[Dovecot] Enabling security on POP3 and IMAP

Mon Sep 28 13:04:29 EEST 2009

Hello,

Sorry people - my problem is actually the opposite of what I wrote
below... POP3 gives no encryption options whatsoever, and IMAP defaults
correctly, but still gives the option for no encryption.

Also, the SSL section of dovecot.conf is here: http://pastebin.ca/1582348

Thanks again!

Richard.

Richard Hobbs wrote:
> Hello,
> 
>>> Is it possible to offer encrypted and non-encrypted services
>>> simultaneously, so people have a choice of whether they want
>>> security or not? I know that's a bit weird, but for testing
>>> it would be useful.
>> No problem. Basically you just need to specify the certificate
>> (ssl_cert_file) and the key (ssl_key_file) in the config, and
>> add 'imaps' and 'pop3s' to 'protocols'.
> 
> Thanks for the advice... however, it has only partially worked.
> 
> When i "check what the server supports" in Kmail when setting up a new
> account in my email client, for POP3, it says it supports None, SSL and
> TLS and defaults to TLS, and auth methods are Clear text and Plain.
> 
> Is there a way to get rid of the "None" method for encryption? I do not
> have "pop3" in the protocols line - only "pop3s".
> 
> As for IMAP, the problem is worse... all i get for IMAP is "No
> encryption with clear text passwords". SSL/TLS just doesn't seem to be
> an option for IMAP despite "imaps" being in the protocols line and
> "imap" *not* being there.
> 
> For both these tests, rightly or wrongly, i used the standard ports (110
> for POP3, 143 for IMAP). I know SSL typically operates on higher ports
> numbers, at least for IMAP, but I dont' know how this all works when you
> turn off non-encrypted protocols.
> 
> Any advice gratefully received!
> 
> Thanks again,
> Richard.
> 
> 
> Patrick Nagel wrote:
>> Hi Richard,
>>
>> On 2009-09-03 16:38, Richard Hobbs wrote:
>>> Currently, on our new test server, I am offering IMAP on 143 and POP3 on
>>> 110.
>>> We would like to enable security on both of these protocols to attempt
>>> to eliminate the risk from an internal
>>> password-grabbing/content-grabbing attack.
>>> I presume this would mean enabling SSL, and a more securure
>>> authentication, right? Or are plain text passwords just sent over the
>>> SSL, and therefore perfectly secure?
>> Yes, plain text passwords are fine with SSL/TLS, since the connection gets
>> secured before the password is sent.
>>
>>> Also, what are the steps to enable security for these protocols on an
>>> already-configured server?
>>> Is it possible to offer encrypted and non-encrypted services
>>> simultaneously, so people have a choice of whether they want security or
>>> not? I know that's a bit weird, but for testing it would be useful.
>> No problem. Basically you just need to specify the certificate (ssl_cert_file)
>> and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to
>> 'protocols'.
>>
>>> Finally, is there a way to monitor which users are connecting over the
>>> secure ports and which users are connecting over the non-secure ports?
>> You can see it in the log.
>>
>> Patrick.
>>
> 
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
> 
> 
> 

-- 
Richard Hobbs (IT Specialist)
Toshiba Research Europe Ltd. - Cambridge Research Laboratory
Email: richard.hobbs at crl.toshiba.co.uk
Web: http://www.toshiba-europe.com/research/
Tel: +44 1223 436999        Mobile: +44 7811 803377
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3306 bytes
Desc: S/MIME Cryptographic Signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20090928/25c6bc1e/attachment.bin 