[Dovecot] Allowing non-SSL connections only for certain Password Databases

Benjamin Podszun dar at darklajid.de
Wed Apr 23 08:58:05 UTC 2014


On Wednesday, April 23, 2014 10:50:37 AM CEST, Dan Pollock wrote:
> On Apr 23, 2014, at 1:38 AM, Benjamin Podszun <dar at darklajid.de> wrote:
>
>> On Tuesday, April 22, 2014 3:31:47 PM CEST, Urban Loesch wrote:
>  ...
>
>
> I would like to move everyone onto more modern mail programs, 
> but at the moment I have a couple of them that are stuck using 
> very old software installed for them on work computers. The rest 
> of my clients can connect on ports 993 and 995 without it being 
> a problem. 

What's wrong with starttls? How are the ports relevant?
Do you happen to know what the problem is? Total lack of TLS support (I .. 
cannot quite believe that) or is it a problem with key sizes/ciphers or 
whatever, i.e. with your configuration vs. the legacy apps?

> It's far from a perfect setup. 
>
> This is quite easy to set up on Courier-imap, but for a number 
> of reasons I would much rather be using Dovecot. (In 
> courier-imap, you can configure different password databases 
> independently for each of pop3, imap, pop3-ssl and imap-ssl.)

Which is really not that helpful, I think. Joe random system user can still 
set up his mail client to point to mail.yourdomain.tld and try to log in 
unencrypted. You'll only deny him afterwards (even with a different 
password DB), after the password was transmitted over unencrypted wifi in 
his local Starbucks™ or equivalent. Or what am I missing here? All system 
users are too clever for that? In that case they can already use the ports 
listed above (or set their mail client to require starttls on 143/110). If 
they're not that security conscious, what protects them from the scenario 
above?

> Given that Dovecot features seem to be a superset of those from 
> Courier-imap so far, I was hoping this configuration option 
> would exist there as well. 

See above: What would you gain? Would that actually help you?
In the end it's your setup and I don't want to come across and say "You're 
doing it wrong" here, but so far it's hard to see what you're trying to 
achieve with that .. feature?

Regards,
Ben
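
The ordering problem raised in the reply above, as an added example that is not part of the original message or of Dovecot: it models two IMAP sessions on port 143 and reports which logins put a password on the wire before TLS, together with the server's verdict. The sessions are constructed samples, and the function name `cleartext_exposures` is an assumption made for this illustration.

```python
import base64
import shlex

# Constructed sample sessions on port 143: ("C"|"S", line). Not real captures.
DENIED_AFTER_LOGIN = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS SASL-IR AUTH=PLAIN] ready"),
    ("C", 'a1 LOGIN joe "example password"'),
    ("S", "a1 NO [AUTHENTICATIONFAILED] Authentication failed."),
    ("C", "a2 AUTHENTICATE PLAIN "
          + base64.b64encode(b"\0joe\0example password").decode()),
    ("S", "a2 NO [AUTHENTICATIONFAILED] Authentication failed."),
]
STARTTLS_FIRST = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS SASL-IR AUTH=PLAIN] ready"),
    ("C", "a1 STARTTLS"),
    ("S", "a1 OK Begin TLS negotiation now."),
    ("C", 'a2 LOGIN joe "example password"'),
    ("S", "a2 OK Logged in"),
]

def cleartext_exposures(session):
    """List (user, mechanism, server_verdict) for passwords sent before TLS."""
    encrypted, starttls_tag = False, None
    pending, exposed = {}, []
    for sender, line in session:
        tag, _, rest = line.partition(" ")
        verb, _, args = rest.partition(" ")
        verb = verb.upper()
        if sender == "C":
            if verb == "STARTTLS":
                starttls_tag = tag
            elif verb == "LOGIN" and not encrypted:
                pending[tag] = (shlex.split(args)[0], "LOGIN")
            elif verb == "AUTHENTICATE" and not encrypted:
                mech, _, initial = args.partition(" ")
                if mech.upper() == "PLAIN" and initial:
                    # SASL PLAIN payload: authzid NUL authcid NUL password
                    user = base64.b64decode(initial).split(b"\0")[1].decode()
                    pending[tag] = (user, "AUTHENTICATE PLAIN")
        elif tag == starttls_tag and verb == "OK":
            encrypted = True  # everything after this line is inside TLS
        elif tag in pending:
            # The verdict arrives only after the password crossed the wire.
            exposed.append(pending.pop(tag) + (verb,))
    return exposed
```

In the first session both attempts are listed with verdict `NO`: the rejection does not undo the exposure. The second session yields an empty list because the client negotiated STARTTLS before authenticating.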

