[Dovecot] SSL only for external connections

Simon Brereton simon.brereton at buongiorno.com
Fri Sep 30 22:25:01 EEST 2011


> -----Original Message-----
> From: dovecot-bounces at dovecot.org [mailto:dovecot-bounces at dovecot.org] On Behalf Of Dick Middleton
> On 09/30/11 18:15, Terry Carmen wrote:
> >
> > If SSL/TLS works from the outside, but not the inside, you should
> > probably find out why and fix that instead.
> >
> > What is the actual error text?
> 
> In my limited experience there are two main reasons why it can work
> from outside but not inside.  One is a routing problem.  The common
> problem is trying to connect from inside using the outside IP address
> where the replies try to take a different route back.
> 
> The second reason is to do with the SSL certificate which will have a
> CN indicating the server name.  If you try to connect from the inside
> the server name will not match and you'll get a certificate error.
> 
> A third possibility is you're trying to use TLS on an SSL connection.
> You need to use port 143 for TLS and 993 for SSL.
> 
> However your error messages show an authentication error and I
> suspect you are using an encrypted password on a connection that
> doesn't support it.  It's fairly common if TLS is demanded that PLAIN
> auth is the only method accepted.
> 
> Without more detail one can only guess.

1) No.
2) Yes.
3) No.

Your postulation about the certificate is a good one.  The weird thing is that the error is not consistent, which is why I hadn't caught it before I was idly trawling through the logs.

As Michael says - I can (and probably should) turn this off in the Horde config.

But the question remains - if only because it's now there - how does one limit services effectively in Dovecot?  In Courier it was fairly easy and well documented.  There's no reason for me to offer IMAPS or POP3S to localhost (because of the certificate issue) and there's also no reason for me to offer POP3 to localhost either.

For posterity and for my own edification it would be nice to know how to do that.

Thanks for the help and input.

Simon
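
An added example, not part of the original message or of the Dovecot project's shipped configuration: one way to restrict listeners per interface, assuming Dovecot 2.x `service`/`inet_listener` syntax. The address 192.0.2.10 is a placeholder for the server's external IP, and the choice to drop external port 143 is an assumption about the desired policy.

```conf
# Assumes Dovecot 2.x (e.g. conf.d/10-master.conf); 192.0.2.10 is a placeholder.
# Certificate settings (ssl, ssl_cert, ssl_key) are configured elsewhere.

service imap-login {
  # Plain IMAP only on loopback, for the local webmail client.
  # No certificate is presented here, so no name mismatch can occur.
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  # IMAPS only on the external address, where the certificate name matches.
  inet_listener imaps {
    address = 192.0.2.10
    port = 993
    ssl = yes
  }
}

service pop3-login {
  # port = 0 disables the listener: no plain POP3 anywhere, including localhost.
  inet_listener pop3 {
    port = 0
  }
  # POP3S only on the external address.
  inet_listener pop3s {
    address = 192.0.2.10
    port = 995
    ssl = yes
  }
}
```

After a reload, `doveconf -n` shows the effective listeners, and `ss -ltn` (or `netstat -ltn`) confirms that 143 is bound only to 127.0.0.1 and that 993/995 are bound only to the external address.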