Hello, and what is the problem of allowing gssapi externally? Since the users do not have the kerberos ticket, they will use plain auth then, if you allow both. Do not they?
Marek Odoslané pomocou bezpečného emailu Proton Mail. pondelok 19. januára 2026, 4:53, r.barclay--- via dovecot <[email protected]> napísal/a: > > > Hi, > > I'm setting up a new IMAPS server using Dovecot 2.4 at the moment. > I'd like my network internal users to authenticate using GSSAPI. > The server is also exposed to the Internet for smart phone email access. I > want to offer PLAIN login only for external users as they can't be legitimate > internal Kerberos users. (Just as an additional layer of security.) > > Would this approach work? > > service imap-login { > inet_listener imaps_external { > port = 1993 > ssl = yes > auth_mechanisms = plain login > } > inet_listener imaps_internal { > port = 7993 > ssl = yes > auth_mechanisms = plain login gssapi > } > } > > Then I'd allow only port 1993 externally and keep port 7993 for the LAN. > > Thank you for your advice! > Reg > _______________________________________________ > dovecot mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ dovecot mailing list -- [email protected] To unsubscribe send an email to [email protected]
