/24 {
>>       disable_plaintext_auth = no
>>     }
> Can I also specify more than one subnet there?
You can add multiple local {} blocks. Uh. Actually, you want remote {}, not local {}.
- Timo Sirainen <tss@iki.fi>:
>>> In v2.0 you can do:
>>>     disable_plaintext_auth = yes
>>>     local 10.0.0.0/24 {
>>>       disable_plaintext_auth = no
>>>     }
>> Can I also specify more than one subnet there?
> You can add multiple local {} blocks. Uh. Actually, you want remote {}, not local {}.
It's easier to enumerate the INTERNAL networks than the whole internet...
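To put the thread's conclusion together in one place, here is an added example (not a configuration posted by any participant) of a Dovecot 2.0 setup that keeps port 143 open but only accepts plaintext authentication after STARTTLS unless the client comes from an enumerated internal network. The 10.0.0.0/24 subnet is taken from the thread; 192.0.2.0/24 and the certificate paths are placeholders to be replaced with your own values. It uses remote {} blocks, as Timo corrected, rather than login_trusted_networks, which additionally lets trusted clients override the IP address Dovecot records for them.

```conf
# Added example, not from the thread. Assumptions: 10.0.0.0/24 (from the
# thread) and 192.0.2.0/24 (placeholder) are the internal networks;
# certificate paths are placeholders.

# Default for every client: refuse plaintext authentication on an
# unencrypted connection. On port 143 Dovecot then advertises
# LOGINDISABLED in CAPABILITY until the client has issued STARTTLS.
disable_plaintext_auth = yes

# Offer TLS so STARTTLS works on 143 and IMAPS keeps working on 993.
ssl = yes
# placeholder paths, replace with the real certificate and key
ssl_cert = </etc/ssl/certs/imap.example.org.pem
ssl_key = </etc/ssl/private/imap.example.org.key

# remote {} matches on the client's address. Enumerating the internal
# networks is far shorter than enumerating the outside world; one block
# per subnet, every other address keeps the default above.
remote 10.0.0.0/24 {
  disable_plaintext_auth = no
}
remote 192.0.2.0/24 {
  disable_plaintext_auth = no
}
```

After a reload, `doveconf -n` shows the effective settings including the remote {} blocks. To confirm the behaviour from an external address, `openssl s_client -connect imap.example.org:143 -starttls imap` should show LOGINDISABLED in the capability list before the TLS handshake and plain LOGIN/AUTH=PLAIN only afterwards, while a client inside 10.0.0.0/24 sees the authentication mechanisms immediately.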
Participants (3): Nick Rosier, Ralf Hildebrandt, Timo Sirainen