[Dovecot] disable_plaintext_auth = no has no effect on IMAP/POP3 logins
Mikkel
mikkel at euro123.dk
Thu Jun 14 12:15:14 EEST 2012
I just found the solution by coincidence.
It appears there is a configuration file named:
/etc/dovecot/conf.d/10-ssl.conf
In that file the following line was active: ssl = required
That setting apparently takes precedence over disable_plaintext_auth: with ssl = required, Dovecot refuses plaintext authentication on any connection that is not protected by SSL/TLS, whatever disable_plaintext_auth says.
After commenting out the ssl=required entry everything works as expected :-)
Regards, Mikkel
Den 14/06/12 10.14, Mikkel skrev:
> Hello
>
> In my installation the disable_plaintext_auth does not appear to take
> effect.
> I can see that the value is correct using doveconf -a, but it doesn't
> change anything.
>
> Whenever attempting to log in using IMAP I get this:
> * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but
> your client did it anyway. If anyone was listening, the password was
> exposed.
> ls NO [PRIVACYREQUIRED] Plaintext authentication disallowed on
> non-secure (SSL/TLS) connections.
>
> POP3 login attempts give this error:
> -ERR Plaintext authentication disallowed on non-secure (SSL/TLS)
> connections
>
> Besides adding disable_plaintext_auth=no to dovecot.conf I also tried
> adding it specifically to the imap section.
> I also tried to apply it just for certain networks, like this:
>
> remote 0.0.0.0 {
> disable_plaintext_auth = no
> }
>
> But none of this takes any effect either. Adding the testing network to
> login_trusted_networks works fine and removes the error.
> But I would rather not add the whole internet to login_trusted_networks
> just to allow plaintext logins in IMAP.
>
> I'm in the process of migrating from 1.1 to 2.1, so this configuration is
> for testing things out and is mainly based on the default configuration
> files coming with the CentOS installation.
> I should add that everything else in this setup is working fine.
>
>
> I did many searches for information on this topic but nothing I could
> find applies to my case.
>
> I'm sorry to post such a long conf but I'm not sure what parts I could
> have safely omitted.
> Here goes:
>
>
> # doveconf -a
> # 2.1.1: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-220.17.1.el6.x86_64 x86_64 CentOS release 6.2 (Final)
> auth_anonymous_username = anonymous
> auth_cache_negative_ttl = 2 mins
> auth_cache_size = 0
> auth_cache_ttl = 2 mins
> auth_debug = no
> auth_debug_passwords = no
> auth_default_realm = plain
> auth_failure_delay = 2 secs
> auth_first_valid_uid = 500
> auth_gssapi_hostname =
> auth_krb5_keytab =
> auth_last_valid_uid = 0
> auth_master_user_separator =
> auth_mechanisms = plain
> auth_realms = plain login digest-md5 cram-md5 apop ntlm
> auth_socket_path = auth-userdb
> auth_ssl_require_client_cert = no
> auth_ssl_username_from_cert = no
> auth_use_winbind = no
> auth_username_chars =
> abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
> auth_username_format = %Lu
> auth_username_translation =
> auth_verbose = no
> auth_verbose_passwords = no
> auth_winbind_helper_path = /usr/bin/ntlm_auth
> auth_worker_max_count = 30
> base_dir = /var/run/dovecot
> config_cache_size = 1 M
> debug_log_path =
> default_client_limit = 1000
> default_idle_kill = 1 mins
> default_internal_user = dovecot
> default_login_user = dovenull
> default_process_limit = 100
> default_vsz_limit = 256 M
> deliver_log_format = msgid=%m: %$
> dict_db_config =
> director_doveadm_port = 0
> director_mail_servers =
> director_servers =
> director_user_expire = 15 mins
> disable_plaintext_auth = no
> dotlock_use_excl = no
> doveadm_allowed_commands =
> doveadm_password =
> doveadm_proxy_port = 0
> doveadm_socket_path = doveadm-server
> doveadm_worker_count = 0
> dsync_alt_char = _
> first_valid_gid = 1
> first_valid_uid = 105
> hostname = usrmta01.talkactive.net
> imap_capability =
> imap_client_workarounds =
> imap_id_log =
> imap_id_send =
> imap_idle_notify_interval = 2 mins
> imap_logout_format = in=%i out=%o
> imap_max_line_length = 64 k
> imapc_host =
> imapc_master_user =
> imapc_password =
> imapc_port = 143
> imapc_rawlog_dir =
> imapc_ssl = no
> imapc_ssl_ca_dir =
> imapc_ssl_verify = yes
> imapc_user = %u
> import_environment = TZ
> info_log_path = /var/log/dovecot/dovecot.run
> instance_name = dovecot
> last_valid_gid = 0
> last_valid_uid = 0
> lda_mailbox_autocreate = no
> lda_mailbox_autosubscribe = no
> lda_original_recipient_header =
> libexec_dir = /usr/libexec/dovecot
> listen = *, ::
> lmtp_proxy = no
> lmtp_save_to_detail_mailbox = no
> lock_method = fcntl
> log_path = /var/log/dovecot/dovecot.err
> log_timestamp = "%b %d %H:%M:%S "
> login_access_sockets =
> login_greeting = Dovecot ready.
> login_log_format = %$: %s
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
> login_trusted_networks =
> mail_access_groups =
> mail_attachment_dir =
> mail_attachment_fs = sis posix
> mail_attachment_hash = %{sha1}
> mail_attachment_min_size = 128 k
> mail_cache_fields = flags
> mail_cache_min_mail_count = 0
> mail_chroot =
> mail_debug = no
> mail_fsync = always
> mail_full_filesystem_access = no
> mail_gid =
> mail_home =
> mail_location =
> mail_log_prefix = "%s(%u): "
> mail_max_keyword_length = 50
> mail_max_lock_timeout = 0
> mail_max_userip_connections = 10
> mail_never_cache_fields = imap.envelope
> mail_nfs_index = yes
> mail_nfs_storage = yes
> mail_plugin_dir = /usr/lib64/dovecot
> mail_plugins = quota
> mail_prefetch_count = 0
> mail_privileged_group =
> mail_save_crlf = no
> mail_temp_dir = /tmp
> mail_uid =
> mailbox_idle_check_interval = 30 secs
> mailbox_list_index = no
> maildir_broken_filename_sizes = no
> maildir_copy_with_hardlinks = yes
> maildir_stat_dirs = no
> maildir_very_dirty_syncs = no
> master_user_separator =
> mbox_dirty_syncs = yes
> mbox_dotlock_change_timeout = 2 mins
> mbox_lazy_writes = yes
> mbox_lock_timeout = 5 mins
> mbox_md5 = apop3d
> mbox_min_index_size = 0
> mbox_read_locks = fcntl
> mbox_very_dirty_syncs = no
> mbox_write_locks = fcntl
> mdbox_preallocate_space = no
> mdbox_rotate_interval = 0
> mdbox_rotate_size = 2 M
> mmap_disable = yes
> namespace inbox {
> hidden = no
> ignore_on_failure = no
> inbox = yes
> list = yes
> location =
> mailbox Drafts {
> auto = no
> special_use = \Drafts
> }
> mailbox Junk {
> auto = no
> special_use = \Junk
> }
> mailbox Sent {
> auto = no
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> auto = no
> special_use = \Sent
> }
> mailbox Trash {
> auto = no
> special_use = \Trash
> }
> prefix =
> separator =
> subscriptions = yes
> type = private
> }
> passdb {
> args = /local/config/dovecot-sql.conf
> default_fields =
> deny = no
> driver = sql
> master = no
> override_fields =
> pass = no
> }
> plugin {
> quota = maildir
> quota_rule2 = Trash:storage=+10M:messages=+100
> quota_warning = storage=80%% /local/scripts/quota-warning.sh 80
> sieve_extensions = +imapflags +notify
> trash = /local/config/dovecot-trash.conf
> }
> pop3_client_workarounds =
> pop3_enable_last = no
> pop3_fast_size_lookups = no
> pop3_lock_session = no
> pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
> pop3_no_flag_updates = no
> pop3_reuse_xuidl = no
> pop3_save_uidl = no
> pop3_uidl_format = %08Xu%08Xv
> pop3c_host =
> pop3c_password =
> pop3c_port = 110
> pop3c_rawlog_dir =
> pop3c_ssl = no
> pop3c_ssl_ca_dir =
> pop3c_ssl_verify = yes
> pop3c_user = %u
> postmaster_address =
> protocols = imap pop3 lmtp
> quota_full_tempfail = no
> recipient_delimiter = +
> rejection_reason = Your message to <%t> was automatically rejected:%n%r
> rejection_subject = Rejected: %s
> sendmail_path = /usr/sbin/sendmail
> service anvil {
> chroot = empty
> client_limit = 0
> drop_priv_before_exec = no
> executable = anvil
> extra_groups =
> group =
> idle_kill = 4294967295 secs
> privileged_group =
> process_limit = 1
> process_min_avail = 1
> protocol =
> service_count = 0
> type = anvil
> unix_listener anvil-auth-penalty {
> group =
> mode = 0600
> user =
> }
> unix_listener anvil {
> group =
> mode = 0600
> user =
> }
> user = $default_internal_user
> vsz_limit = 18446744073709551615 B
> }
> service auth-worker {
> chroot =
> client_limit = 1
> drop_priv_before_exec = no
> executable = auth -w
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 0
> process_min_avail = 0
> protocol =
> service_count = 1
> type =
> unix_listener auth-worker {
> group =
> mode = 0600
> user = $default_internal_user
> }
> user = $default_internal_user
> vsz_limit = 18446744073709551615 B
> }
> service auth {
> chroot =
> client_limit = 0
> drop_priv_before_exec = no
> executable = auth
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 1
> process_min_avail = 0
> protocol =
> service_count = 0
> type =
> unix_listener /var/spool/postfix/private/auth {
> group =
> mode = 0666
> user =
> }
> unix_listener auth-client {
> group =
> mode = 0600
> user =
> }
> unix_listener auth-login {
> group =
> mode = 0600
> user = $default_internal_user
> }
> unix_listener auth-master {
> group =
> mode = 0600
> user =
> }
> unix_listener auth-userdb {
> group =
> mode = 0666
> user =
> }
> unix_listener login/login {
> group =
> mode = 0666
> user =
> }
> user = $default_internal_user
> vsz_limit = 18446744073709551615 B
> }
> service config {
> chroot =
> client_limit = 0
> drop_priv_before_exec = no
> executable = config
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 0
> process_min_avail = 0
> protocol =
> service_count = 0
> type = config
> unix_listener config {
> group =
> mode = 0600
> user =
> }
> user =
> vsz_limit = 18446744073709551615 B
> }
> service dict {
> chroot =
> client_limit = 1
> drop_priv_before_exec = no
> executable = dict
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 0
> process_min_avail = 0
> protocol =
> service_count = 0
> type =
> unix_listener dict {
> group =
> mode = 0600
> user =
> }
> user = $default_internal_user
> vsz_limit = 18446744073709551615 B
> }
> service director {
> chroot = .
> client_limit = 0
> drop_priv_before_exec = no
> executable = director
> extra_groups =
> fifo_listener login/proxy-notify {
> group =
> mode = 00
> user =
> }
> group =
> idle_kill = 4294967295 secs
> inet_listener {
> address =
> port = 0
> ssl = no
> }
> privileged_group =
> process_limit = 1
> process_min_avail = 0
> protocol =
> service_count = 0
> type =
> unix_listener director-admin {
> group =
> mode = 0600
> user =
> }
> unix_listener director-userdb {
> group =
> mode = 0600
> user =
> }
> unix_listener login/director {
> group =
> mode = 00
> user =
> }
> user = $default_internal_user
> vsz_limit = 18446744073709551615 B
> }
> service dns_client {
> chroot =
> client_limit = 1
> drop_priv_before_exec = no
> executable = dns-client
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 0
> process_min_avail = 0
> protocol =
> service_count = 0
> type =
> unix_listener dns-client {
> group =
> mode = 0666
> user =
> }
> unix_listener login/dns-client {
> group =
> mode = 0666
> user =
> }
> user = $default_internal_user
> vsz_limit = 18446744073709551615 B
> }
> service doveadm {
> chroot =
> client_limit = 1
> drop_priv_before_exec = no
> executable = doveadm-server
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 0
> process_min_avail = 0
> protocol =
> service_count = 1
> type =
> unix_listener doveadm-server {
> group =
> mode = 0600
> user =
> }
> user =
> vsz_limit = 18446744073709551615 B
> }
> service imap-login {
> chroot = login
> client_limit = 0
> drop_priv_before_exec = no
> executable = imap-login
> extra_groups =
> group =
> idle_kill = 0
> inet_listener imap {
> address =
> port = 143
> ssl = no
> }
> inet_listener imaps {
> address =
> port = 993
> ssl = yes
> }
> privileged_group =
> process_limit = 0
> process_min_avail = 0
> protocol = imap
> service_count = 0
> type = login
> user = $default_login_user
> vsz_limit = 256 M
> }
> service imap {
> chroot =
> client_limit = 1
> drop_priv_before_exec = no
> executable = imap
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 1024
> process_min_avail = 0
> protocol = imap
> service_count = 1
> type =
> unix_listener login/imap {
> group =
> mode = 0666
> user =
> }
> user =
> vsz_limit = 256 M
> }
> service indexer-worker {
> chroot =
> client_limit = 1
> drop_priv_before_exec = no
> executable = indexer-worker
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 10
> process_min_avail = 0
> protocol =
> service_count = 0
> type =
> unix_listener indexer-worker {
> group =
> mode = 0600
> user = $default_internal_user
> }
> user =
> vsz_limit = 18446744073709551615 B
> }
> service indexer {
> chroot =
> client_limit = 0
> drop_priv_before_exec = no
> executable = indexer
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 1
> process_min_avail = 0
> protocol =
> service_count = 0
> type =
> unix_listener indexer {
> group =
> mode = 0666
> user =
> }
> user = $default_internal_user
> vsz_limit = 18446744073709551615 B
> }
> service ipc {
> chroot = empty
> client_limit = 0
> drop_priv_before_exec = no
> executable = ipc
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 1
> process_min_avail = 0
> protocol =
> service_count = 0
> type =
> unix_listener ipc {
> group =
> mode = 0600
> user =
> }
> unix_listener login/ipc-proxy {
> group =
> mode = 0600
> user = $default_login_user
> }
> user = $default_internal_user
> vsz_limit = 18446744073709551615 B
> }
> service lmtp {
> chroot =
> client_limit = 1
> drop_priv_before_exec = no
> executable = lmtp
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 0
> process_min_avail = 0
> protocol = lmtp
> service_count = 0
> type =
> unix_listener lmtp {
> group =
> mode = 0666
> user =
> }
> user =
> vsz_limit = 18446744073709551615 B
> }
> service log {
> chroot =
> client_limit = 0
> drop_priv_before_exec = no
> executable = log
> extra_groups =
> group =
> idle_kill = 4294967295 secs
> privileged_group =
> process_limit = 1
> process_min_avail = 0
> protocol =
> service_count = 0
> type = log
> unix_listener log-errors {
> group =
> mode = 0600
> user =
> }
> user =
> vsz_limit = 18446744073709551615 B
> }
> service pop3-login {
> chroot = login
> client_limit = 0
> drop_priv_before_exec = no
> executable = pop3-login
> extra_groups =
> group =
> idle_kill = 0
> inet_listener pop3 {
> address =
> port = 110
> ssl = no
> }
> inet_listener pop3s {
> address =
> port = 995
> ssl = yes
> }
> privileged_group =
> process_limit = 0
> process_min_avail = 0
> protocol = pop3
> service_count = 1
> type = login
> user = $default_login_user
> vsz_limit = 18446744073709551615 B
> }
> service pop3 {
> chroot =
> client_limit = 1
> drop_priv_before_exec = no
> executable = pop3
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 1024
> process_min_avail = 0
> protocol = pop3
> service_count = 1
> type =
> unix_listener login/pop3 {
> group =
> mode = 0666
> user =
> }
> user =
> vsz_limit = 18446744073709551615 B
> }
> service ssl-params {
> chroot =
> client_limit = 0
> drop_priv_before_exec = no
> executable = ssl-params
> extra_groups =
> group =
> idle_kill = 0
> privileged_group =
> process_limit = 0
> process_min_avail = 0
> protocol =
> service_count = 0
> type = startup
> unix_listener login/ssl-params {
> group =
> mode = 0666
> user =
> }
> user =
> vsz_limit = 18446744073709551615 B
> }
> service stats {
> chroot = empty
> client_limit = 0
> drop_priv_before_exec = no
> executable = stats
> extra_groups =
> fifo_listener stats-mail {
> group =
> mode = 0600
> user =
> }
> group =
> idle_kill = 4294967295 secs
> privileged_group =
> process_limit = 1
> process_min_avail = 0
> protocol =
> service_count = 0
> type =
> unix_listener stats {
> group =
> mode = 0600
> user =
> }
> user = $default_internal_user
> vsz_limit = 18446744073709551615 B
> }
> shutdown_clients = yes
> ssl = required
> ssl_ca =
> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
> ssl_cert_username_field = commonName
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_client_cert =
> ssl_client_key =
> ssl_crypto_device =
> ssl_key = </etc/pki/dovecot/private/dovecot.pem
> ssl_key_password =
> ssl_parameters_regenerate = 1 weeks
> ssl_protocols = !SSLv2
> ssl_verify_client_cert = no
> stats_command_min_time = 1 mins
> stats_domain_min_time = 12 hours
> stats_ip_min_time = 12 hours
> stats_memory_limit = 16 M
> stats_session_min_time = 15 mins
> stats_user_min_time = 1 hours
> submission_host =
> syslog_facility = mail
> userdb {
> args =
> default_fields =
> driver = prefetch
> override_fields =
> }
> userdb {
> args = /local/config/dovecot-sql.conf
> default_fields =
> driver = sql
> override_fields =
> }
> valid_chroot_dirs =
> verbose_proctitle = no
> verbose_ssl = no
> version_ignore = no
> protocol lda {
> mail_plugins = quota quota sieve trash
> }
> protocol imap {
> imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> tb-lsub-flags
> imap_logout_format = bytes=%i/%o
> mail_plugins = quota quota imap_quota trash
> }
> protocol pop3 {
> mail_plugins = quota quota
> pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
> pop3_uidl_format = %08Xu%08Xv
> }
>
>
> Regards, Mikkel