[Dovecot] Allowing non-SSL connections only for certain Password Databases

Dan Pollock pollock at theorem.ca
Wed Apr 23 08:50:37 UTC 2014


On Apr 23, 2014, at 1:38 AM, Benjamin Podszun <dar at darklajid.de> wrote:

> On Tuesday, April 22, 2014 3:31:47 PM CEST, Urban Loesch wrote:
>> Hi,
>> 
>>> Is there a way to set "disable_plaintext_auth" to different values for different Password Databases? Is there another way to do it?
>> 
>> Why do you not force SSL for all users?
>> 
>> I have no idea how this could be made with different databases. I have only built a solution for all users stored in mysql.
>> 
>> I'm able to force SSL for imap and pop3 on a per user basis with e.g.:
>> 
>> ...
>> password_query = SELECT password FROM users WHERE userid = '%u' AND allow_login = 'y' AND ( force_ssl = 'y' OR '%c' = 'secured');
> 
> Wait a second. I might be totally off here, but the way I read that query you accept plaintext credentials, unsecured and then check the DB. After which you might say "You're not allowed to log in".
> 
> If that is correct every user might send their credentials over unsecured connections?
> 
> In my opinion this doesn't help. Clients cannot know in advance that they shouldn't try to log in.
> 
> I guess I'd either
> 
> - drop the requirement (best option, hit the users that don't support TLS or offer them help to upgrade/fix their setup)
> 
> - live with the possibility that the system users are potentially disclosing their credentials.
> 
> 
> Take a step back: A random client connects to dovecot. It didn't log in yet. How would you change the capabilities to reflect 'login without starttls is allowed or not', depending on a username that you cannot know at this point?
> 
> My take, ignoring the "There shouldn't be a need for that" quip, is that this is next to impossible. And not worth the challenge.
> 
> Ben


I would like to move everyone onto more modern mail programs, but at the moment I have a couple of them that are stuck using very old software installed for them on work computers. The rest of my clients can connect on ports 993 and 995 without it being a problem. 

It's far from a perfect setup. 

This is quite easy to set up on Courier-imap, but for a number of reasons I would much rather be using Dovecot. (In courier-imap, you can configure different password databases independently for each of pop3, imap, pop3-ssl and imap-ssl.)

Given that Dovecot features seem to be a superset of those from Courier-imap so far, I was hoping this configuration option would exist there as well. 

Dan
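Added toy model of the two approaches discussed in this thread (the quoted passdb query versus a server-wide disable_plaintext_auth); it is not Dovecot code or anyone's posted code. USERS is a constructed table with the columns the quoted password_query uses, and the per-user rule is modelled with the intent stated in the thread (a user marked force_ssl='y' is refused unless Dovecot's %c is 'secured'), which is an assumption about the quoted query's polarity.

```python
# Constructed sample table with the columns used by the quoted password_query.
USERS = {
    "alice": {"password": "s3cret", "allow_login": "y", "force_ssl": "y"},
    "bob": {"password": "hunter2", "allow_login": "y", "force_ssl": "n"},
}


def password_query(userid, secured):
    """Per-user check done by the passdb, i.e. only after credentials arrive.

    Assumed polarity: force_ssl='y' users are rejected unless %c == 'secured'.
    """
    c = "secured" if secured else ""
    row = USERS.get(userid)
    if row is None or row["allow_login"] != "y":
        return None
    if row["force_ssl"] == "y" and c != "secured":
        return None
    return row["password"]


def login(userid, password, secured, disable_plaintext_auth):
    """Simulate one IMAP/POP3 login attempt.

    Returns (accepted, password_sent_in_clear). With disable_plaintext_auth
    the server advertises LOGINDISABLED on an unencrypted connection, so a
    conforming client never transmits the password at all. With the passdb
    approach the password is transmitted first and judged afterwards.
    """
    if not secured and disable_plaintext_auth:
        return (False, False)  # client stops before sending anything
    sent_in_clear = not secured
    stored = password_query(userid, secured)
    return (stored is not None and stored == password, sent_in_clear)


def exposure_report():
    """Which users end up sending a password over a plaintext connection?"""
    report = {}
    for approach, global_disable in (("passdb_query", False),
                                     ("disable_plaintext_auth", True)):
        exposed = []
        for user, row in USERS.items():
            _, in_clear = login(user, row["password"], secured=False,
                                disable_plaintext_auth=global_disable)
            if in_clear:
                exposed.append(user)
        report[approach] = sorted(exposed)
    return report
```

Running exposure_report() shows the point made above: with the passdb query every user, including the one marked force_ssl='y', has already sent the password in the clear by the time the server refuses, while disable_plaintext_auth=yes prevents the transmission but cannot be scoped per user.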

