Ronald Leach wrote:
Hello, having difficulty setting up a 'secure-only' service on a
non-standard port.
Upgraded version on the server to the latest backport available for
the server, having saved the conf file. Started from scratch with
standard settings. Particularly:
protocol = imap imaps
listen = *
Checking wiki1 and wiki2, I think that port 143 can be used for a
service in both encrypted and unencrypted operations. (Wiki2
describes how port 143 can be used with or without STARTTLS.)
143 only worked when protocols = imap was present.
In this case, Thunderbird (on a Vista client) worked in 'TLS' mode.
The log showed authentication using PLAIN, and TLS secured. The wiki
implies that TLS provides end to end (client to dovecot) encryption,
and (I think) means that the initial username/password exchange is,
therefore, also protected. (On the basis that the link protection is
built before the authentication sequence is started.)
But I want to force secure working - in some kind of secure-only mode,
so that internet-based users can reach the server securely. So I
changed the protocols to:
protocol = imaps
with:
disable_plaintext_auth = yes
In this configuration, TB could not connect on 143, but only on 993,
*and*, only if TB's SSL option is selected (not its TLS option). This
was good, and bad.
Good, because it 'forced' use of a secure connection (assuming that in
this mode the connection is *actually* protected end-to-end); the
email client asked if Dovecot's certificate should be accepted, so
there was certainly some protection going on at some point.
But this was *bad*, I thought, because the wiki suggests
http://wiki.dovecot.org/SSL
that TLS has replaced SSL, so I am not sure that using SSL is the
proper thing to do. Incidentally - almost in a tribute to the wiki
article - Dovecot recorded the authentication as TLS.
I think I've disabled insecure access from any client - which is a
pity because we have one client application that is not
SSL/TLS-capable, as I mentioned before. The Dovecot website also
talks about a proxy operation, so I may set up an insecure proxy on
our other server, and let that proxy for that one application.
Otherwise, I think it is running securely, which is a good step
forward to allow access from the internet.
regards, Ron
