Required SSL with exceptions
List
list at airstreamcomm.net
Mon Dec 8 22:01:43 UTC 2014
On 12/8/14, 1:45 PM, Robert Schetterer wrote:
> Am 08.12.2014 um 19:41 schrieb List:
>> I have a Dovecot cluster which is on separate machines from my
>> webmail/caldav/cardav cluster, and I currently have the system setup
>> with ssl = required. Unfortunately the caldav/cardav server I am
>> running doesn't support STARTTLS so I was wondering if there is a way to
>> still enforce ssl for every connection with the exception of a certain
>> subnet, or if there is a better way to accomplish this without install a
>> local install of Dovecot on each of my caldav/cardav servers.
> perhaps this helps
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration?highlight=%28trusted%29
>
>
> There are a couple of different ways to specify when SSL/TLS is required:
>
> disable_plaintext_auth=yes allows plaintext authentication only when
> SSL/TLS is used first.
>
> ssl = required requires SSL/TLS also for non-plaintext authentication.
>
> If you have only plaintext mechanisms enabled (auth { mechanisms =
> plain login } ), you can use either (or both) of the above settings.
> They behave exactly the same way then.
>
> Note that plaintext authentication is always allowed (and SSL not
> required) for connections from localhost, as they're assumed to be
> secure anyway. This applies to all connections where the local and the
> remote IP addresses are equal. Also IP ranges specified by
> login_trusted_networks setting are assumed to be secure.<<<<
>
>
>
> Best Regards
> MfG Robert Schetterer
>
Essentially we would like to host IMAP with SSL enforced for any
connections coming from anywhere except the subnet where our other mail
servers reside. The idea is to not install a local instance of dovecot
on the webmail/carddav/caldav servers to reduce the number of instances
that need to be managed. Is it possible to have two imap listeners,
where ssl is enforced on one port, and not on another?
More information about the dovecot
mailing list