[Dovecot] IMAP over SSL
Hello.
I've never tried Dovecot. Here is my attempt to enable IMAP over SSL on port 993. (BTW, I don't want to use port 143 at all.)
# dovecot -n
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps
listen: *:143,[::]:143
ssl_listen: *:993,[::]:993
ssl: required
ssl_cert_file: /etc/dovecot/keycert.pem
ssl_key_file: /etc/dovecot/keycert.pem
ssl_cipher_list: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!NULL:@STRENGTH
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mbox_write_locks: fcntl dotlock
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
- Here is a snippet from dovecot.conf. Is it correct? Should I change something? (Note that I don't want to enable IMAP on port 143.)
protocols = imaps
protocol imap {
  listen = *:143,[::]:143
  ssl_listen = *:993,[::]:993
}
disable_plaintext_auth = yes
ssl_listen = *:993,[::]:993
ssl = required
ssl_cert_file = /etc/dovecot/keycert.pem
ssl_key_file = /etc/dovecot/keycert.pem
ssl_cipher_list = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!NULL:@STRENGTH
- I don't understand the syntax connected with auth. What auth options are enabled by default?
dovecot.conf:
No sections (e.g. namespace {}) or plugin settings are added by default, they're listed only as examples.
Does it mean that passdb pam will use defaults (e.g. session=yes, setcred=yes)?
passdb pam {
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  #
  # session=yes makes Dovecot open and immediately close PAM session. Some
  # PAM plugins need this to work, such as pam_mkhomedir.
  #
  # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
  # need that. They aren't ever deleted though, so this isn't enabled by
  # default.
  #
  # max_requests specifies how many PAM lookups to do in one process before
  # recreating the process. The default is 100, because many PAM plugins
  # leak memory.
  #
  # cache_key can be used to enable authentication caching for PAM
  # (auth_cache_size also needs to be set). It isn't enabled by default
  # because PAM modules can do all kinds of checks besides checking password,
  # such as checking IP address. Dovecot can't know about these checks
  # without some help. cache_key is simply a list of variables (see
  # /usr/share/doc/dovecot-common/wiki/Variables.txt) which must match
  # for the cached data to be used.
  # Here are some examples:
  #   %u - Username must match. Probably sufficient for most uses.
  #   %u%r - Username and remote IP address must match.
  #   %u%s - Username and service (ie. IMAP, POP3) must match.
  #
  # The service name can contain variables, for example %Ls expands to
  # pop3 or imap.
  #
  # Some examples:
  #   args = session=yes %Ls
  #   args = cache_key=%u dovecot
  #args = dovecot
}
- Here is the output of `openssl s_client -tls1 -connect mail.example.com:993`. Is it OK?
[snip]
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
[snip]
Verify return code: 18 (self signed certificate)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
Also, where can I read about these options?
Any comments are appreciated.
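An added example, not part of the thread and not Dovecot code: a small Python checker that reads the flat `dovecot -n` output and the `openssl s_client` transcript pasted above and reports the points a reviewer would look at first for an "IMAP on 993 only" setup. The sample inputs are constructed from the post (the `933` port from the config snippet is reintroduced on purpose so the port check has something to catch), and the rules encode this reviewer's assumptions about what such a setup should look like rather than anything Dovecot itself enforces.

```python
"""Sanity-check a Dovecot IMAP-over-SSL setup from captured text.

Added example for this thread, not Dovecot code. Parses `dovecot -n` style
"key: value" lines and an `openssl s_client` transcript (both samples below
are constructed from the mail) and returns findings as plain strings.
"""
import re

# Constructed sample: the poster's dovecot -n output, one setting per line,
# with the 933 typo from the mail's config snippet reintroduced on purpose.
SAMPLE_DOVECOT_N = """\
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps
listen: *:143,[::]:143
ssl_listen: *:993,[::]:933
ssl: required
disable_plaintext_auth: yes
ssl_cert_file: /etc/dovecot/keycert.pem
ssl_key_file: /etc/dovecot/keycert.pem
ssl_cipher_list: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!NULL:@STRENGTH
mail_location: maildir:~/Maildir
"""

# Constructed sample: the s_client lines quoted in the post.
SAMPLE_S_CLIENT = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
Verify return code: 18 (self signed certificate)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
"""


def parse_dovecot_n(text):
    """Turn 'key: value' lines into a dict; nested auth lines are ignored."""
    conf = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#") or line.startswith(" "):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def listen_ports(spec):
    """Port numbers from a listen spec such as '*:993,[::]:993'."""
    return sorted({int(p) for p in re.findall(r":(\d+)(?:,|$)", spec)})


def lint_dovecot(conf, ssl_port=993):
    """Findings for an SSL-only IMAP deployment (reviewer's assumptions)."""
    findings = []
    protos = conf.get("protocols", "").split()
    if "imap" in protos or "pop3" in protos:
        findings.append("plaintext protocol enabled: %s" % " ".join(protos))
    if conf.get("ssl") != "required":
        findings.append("ssl is %r, expected 'required'" % conf.get("ssl"))
    # dovecot -n omits defaults; the documented default for this is yes.
    if conf.get("disable_plaintext_auth", "yes") != "yes":
        findings.append("disable_plaintext_auth is not yes")
    bad = [p for p in listen_ports(conf.get("ssl_listen", "")) if p != ssl_port]
    if bad:
        findings.append("ssl_listen uses unexpected port(s): %s" % bad)
    plain = listen_ports(conf.get("listen", ""))
    if plain and "imap" not in protos:
        findings.append("listen still names port(s) %s; confirm with "
                        "ss -ltn that nothing is bound there" % plain)
    ciphers = conf.get("ssl_cipher_list", "").split(":")
    for excl in ("!aNULL", "!eNULL"):
        if excl not in ciphers:
            findings.append("ssl_cipher_list does not exclude %s" % excl[1:])
    if conf.get("ssl_cert_file") and conf.get("ssl_cert_file") == conf.get("ssl_key_file"):
        findings.append("cert and key share one file; keep it root-only (mode 0600)")
    return findings


def check_s_client(text):
    """Flag what an openssl s_client transcript reveals about the listener."""
    findings = []
    m = re.search(r"^Compression: (.+)$", text, re.M)
    if m and m.group(1).strip().upper() != "NONE":
        findings.append("TLS compression negotiated (%s)" % m.group(1).strip())
    m = re.search(r"^Verify return code: (\d+) \((.+)\)$", text, re.M)
    if m and m.group(1) != "0":
        findings.append("certificate not verified by the client: %s" % m.group(2))
    return findings


if __name__ == "__main__":
    for f in lint_dovecot(parse_dovecot_n(SAMPLE_DOVECOT_N)):
        print("config:", f)
    for f in check_s_client(SAMPLE_S_CLIENT):
        print("tls:", f)
```

Run against the samples it reports the `933` port, the leftover `listen` on 143 to double-check with `ss -ltn`, the shared cert/key file, the zlib compression the server negotiated, and the self-signed certificate that clients will not be able to verify. Feed it real `doveconf -n` output (untrimmed, so the version line is visible too) rather than the samples to check a live host.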
On 2012-11-27 8:32 AM, petsy12@lavabit.com <petsy12@lavabit.com> wrote:
> I've never tried Dovecot. Here is my attempt to enable IMAP over SSL on port 993. (BTW, I don't want to use port 143 at all.)
>
> # dovecot -n
> log_timestamp: %Y-%m-%d %H:%M:%S
> protocols: imaps
Please don't trim the doveconf -n output...
It shows the version of dovecot (so no one has to ask)...
--
Best regards,
Charles