[Dovecot] Enforcing STARTTLS for all mechs while disabling imaps

Timo Sirainen tss at iki.fi
Thu Jan 15 17:55:39 EET 2009


On Thu, 2009-01-15 at 10:26 +0100, Durk Strooisma wrote:
> Hi all,
> 
> Is there a way to enforce STARTTLS for all connections, regardless of their
> authentication mechanism? disable_plaintext_auth only takes care of the auth
> conversation, but I would like to have all communication encrypted.
> 
> As far as I can see, this would only be possible when using imaps and
> disabling imap. However, I would like to have the other way around;
> disabling imaps and using imap for all communication (with enforced
> STARTTLS).
> Am I missing something?

Not possible currently. 

Hmm. I don't want to add a new setting for this, but some existing one
could be updated/replaced.. Perhaps ssl_disable=required? Although that
sounds weird. Maybe deprecate that setting and have ssl=yes/no/required.

Anyway, you could modify the sources pretty easily to do this. In
src/imap-login/client-authenticate.c function cmd_authenticate() add
before the mech_name line something like:

	/* Refuse AUTHENTICATE with any mechanism while the connection is
	 * still cleartext; disable_plaintext_auth doubles as the switch. */
	if (!client->common.secured && disable_plaintext_auth) {
		if (verbose_auth) {
			client_syslog(&client->common, "Login failed: "
				      "STARTTLS not enabled");
		}
		client->common.auth_attempts++;
		/* untagged alert for the user, then the tagged NO for the command */
		client_send_line(client, "* NO [ALERT] STARTTLS required");
		client_send_tagline(client, "NO STARTTLS required");
		return 1;
	}
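
To show the net effect of disable_plaintext_auth (which already covers LOGIN and plaintext mechanisms on an unencrypted connection) combined with the AUTHENTICATE check above, here is an added, self-contained C model of the login-state decision. It is an example written for this page, not Dovecot source: struct imap_client, imap_handle() and the reply texts are invented for the illustration, and the TLS handshake itself is skipped (STARTTLS just flips the secured flag).

```c
/* Added example, not Dovecot source: a toy model of an IMAP login state
 * machine that refuses every authentication command on an unencrypted
 * connection. struct imap_client and imap_handle() are invented names. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct imap_client {
	bool secured;           /* TLS active: STARTTLS done, or an imaps port */
	bool require_tls;       /* policy: no authentication without TLS */
	unsigned auth_attempts; /* counted so repeated refusals can be throttled */
};

enum imap_result { IMAP_OK, IMAP_NO, IMAP_BAD };

/* Handle one client line "<tag> <COMMAND> [args]". Server replies are written
 * to out; the tagged status is returned so callers (and tests) can check it. */
enum imap_result imap_handle(struct imap_client *c, const char *line,
			     char *out, size_t outlen)
{
	char tag[32], cmd[32];

	if (sscanf(line, "%31s %31s", tag, cmd) != 2) {
		snprintf(out, outlen, "* BAD Invalid command\r\n");
		return IMAP_BAD;
	}

	if (strcmp(cmd, "CAPABILITY") == 0) {
		/* While cleartext and TLS is required, advertise STARTTLS and
		 * LOGINDISABLED so well-behaved clients never send credentials. */
		const char *caps = (!c->secured && c->require_tls) ?
			"STARTTLS LOGINDISABLED" : "AUTH=PLAIN AUTH=CRAM-MD5";
		snprintf(out, outlen,
			 "* CAPABILITY IMAP4rev1 %s\r\n%s OK Capability completed.\r\n",
			 caps, tag);
		return IMAP_OK;
	}

	if (strcmp(cmd, "STARTTLS") == 0) {
		if (c->secured) {
			snprintf(out, outlen, "%s BAD TLS is already active.\r\n", tag);
			return IMAP_BAD;
		}
		c->secured = true; /* the real handshake happens after this reply */
		snprintf(out, outlen, "%s OK Begin TLS negotiation now.\r\n", tag);
		return IMAP_OK;
	}

	if (strcmp(cmd, "LOGIN") == 0 || strcmp(cmd, "AUTHENTICATE") == 0) {
		/* The central check: the mechanism does not matter, only whether
		 * the connection is encrypted. This is the combined effect of
		 * disable_plaintext_auth plus the AUTHENTICATE patch above. */
		if (!c->secured && c->require_tls) {
			c->auth_attempts++;
			snprintf(out, outlen,
				 "* NO [ALERT] STARTTLS required\r\n"
				 "%s NO STARTTLS required\r\n", tag);
			return IMAP_NO;
		}
		/* Credential verification is out of scope for the model. */
		snprintf(out, outlen, "%s OK Logged in.\r\n", tag);
		return IMAP_OK;
	}

	snprintf(out, outlen, "%s BAD Unknown command.\r\n", tag);
	return IMAP_BAD;
}

/* Stand-alone demo: the exchange a client sees when it tries to authenticate
 * before STARTTLS, then does it properly. */
int main(void)
{
	static const char *script[] = {
		"a1 CAPABILITY",
		"a2 AUTHENTICATE CRAM-MD5", /* refused: connection still cleartext */
		"a3 STARTTLS",
		"a4 AUTHENTICATE CRAM-MD5", /* now allowed */
	};
	struct imap_client c = { .secured = false, .require_tls = true,
				 .auth_attempts = 0 };
	char out[256];
	size_t i;

	for (i = 0; i < sizeof(script) / sizeof(script[0]); i++) {
		imap_handle(&c, script[i], out, sizeof(out));
		printf("C: %s\r\nS: %s", script[i], out);
	}
	return 0;
}
```

The point of the model is that the decision depends only on c->secured, never on the mechanism name, which is exactly what the original poster asked for; a non-plaintext mechanism such as CRAM-MD5 is refused just like LOGIN until STARTTLS has completed.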
