I think the idea here is to keep clients from inadvertently using a configuration that would result in their password being sent in the clear. This is in order to enforce, as opposed to simply allowing, a good security policy.

Dovecot has such a configuration option:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = no
disable_plaintext_auth = yes

--
-Eric 'shubes'

On 02/04/2011 02:10 AM, Tonix (Antonio Nati) wrote:
Why do you want to force TLS? You achieve same results, enabling both
TLS and normal smtp, just accepting e-mails from authenticated users

It is enough to force authentication, using chkuser 2.0.9 and the
CHKUSER_EXTRA_MUSTAUTH_VARIABLE parameter
(http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html#MustAuth).

With the insertion of export CHKUSER_MUSTAUTH="" in the running script, you
enable acceptance of e-mails only from authenticated users.

Anyway, if you want absolutely and only TLS, you can have it using
stunnel, which starts a TLS session and then runs normal SMTP (see
http://www.ekkaia.org/software/mail/qmailssl.php for examples).
It can be run over each single service (pop, imap, etc).

Regards,

Tonino


On 03/02/2011 20:20, Jeremy Utley wrote:
Hello everyone!

We're using a toaster installation for our primary mail server at my
company, and over the last few weeks we've been working on configuring
everyone's mail clients to use SSL for sending & receiving e-mail.
Now that we have everyone converted over to use of SSL, we'd like to
stop all non-SSL access.  For imap and pop3, it was quite simple, I
simply disabled the imap4 and pop3 run scripts in
/var/qmail/supervise.  However, for SMTP, I haven't had much luck yet.
We'd like to force the submission port 587 to require TLS and
SMTP-Auth before a message is sent out, while leaving SMTP port 25
un-modified.  I had read on another qmail site that you could do this
by use of a FORCE_TLS=1 variable in the run script, but that did not
work, so I suspect that this patch is not in the toaster packages (and
running strings against /var/qmail/bin/qmail-smtpd seems to bear that
out).  Is there any way with the toaster to enforce TLS usage, and
reject any mail that's not TLS?  We'd like to stick with TLS so we
don't have to reconfigure everyone's mail clients for SMTPS, which is
deprecated at any rate.

Thanks for any help you all can give!

Jeremy
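Whatever mechanism ends up enforcing the policy (a FORCE_TLS-style patch, stunnel, or Dovecot's disable_plaintext_auth), the property worth verifying from the outside is the one Jeremy asks for: the submission port must not offer AUTH until after STARTTLS. The following audit script is an added example, not code from the toaster or from anyone in this thread; the host name mail.example.test and the EHLO transcripts are constructed for illustration.

```python
"""Audit an SMTP submission endpoint: AUTH must only appear after STARTTLS."""
import re
import smtplib
import ssl

_CODE = re.compile(r"^\d{3}[ -]")  # "250-" / "250 " prefix of a raw EHLO line


def parse_ehlo(ehlo_text):
    """Turn an EHLO reply into {KEYWORD: params}.

    Accepts either a raw transcript (lines prefixed with "250-") or the
    bytes smtplib stores in SMTP.ehlo_resp. The first line is the server
    greeting and is skipped."""
    if isinstance(ehlo_text, bytes):
        ehlo_text = ehlo_text.decode("ascii", "replace")
    feats = {}
    for line in ehlo_text.splitlines()[1:]:
        parts = _CODE.sub("", line).strip().split(None, 1)
        if parts:
            feats[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return feats


def plaintext_auth_findings(pre_tls, post_tls=None):
    """Compare features seen before and after STARTTLS with the policy.

    post_tls is None when STARTTLS was not available. An empty list means
    the server only accepts credentials over an encrypted session."""
    findings = []
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not advertised: clients cannot encrypt")
    if "AUTH" in pre_tls:
        findings.append(f"AUTH ({pre_tls['AUTH']}) offered before STARTTLS: "
                        "password may travel in the clear")
    if post_tls is not None and "AUTH" not in post_tls:
        findings.append("AUTH missing after STARTTLS: authenticated submission impossible")
    return findings


def audit_submission(host, port=587, timeout=10):
    """Live check: capture EHLO before and after STARTTLS, return findings."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = parse_ehlo(s.ehlo_resp)
        post = None
        if "STARTTLS" in pre:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()  # features must be re-read after the TLS handshake
            post = parse_ehlo(s.ehlo_resp)
    return plaintext_auth_findings(pre, post)
```

Run `audit_submission("mail.example.test")` against your own submission host; a server that still advertises AUTH in the first EHLO is the configuration this thread is trying to rule out.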

---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
     Vickers Consulting Group offers Qmailtoaster support and installations.
       If you need professional help with your setup, contact them today!
