Question about verbose_proctitle

J Doe general at nativemethods.com
Fri Jul 13 03:45:10 EEST 2018


> On Jul 10, 2018, at 7:19 PM, J Doe <general at nativemethods.com> wrote:
> 
> Hello,
> 
> I have a question relating to the detail that the verbose_proctitle parameter enables for ps.
> 
> I have TLS configured for IMAP as follows:
> 
>    /etc/dovecot/dovecot.conf
>        ssl = required
>        ssl_cert = </path/to/cert.pem
>        ssl_key = </path/to/key.pem
> 
>        protocols = imap lmtp
> 
>        service imap-login {
>            # Disable insecure IMAP over TCP 143
>            inet_listener imap {
>                port=0
>            }
>        }
> 
>        . . . 
> 
>        verbose_proctitle = yes
> 
> If I have a single MUA connect (Apple Mail in this case), I see:
> 
>    $ ps aux | grep -i dovecot
> 
>        dovenull  5552  0.0  0.1  18820  5444 ?        S    18:53   0:00 dovecot/imap-login [1 connections (1 TLS)]
>        vmail       5553  0.3  0.1  13612  4304 ?        S    18:53   0:00 dovecot/imap [user at example.com 1.2.3.4 IDLE]
> 
> The first part makes sense to me - imap-login is showing the user being connected via imap-login and with TLS.
> The second part, however, shows the IMAP session with the username, IP address and IMAP command (IDLE),
> but it does not state TLS.
> 
> Does this mean that I have logins for IMAP connections protected by TLS but the actual IMAP traffic (mail
> contents, etc.), is *NOT* configured to use TLS ?  That is to say, IMAP traffic is flowing over port 993 without
> TLS ?
> 
> From the wiki [1] it appears to state that I only have to configure TLS settings for IMAP if the IMAP protocol is
> being secured via a *DIFFERENT* TLS certificate.
> 
> Is this correct ?
> 
> Thanks, 
> 
> - J
> 
> Sources:
> 
>    [1] https://wiki2.dovecot.org/SSL/DovecotConfiguration

Hi,

I was able to partially answer my question, today.

I used tcpdump to record the traffic between a single client computer and the server running Dovecot and can confirm that all of the IMAP traffic to and from the server was over TLS 1.2 with the configuration I mentioned (see previous e-mail above).  This still makes me wonder, though, why Dovecot does not specify “TLS” when I use ps:

    /etc/dovecot/dovecot.conf
        . . .
        verbose_proctitle = yes
        . . .

    $ ps aux | grep -i dovecot

        dovenull  5552  0.0  0.1  18820  5444 ?        S    18:53   0:00 dovecot/imap-login [1 connections (1 TLS)]
        vmail       5553  0.3  0.1  13612  4304 ?        S    18:53   0:00 dovecot/imap [user at example.com 1.2.3.4 IDLE]

I’m aware that this is because the code does not state to specify “TLS” for the dovecot/imap [user at example.com 1.2.3.4 IDLE] line of output, but I’m curious as to why that decision was made ?

Thanks,

- J
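
An added example, not part of the original post and not Dovecot code: a Python check that reads `ps` output and reports, for each login process, how many connections are not counted as TLS. It assumes the `[N connections (M TLS)]` proctitle form quoted above is the only form; the sample lines are constructed from the thread, and the third line (PID 5560) is hypothetical.

```python
import re

# Constructed sample: the first two lines mirror the ps output quoted in the
# thread; the third is a hypothetical login process with one non-TLS connection.
SAMPLE_PS = """\
dovenull  5552  0.0  0.1  18820  5444 ?  S  18:53  0:00 dovecot/imap-login [1 connections (1 TLS)]
vmail     5553  0.3  0.1  13612  4304 ?  S  18:53  0:00 dovecot/imap [user at example.com 1.2.3.4 IDLE]
dovenull  5560  0.0  0.1  18820  5444 ?  S  18:55  0:00 dovecot/imap-login [3 connections (2 TLS)]
"""

# Assumption: login proctitles look like "[N connections (M TLS)]",
# the only form shown in the thread.
LOGIN_RE = re.compile(
    r"^\S+\s+(?P<pid>\d+)\s.*\bdovecot/(?P<svc>[\w-]+-login) "
    r"\[(?P<total>\d+) connections? \((?P<tls>\d+) TLS\)\]\s*$"
)


def login_tls_report(ps_text):
    """Return one dict per login process with its total/TLS/non-TLS counts."""
    rows = []
    for line in ps_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            # Session lines such as dovecot/imap [user ip IDLE] carry no TLS
            # field, so they are skipped rather than treated as non-TLS.
            continue
        total, tls = int(m["total"]), int(m["tls"])
        rows.append({
            "pid": int(m["pid"]),
            "service": m["svc"],
            "connections": total,
            "tls": tls,
            "non_tls": total - tls,
        })
    return rows


def non_tls_login_pids(ps_text):
    """PIDs of login processes holding at least one connection not counted as TLS."""
    return [r["pid"] for r in login_tls_report(ps_text) if r["non_tls"] > 0]


if __name__ == "__main__":
    for row in login_tls_report(SAMPLE_PS):
        status = "ok" if row["non_tls"] == 0 else "CHECK"
        print(f'{status:5} pid={row["pid"]} {row["service"]} '
              f'{row["tls"]}/{row["connections"]} TLS')
```
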

