[Dovecot] imap, imaps, ports; config for secure-only service

Ronald Leach ronleach at tesco.net
Sat Aug 21 20:45:15 EEST 2010


Hello, having difficulty setting up a 'secure-only' service on a
non-standard port.

Objective is to open a secure Dovecot service on an internet-visible
port, while also using an insecure service for hosts on an internal
network (so that one particular client which is not SSL/TLS-capable
can continue to use the service).

Checking wiki1 and wiki2, I think that port 143 can be used for a
service in both encrypted and unencrypted operations.  (Wiki2
describes how port 143 can be used with or without STARTTLS.)  I've
managed to run both TB/Vista, and KMail/Debian on 143 from local
machines, and they seem to work fine.  (Though they do only work if
the clients are set to use 'unencrypted logins' such as KMail's 'clear
text' setting, and TB's 'don't use secure authentication'.)  Dovecot's
SSL certificate on the server expires in 2028.

But I cannot get my 'secure-only service' working at all.  I've chosen
port 10943 for that service, and have been testing from both KMail on
the server, and TB/Vista on another local machine.

Here's the config:

protocol imap {
  # inet users, and also users presented from offsite via an SSH tunnel,
  # will use IMAP (any capability) on 143.
  listen = *:143
  # 143 will not be reachable from outside the internal network (except
  # via an SSH tunnel)
  #
  # External users will be allowed only to use port 10943 (as forwarded
  # from the gateway), and will have to use SSL
  ssl_listen = *:10943
}


Other settings include:

#other settings
protocols = imap imaps
disable_plaintext_auth = no
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
ssl_verify_client_cert = no
ssl_cipher_list = ALL:!LOW
ssl_require_client_cert = no
ssl_username_from_cert = no
mail_location = maildir:~/Maildir

#log and debug settings
mail_debug = yes
auth_debug = yes

Log from a successful session on port 143:

Logs (using port 143, KMail on the server)

  14:43:22  auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=127.0.0.1^Irip=127.0.0.1^Iresp=<hidden>
  14:43:22  auth(default): client out: OK^I1^Iuser=ron
  14:43:22  auth(default): master in: REQUEST^I1^I4057^I1
  14:43:22  auth(default): master out: USER^I1^Iron^Isystem_user=ron^Iuid=1001^Igid=1001^Ihome=/home/ron
  14:43:22  IMAP(ron): Effective uid=1001, gid=1001
  14:43:22  IMAP(ron): maildir: data=/home/ron/Maildir
  14:43:22  IMAP(ron): maildir: root=/home/ron/Maildir, index=/home/ron/Maildir, control=, inbox=
  14:43:22  imap-login: Login: user=<ron>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS


Unsuccessful session

Logs (using 10943, KMail on the server) - absolutely no sign of any
authentication, and the client reports a timeout.

  17:03:30  imap-login: Disconnected: Inactivity: rip=127.0.0.1, lip=127.0.0.1, TLS handshake
  17:04:06  imap-login: Disconnected: rip=127.0.0.1, lip=127.0.0.1, TLS handshake
  17:05:08  imap-login: Disconnected: Inactivity: rip=127.0.0.1, lip=127.0.0.1, TLS handshake


143 works fine, so Dovecot is (of course) perfectly good at managing
the auth and service, so I must have something wrong in the config.  I
cannot see it.  Could anyone share a config they've used for
*secure-only* IMAP service on an internet-visible port?  I'd like to
compare the settings.

regards, Ron
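As an added example (not part of Ron's post, and not Dovecot code), here is a small checker for the two things this setup is meant to guarantee, run over the kind of imap-login lines quoted above: it flags connections that repeatedly drop while still in the TLS handshake (the pattern in the 10943 log) and plaintext logins that arrive from outside the internal network. The sample log, the internal address ranges and the stall threshold are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the imap-login lines quoted in the post
# (the 192.168.x and 203.0.113.x entries are invented to exercise the checks).
SAMPLE_LOG = """\
14:43:22  imap-login: Login: user=<ron>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS
15:10:02  imap-login: Login: user=<ron>, method=PLAIN, rip=192.168.1.20, lip=192.168.1.1
15:12:40  imap-login: Login: user=<ron>, method=PLAIN, rip=203.0.113.5, lip=192.168.1.1
17:03:30  imap-login: Disconnected: Inactivity: rip=127.0.0.1, lip=127.0.0.1, TLS handshake
17:04:06  imap-login: Disconnected: rip=127.0.0.1, lip=127.0.0.1, TLS handshake
17:05:08  imap-login: Disconnected: Inactivity: rip=127.0.0.1, lip=127.0.0.1, TLS handshake
"""

# A completed login; a trailing ", TLS" (or ", secured") marks an encrypted session.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)(?P<tls>, (?:TLS|secured))?$")
# A connection dropped while still in the TLS handshake (what the 10943 log shows).
HANDSHAKE_RE = re.compile(
    r"imap-login: Disconnected: (?:Inactivity: )?rip=(?P<rip>[\d.]+), "
    r"lip=(?P<lip>[\d.]+), TLS handshake$")

# Assumed internal ranges that are allowed to log in without TLS.
INTERNAL = [ip_network("127.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def analyse(log_text: str, stall_threshold: int = 3) -> dict:
    """Report plaintext logins from outside INTERNAL and repeated handshake stalls."""
    plaintext_external = []
    stalls = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        m = LOGIN_RE.search(line)
        if m:
            if not m.group("tls") and not is_internal(m.group("rip")):
                plaintext_external.append((m.group("user"), m.group("rip")))
            continue
        m = HANDSHAKE_RE.search(line)
        if m:
            stalls[(m.group("rip"), m.group("lip"))] += 1
    return {
        "plaintext_external": plaintext_external,
        "stalled_handshakes": {k: n for k, n in stalls.items() if n >= stall_threshold},
    }
```

Several stalls in a row from one client, with no Login line following, is the signature of a client that is waiting for a plaintext IMAP greeting on a port where the server expects a TLS ClientHello first.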
