[Dovecot] Allow both SSL/993 and STARTTLS/143 connections (secure only)
Charles Marcus
CMarcus at Media-Brokers.com
Fri Jan 3 15:32:49 EET 2014
Hi all,
Ok, up until now, I've only always allowed IMAPS connections to dovecot
on port 993.
I want to also start allowing clients to user port143+STARTTLS, but I
walso want to make sure both ports are locked down to ONLY allow secure
connections.
So... is disable_plaintext_auth = yes in the main config enough to
accomplish this?
http://wiki2.dovecot.org/SSL/DovecotConfiguration says:
There are a couple of different ways to specify when SSL/TLS is required:
*
disable_plaintext_auth=yes allows plaintext authentication
<http://wiki2.dovecot.org/Authentication/Mechanisms> only when
SSL/TLS is used first.
*
ssl = required requires SSL/TLS also for non-plaintext
authentication <http://wiki2.dovecot.org/Authentication/Mechanisms>.
*
If you have only plaintext mechanisms enabled
(auth { mechanisms = plain login } ), you can use either (or both)
of the above settings. They behave exactly the same way then
and the comments in 10-auth.conf say:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
These seem to be saying that all I need to do is set either or both
(ssl-required and/or disable_plaintext_auth=yes).
I'm looking for the simplest, and don't like redundant/unnecessary
settings, so... which is the best/preferred way?
And what is the difference between ssl=required and
disable_plaintext_auth=yes?
Thanks,
--
Best regards,
*/Charles/***
More information about the dovecot
mailing list