why is dovecot "Allowing any password"

Aki Tuomi aki.tuomi at dovecot.fi
Thu Mar 22 10:56:18 EET 2018

On 22.03.2018 10:55, mj wrote:
> On 03/22/2018 09:34 AM, Aki Tuomi wrote:
>> I have no idea*WHY*  it is required by SOGo. It does not make sense.
> Well, the thing is: SOGo has this ability to behave like a *real*
> exchange server, as if it's running on a windows server. And this
> enables Outlook to connect to it like it would to an exchange server.
> (so: not in imap mode, and not using regular username/password
> authentication)
> Normally, SOGo simply reuses the provided username/password to connect
> to the imap server, but in the above scenario, these are not available.
> The same goes for a SAML2 authenticated SOGo webmail logon.
> In these scenarios, SOGo uses the connection, to logon to
> imap. Since it does know the username.
> I guess a better solution would be for SOGo to be able to do
> 'transformations' to the username/password, to change the regular
> username/unknownpassword into username*master/masterpassword, and get
> rid of the passwordless listener.
> Right?
> But SOGo doesn't do that. (afaik)
> MJ

I would recommend using master password (that is, replace nopassword=y
with password=staticpassword). I know that from localhost perspective
this isn't much different, but it will reduce accidents.


More information about the dovecot mailing list