[Dovecot] Disable TLS on port 143?

John Peacock jpeacock at rowman.com
Tue Jan 9 20:07:21 UTC 2007


Timo Sirainen wrote:
> It'd have to remove "STARTTLS" from CAPABILITY response. No idea if it's 
> actually capable of doing that.
> 

No, ipchains isn't smart enough (I wasn't paying attention, DUH).  It 
could only be done with a transparent proxy.

But just stripping the STARTTLS from the CAPABILITY like this:

> --- ./src/imap-login/client.c.orig      2007-01-09 15:03:49.298055528 -0500
> +++ ./src/imap-login/client.c   2007-01-09 15:04:06.883739152 -0500
> @@ -100,7 +100,7 @@
>         auths = client_authenticate_get_capabilities(client->common.secured);
>         return t_strconcat(capability_string,
>                            (ssl_initialized && !client->common.tls) ?
> -                          " STARTTLS" : "",
> +                          "" : "",
>                            disable_plaintext_auth && !client->common.secured ?
>                            " LOGINDISABLED" : "", auths, NULL);
>  }
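Review bot: The replacement line `"" : "",` leaves the ternary on `(ssl_initialized && !client->common.tls)` with two identical branches, so the condition is now dead code. Drop that argument from the `t_strconcat()` call, or gate `" STARTTLS"` on a configuration setting instead of hard-coding it out. This hunk also changes only what is advertised: nothing visible here makes the server refuse a STARTTLS command that a client sends anyway. The following context lines still emit `" LOGINDISABLED"` when `disable_plaintext_auth && !client->common.secured`, so with that setting enabled an unsecured client on this port is told logins are disabled and is offered no way to become secured. The patch should state that it only works with plaintext authentication allowed on this port.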

(watch wrapping) should be sufficient.

Of course, if the real issue is that the users are frightened by the 
unsigned certificate message, he could pony up the $100 for a cert 
signed by a trusted authority and the clients won't even bleat...

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748

