[Dovecot] Allow both SSL/993 and STARTTLS/143 connections (secure only)
Hi all,
Ok, up until now, I've only always allowed IMAPS connections to dovecot on port 993.
I want to also start allowing clients to use port 143+STARTTLS, but I also want to make sure both ports are locked down to ONLY allow secure connections.
So... is disable_plaintext_auth = yes in the main config enough to accomplish this?
http://wiki2.dovecot.org/SSL/DovecotConfiguration says:
There are a couple of different ways to specify when SSL/TLS is required:
* disable_plaintext_auth=yes allows plaintext authentication
  <http://wiki2.dovecot.org/Authentication/Mechanisms> only when
  SSL/TLS is used first.
* ssl = required requires SSL/TLS also for non-plaintext
  authentication <http://wiki2.dovecot.org/Authentication/Mechanisms>.
If you have only plaintext mechanisms enabled
(auth { mechanisms = plain login } ), you can use either (or both)
of the above settings. They behave exactly the same way then
and the comments in 10-auth.conf say:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
These seem to be saying that all I need to do is set either or both (ssl-required and/or disable_plaintext_auth=yes).
I'm looking for the simplest, and don't like redundant/unnecessary settings, so... which is the best/preferred way?
And what is the difference between ssl=required and disable_plaintext_auth=yes?
Thanks,
--
Best regards,
*/Charles/*
On 2014-01-03 8:32 AM, Charles Marcus CMarcus@Media-Brokers.com wrote:
Ok, up until now, I've only always allowed IMAPS connections to dovecot on port 993.
I want to also start allowing clients to use port 143+STARTTLS, but I also want to make sure both ports are locked down to ONLY allow secure connections.
And I just had an idea, but don't know if it is possible.
Can I offer one namespace on one port (ie, SSL/993), and a different namespace on the other port (STARTTLS/143)?
This would be a simple and effective way to migrate users from one namespace to another... have them change both the port/security setting and the namespace prefix at the same time, then restart the client... boom.
And this suggests it is possible:
http://wiki2.dovecot.org/Namespaces
The section name in namespaces (e.g. namespace sectionname { .. } is used only internally within configuration. It's not required at all, but it allows you to update an existing namespace (like how 15-mailboxes.conf does) or have userdb override namespace settings for specific users (namespace/sectionname/prefix=foo/).
But the question is, how exactly to implement it, and I can't see from the docs exactly how to go about it.
--
Best regards,
*/Charles/*
On Fri, 03 Jan 2014 10:08:15 -0500 Charles Marcus wrote:
On 2014-01-03 8:32 AM, Charles Marcus CMarcus@Media-Brokers.com wrote:
Ok, up until now, I've only always allowed IMAPS connections to dovecot on port 993.
I want to also start allowing clients to use port 143+STARTTLS, but I also want to make sure both ports are locked down to ONLY allow secure connections.
And I just had an idea, but don't know if it is possible.
Can I offer one namespace on one port (ie, SSL/993), and a different namespace on the other port (STARTTLS/143)?
You don't need 2 namespaces.
In 10-auth.conf set "disable_plaintext_auth = yes"
My 10-master.conf contains
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
And this works.
--Frank Elsner
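As an added check (not part of this thread or of Dovecot itself), the script below reads the greeting a port 143 listener sends before STARTTLS and reports whether plaintext authentication is really locked out: STARTTLS must be offered, LOGINDISABLED advertised, and no AUTH=PLAIN / AUTH=LOGIN mechanisms listed. The two greetings are constructed samples; probe_imap is a hypothetical helper for running the same check against a host you name.

```python
import re
import socket

# Constructed sample: greeting on port 143 with disable_plaintext_auth = yes in effect.
SAMPLE_LOCKED_DOWN = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                      "STARTTLS LOGINDISABLED] Dovecot ready.")
# Constructed sample: greeting of a listener that still accepts plaintext logins before TLS.
SAMPLE_OPEN = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
               "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")


def parse_capabilities(line):
    """Return the capability tokens from an IMAP greeting ('* OK [CAPABILITY ...]')
    or from an untagged '* CAPABILITY ...' response; empty set if there are none."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)$", line)
    return set(m.group(1).split()) if m else set()


def check_plaintext_locked(caps):
    """Evaluate a pre-STARTTLS capability set. LOGINDISABLED only covers the LOGIN
    command, so the SASL plaintext mechanisms must be absent as well."""
    plaintext_mechs = {c for c in caps if c.upper() in ("AUTH=PLAIN", "AUTH=LOGIN")}
    starttls = "STARTTLS" in caps
    login_disabled = "LOGINDISABLED" in caps
    return {
        "starttls_offered": starttls,
        "login_disabled": login_disabled,
        "plaintext_mechs": sorted(plaintext_mechs),
        "locked_down": starttls and login_disabled and not plaintext_mechs,
    }


def probe_imap(host, port=143, timeout=5):
    """Hypothetical network helper: fetch the real greeting and evaluate it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = s.makefile("r", encoding="ascii", errors="replace").readline().rstrip("\r\n")
    return greeting, check_plaintext_locked(parse_capabilities(greeting))


if __name__ == "__main__":
    for name, line in (("locked", SAMPLE_LOCKED_DOWN), ("open", SAMPLE_OPEN)):
        print(name, check_plaintext_locked(parse_capabilities(line)))
```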
On 2014-01-03 10:20 AM, Frank Elsner frank@moltke28.B.Shuttle.DE wrote:
On Fri, 03 Jan 2014 10:08:15 -0500 Charles Marcus wrote:
And I just had an idea, but don't know if it is possible.
Can I offer one namespace on one port (ie, SSL/993), and a different namespace on the other port (STARTTLS/143)?
You don't need 2 namespaces.
In 10-auth.conf set "disable_plaintext_auth = yes"
My 10-master.conf contains
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
And this works.
And this just totally solved one of the last problems I was facing doing the transition...
Adding the above combined with the courier-imap compatibility namespace results in ALL clients looking normal, regardless of which port or namespace prefix they are configured to use.
Thanks Frank!!
--
Best regards,
*/Charles/*