[Dovecot] Allow both SSL/993 and STARTTLS/143 connections (secure only)

Charles Marcus CMarcus at Media-Brokers.com
Fri Jan 3 15:32:49 EET 2014


Hi all,

Ok, up until now, I've only always allowed IMAPS connections to dovecot 
on port 993.

I want to also start allowing clients to use port 143+STARTTLS, but I 
also want to make sure both ports are locked down to ONLY allow secure 
connections.

So... is disable_plaintext_auth = yes in the main config enough to 
accomplish this?

http://wiki2.dovecot.org/SSL/DovecotConfiguration says:

There are a couple of different ways to specify when SSL/TLS is required:

  * disable_plaintext_auth=yes allows plaintext authentication
    <http://wiki2.dovecot.org/Authentication/Mechanisms> only when
    SSL/TLS is used first.

  * ssl = required requires SSL/TLS also for non-plaintext
    authentication <http://wiki2.dovecot.org/Authentication/Mechanisms>.

  * If you have only plaintext mechanisms enabled
    (auth { mechanisms = plain login } ), you can use either (or both)
    of the above settings. They behave exactly the same way then.

and the comments in 10-auth.conf say:

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes

These seem to be saying that all I need to do is set either or both 
(ssl-required and/or disable_plaintext_auth=yes).

I'm looking for the simplest, and don't like redundant/unnecessary 
settings, so... which is the best/preferred way?

And what is the difference between ssl=required and 
disable_plaintext_auth=yes?

Thanks,

-- 

Best regards,

Charles
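As an added example (not part of Charles's post and not taken from the Dovecot wiki text quoted above), here is a minimal Dovecot 2.x configuration that answers the question as posed: both listeners (993 implicit TLS, 143 with STARTTLS) are enabled, and no client can authenticate on either port until TLS is up. The certificate and key paths are placeholders; the rest uses only standard Dovecot setting names.

```conf
# conf.d/10-ssl.conf
# "required" covers every mechanism, plaintext or not, so a client that
# offers CRAM-MD5 or similar over cleartext on port 143 is still refused
# until it has issued STARTTLS. This is the stricter of the two settings.
ssl = required
ssl_cert = </etc/dovecot/certs/imap.pem      # placeholder path
ssl_key  = </etc/dovecot/private/imap.key    # placeholder path

# conf.d/10-auth.conf
# Redundant once ssl = required is set, but harmless; it makes Dovecot
# advertise LOGINDISABLED in the pre-STARTTLS CAPABILITY response on 143,
# which is what well-behaved clients look for before deciding to log in.
disable_plaintext_auth = yes
auth_mechanisms = plain login

# conf.d/10-master.conf
# Both ports share the same imap-login service; only 993 wraps the whole
# session in TLS from the first byte, 143 upgrades via STARTTLS.
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

With only plain/login mechanisms enabled, as above, the two settings behave identically (that is the wiki's third bullet), so the simplest answer to the "which one?" question is ssl = required on its own: it remains correct even if a non-plaintext mechanism is added to auth_mechanisms later. To verify the result from a client machine, open a cleartext connection to port 143 and send `a CAPABILITY`; the reply should list STARTTLS and LOGINDISABLED, and a LOGIN attempt before STARTTLS should be rejected. Note the caveat from the 10-auth.conf comment quoted above: a connection whose remote IP equals the local IP is treated as secure, so this check must be run from a different host to be meaningful.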

