[Dovecot] Enabling security on POP3 and IMAP

Richard Hobbs richard.hobbs at crl.toshiba.co.uk
Mon Sep 28 13:13:28 EEST 2009


Hello,

Sorry people - I'm an idiot! ;-)

I was testing against our new hostnames that we setup for the new mail
server. Trouble was - these hostnames were setup initially to point at
the old mail server and are still doing so.

Having tested against the new mail server's IP address, everything works
fine!

One question though... before I accept the certificate, I get warnings.
One says the cert is not trusted (which is fine - it's self-signed). The
other warning, however, mentions a hostname mismatch. Is there any way
to put all of the hostnames we'll ever use into that certificate, so
regardless of whether people are accessing "mail.domain", "pop3.domain" or
"imap.domain", the hostname mismatch does not occur?

Thanks again!

Richard.


Richard Hobbs wrote:
> Hello,
> 
> Sorry people - my problem is actually the opposite of what I wrote
> below... POP3 gives no encryption options whatsoever, and IMAP defaults
> correctly, but still gives the option for no encryption.
> 
> Also, the SSL section of dovecot.conf is here: http://pastebin.ca/1582348
> 
> Thanks again!
> 
> Richard.
> 
> 
> Richard Hobbs wrote:
>> Hello,
>>
>>>> Is it possible to offer encrypted and non-encrypted services
>>>> simultaneously, so people have a choice of whether they want
>>>> security or not? I know that's a bit weird, but for testing
>>>> it would be useful.
>>> No problem. Basically you just need to specify the certificate
>>> (ssl_cert_file) and the key (ssl_key_file) in the config, and
>>> add 'imaps' and 'pop3s' to 'protocols'.
>> Thanks for the advice... however, it has only partially worked.
>>
>> When I "check what the server supports" in Kmail when setting up a new
>> account in my email client, for POP3, it says it supports None, SSL and
>> TLS and defaults to TLS, and auth methods are Clear text and Plain.
>>
>> Is there a way to get rid of the "None" method for encryption? I do not
>> have "pop3" in the protocols line - only "pop3s".
>>
>> As for IMAP, the problem is worse... all I get for IMAP is "No
>> encryption with clear text passwords". SSL/TLS just doesn't seem to be
>> an option for IMAP despite "imaps" being in the protocols line and
>> "imap" *not* being there.
>>
>> For both these tests, rightly or wrongly, I used the standard ports (110
>> for POP3, 143 for IMAP). I know SSL typically operates on higher port
>> numbers, at least for IMAP, but I don't know how this all works when you
>> turn off non-encrypted protocols.
>>
>> Any advice gratefully received!
>>
>> Thanks again,
>> Richard.
>>
>>
>> Patrick Nagel wrote:
>>> Hi Richard,
>>>
>>> On 2009-09-03 16:38, Richard Hobbs wrote:
>>>> Currently, on our new test server, I am offering IMAP on 143 and POP3 on
>>>> 110.
>>>> We would like to enable security on both of these protocols to attempt
>>>> to eliminate the risk from an internal
>>>> password-grabbing/content-grabbing attack.
>>>> I presume this would mean enabling SSL, and a more secure
>>>> authentication, right? Or are plain text passwords just sent over the
>>>> SSL, and therefore perfectly secure?
>>> Yes, plain text passwords are fine with SSL/TLS, since the connection gets
>>> secured before the password is sent.
>>>
>>>> Also, what are the steps to enable security for these protocols on an
>>>> already-configured server?
>>>> Is it possible to offer encrypted and non-encrypted services
>>>> simultaneously, so people have a choice of whether they want security or
>>>> not? I know that's a bit weird, but for testing it would be useful.
>>> No problem. Basically you just need to specify the certificate (ssl_cert_file)
>>> and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to
>>> 'protocols'.
>>>
>>>> Finally, is there a way to monitor which users are connecting over the
>>>> secure ports and which users are connecting over the non-secure ports?
>>> You can see it in the log.
>>>
>>> Patrick.
>>>
>>
>>
>>
> 

-- 
Richard Hobbs (IT Specialist)
Toshiba Research Europe Ltd. - Cambridge Research Laboratory
Email: richard.hobbs at crl.toshiba.co.uk
Web: http://www.toshiba-europe.com/research/
Tel: +44 1223 436999        Mobile: +44 7811 803377
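The settings Patrick refers to (ssl_cert_file, ssl_key_file, and the 'protocols' line), collected into one fragment as an added example; this is not the poster's dovecot.conf (that was only linked to) and uses the Dovecot 1.x option names of the period with placeholder certificate paths. Keeping 'imap' and 'pop3' in 'protocols' alongside 'imaps' and 'pop3s' is what makes STARTTLS available on ports 143 and 110, while 993 and 995 serve SSL-wrapped sessions; disable_plaintext_auth is what stops the "None" encryption choice shown by the client from ever carrying a password in the clear.

```conf
# Added example fragment for dovecot.conf (Dovecot 1.x option names).
# Certificate/key paths are placeholders, not the values from the thread.

# 143/110 advertise STARTTLS; 993/995 are the SSL-wrapped listeners.
protocols = imap imaps pop3 pop3s

ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem

# Refuse PLAIN/LOGIN authentication on a connection that has not been
# secured, so a client that picks "no encryption" cannot leak a password.
# (This is already the default; shown here because it answers the
# "can I get rid of None?" question.)
disable_plaintext_auth = yes
```

With this in place a client connecting to 143 or 110 without issuing STARTTLS still sees the server, but its AUTH or USER/PASS attempt is rejected until the session is encrypted.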
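On the hostname-mismatch question: the names a certificate is valid for live in its subjectAltName extension (dNSName entries), and a client compares the name it connected to against those entries. The following is an added example, not code from the thread or from Dovecot, that implements that comparison (exact, case-insensitive match, with a wildcard allowed only as the whole left-most label, as in RFC 6125) so you can check a planned name list against a certificate before deploying it. All hostnames are constructed placeholders.

```python
# Added example: check whether a certificate's dNSName entries cover every
# hostname clients will use, so no "hostname mismatch" warning appears.
# Matching follows RFC 6125 section 6.4: case-insensitive exact match, and a
# wildcard only as the entire left-most label of a name with 3+ labels.

from typing import Iterable, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN entry `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, must leave at least two
    # labels to its right, and matches exactly one non-empty label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def missing_hostnames(san_dns_names: Iterable[str], required: Iterable[str]) -> List[str]:
    """Return the required hostnames that no SAN entry covers (empty = OK)."""
    sans = list(san_dns_names)
    return [h for h in required if not any(hostname_matches(p, h) for p in sans)]


# Constructed data: every name users might type into their mail client,
# a certificate issued for the primary name only, and one issued with all
# aliases listed as subjectAltName entries.
CLIENT_HOSTNAMES = ["mail.example.test", "pop3.example.test", "imap.example.test"]
SINGLE_NAME_CERT = ["mail.example.test"]
SAN_CERT = ["mail.example.test", "pop3.example.test", "imap.example.test"]

if __name__ == "__main__":
    print(missing_hostnames(SINGLE_NAME_CERT, CLIENT_HOSTNAMES))
    print(missing_hostnames(SAN_CERT, CLIENT_HOSTNAMES))
```

When issuing the certificate with OpenSSL, the extra names go into the subjectAltName extension: `openssl req -addext 'subjectAltName=DNS:mail.example.test,DNS:pop3.example.test,DNS:imap.example.test'` on OpenSSL 1.1.1 and later, or a `subjectAltName = DNS:...` line in the extensions section of an openssl.cnf on older releases. A wildcard entry such as `*.example.test` covers all three aliases at once but not the bare `example.test`, which is why the checker above treats label counts strictly.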
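Patrick's answer to the monitoring question ("You can see it in the log") is worth making concrete: Dovecot's login processes write one `Login:` line per successful authentication, and a session that was encrypted before the password was sent carries a trailing `TLS` marker (later versions also use `secured` for trusted local connections). The script below is an added example, not part of the thread or of Dovecot, that parses such lines and reports which users still authenticate without encryption; the log lines are constructed samples in that shape with the syslog prefix stripped.

```python
# Added example: classify Dovecot login log lines by whether the session
# was encrypted, and list users who still log in over plaintext.
# Sample lines are constructed (syslog timestamp/host prefix removed).

import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG = """\
imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5
imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, TLS
pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.5, TLS
imap-login: Disconnected (no auth attempts): rip=192.0.2.14, lip=198.51.100.5
pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5
"""

# Fields are comma-separated; anything after lip= (TLS, secured, session=...)
# is collected as flags so newer log variants still parse.
LOGIN_RE = re.compile(
    r"^(?P<service>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>[^,\s]+), rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)"
    r"(?P<flags>(?:, [^,\s]+)*)$"
)


def parse_login(line: str) -> Optional[Dict[str, object]]:
    """Parse one successful-login line; return None for any other line."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    flags = [f for f in m.group("flags").split(", ") if f]
    rec: Dict[str, object] = m.groupdict()
    del rec["flags"]
    rec["encrypted"] = "TLS" in flags or "secured" in flags
    return rec


def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Per-user counts of encrypted vs plaintext logins."""
    by_user: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec:
            kind = "encrypted" if rec["encrypted"] else "plaintext"
            by_user[str(rec["user"])][kind] += 1
    return {user: dict(counts) for user, counts in by_user.items()}


def plaintext_users(log_text: str) -> List[str]:
    """Users who authenticated at least once without TLS: follow these up."""
    return sorted(u for u, c in summarize(log_text).items() if c.get("plaintext"))


if __name__ == "__main__":
    for user, counts in summarize(SAMPLE_LOG).items():
        print(user, counts)
    print("still using plaintext:", plaintext_users(SAMPLE_LOG))
```

Run against a real mail log the same way (`summarize(open("/var/log/mail.log").read())`), the plaintext list is the set of accounts whose client settings need fixing before non-encrypted logins are turned off for good; once disable_plaintext_auth is in force the list should stay empty.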