Thanks Andy. Just to be sure on this: I had the impression that
STARTTLS could be used also with port 143? At least reading
https://wiki.dovecot.org/SSL indicates so:

"Clients using STARTTLS work by connecting to the regular unencrypted
port and immediately issue a STARTTLS command, after which the session
is encrypted."

So it shouldn't matter if I use 143 or 993 as a port?

My users should all use TLS (configured to their clients). I'm still
wondering about the DIGEST-MD5: what is that auth mechanism for and
why did my toaster conf use it? Anything bad that can happen by
removing it? And what is the difference between PLAIN and LOGIN auth
mechanisms? Are there client configs for Outlook / Thunderbird / Apple
Mail that could be broken by this?

Best,
Peter
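As an added example (not part of this thread, and not Dovecot's or qmailtoaster's own code), following Andy's point that STARTTLS must be "required" rather than "if available": the script below reads the IMAP CAPABILITY line a client sees on port 143 before any TLS and reports whether the server would accept plaintext credentials on that connection; a server that requires TLS advertises STARTTLS and LOGINDISABLED and withholds AUTH=PLAIN / AUTH=LOGIN until after STARTTLS. The sample capability lines are constructed, and the `host` argument of the live check is an assumption.

```python
import imaplib
import ssl

# Constructed sample CAPABILITY lines (not captured from any real server).
CAP_TLS_REQUIRED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
CAP_PLAINTEXT_OK = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5"


def assess_capability(line: str) -> dict:
    """Inspect an untagged IMAP CAPABILITY line as seen before STARTTLS.

    Returns whether STARTTLS is offered, whether the LOGIN command is
    blocked (LOGINDISABLED), which SASL mechanisms are advertised, and
    whether a client could end up sending its password in clear on
    this connection (LOGIN allowed, or PLAIN/LOGIN offered pre-TLS).
    """
    caps = line.strip().split()
    if caps[:2] == ["*", "CAPABILITY"]:
        caps = caps[2:]
    upper = {c.upper() for c in caps}
    mechs = sorted(c[len("AUTH="):] for c in upper if c.startswith("AUTH="))
    login_disabled = "LOGINDISABLED" in upper
    exposed = (not login_disabled) or any(m in ("PLAIN", "LOGIN") for m in mechs)
    return {
        "starttls": "STARTTLS" in upper,
        "login_disabled": login_disabled,
        "mechanisms": mechs,
        "plaintext_exposed": exposed,
    }


def check_port_143(host: str, timeout: float = 10.0) -> dict:
    """Live check (needs network, not run offline): connect in clear to
    port 143, assess the pre-TLS capabilities, then confirm STARTTLS
    really negotiates and record the mechanisms offered afterwards."""
    conn = imaplib.IMAP4(host, 143, timeout=timeout)
    try:
        _, data = conn.capability()
        result = assess_capability("* CAPABILITY " + data[0].decode())
        if result["starttls"]:
            conn.starttls(ssl.create_default_context())
            _, data = conn.capability()
            after = assess_capability("* CAPABILITY " + data[0].decode())
            result["post_tls_mechanisms"] = after["mechanisms"]
        return result
    finally:
        conn.logout()
```

Running `assess_capability` on the two sample lines shows the difference: the first reports no plaintext exposure, the second reports exposure because LOGIN is not disabled and PLAIN/LOGIN are offered before encryption.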



On Tue, Aug 14, 2018 at 11:25 AM, Andrew Swartz <awswa...@acsalaska.net> wrote:
> Peter,
>
> If you are using ports 110/143, which are clear-text, then you should
> switch to 993/995 (if possible, of course).
>
> Ports 993/995 are never intentionally clear-text; they are either TLS or
> STARTTLS. Many servers/clients can be configured for either, but they
> cannot be configured for both because the initial protocol sequences are
> incompatible.
>
> If 993/995 are configured for TLS, you can use PLAIN auth method and not
> give it another thought.
>
> But if configured for STARTTLS, it must be set to "require" STARTTLS
> rather than just "if available".  If you can "require" STARTTLS, then
> PLAIN auth is secure because the login cannot be sent unencrypted.
>
> But if the connection is configured as "STARTTLS if available", then
> failure to initiate the STARTTLS will result in continuing with a clear
> text session.  In this scenario, a PLAIN auth would be very dangerous.
>
> Hope this helps.
>
> -Andy
>
>
> On 8/13/2018 11:43 PM, Peter Peltonen wrote:
>> Thanks for the suggestions!
>>
>> So if I have only plain and login auth mechanisms enabled, what does
>> that mean in practice security wise?
>>
>> Any ideas why the error is happening sometimes but not always and why
>> auth_cache settings would fix the problem? Is it related to caching
>> credentials for different devices / clients for same account?
>>
>> Best,
>> Peter
>>
>> On Tue, Aug 14, 2018 at 5:52 AM, Eric Broch <ebr...@whitehorsetc.com> wrote:
>>> I'd remove DIGEST-MD5 from 'auth_mechanisms'.
>>>
>>>
>>>
>>> On 8/13/2018 3:01 PM, Peter Peltonen wrote:
>>>>
>>>> I have a user with Outlook 2016 having this error appearing in the
>>>> Dovecot logs and not being able to log in when it occurs.
>>>>
>>>> The strange thing is that if I restart dovecot then the Outlook can
>>>> login and no error:
>>>>
>>>> method=DIGEST-MD5, rip=xxx, lip=yyy, mpid=23280, TLS
>>>>
>>>> What I have for auth mechanisms in toaster.conf is:
>>>>
>>>> auth_mechanisms = plain login digest-md5
>>>>
>>>> I thought it was a dovecot cache issue and I changed
>>>>
>>>>    cache_key=%u
>>>>
>>>> to
>>>>
>>>>    cache_key=%u%r
>>>>
>>>> but the problem reappeared after a week.
>>>>
>>>> This is an old QMT installation on COS5.
>>>>
>>>> Best,
>>>> Peter
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>>>>
>>>
>>> --
>>> Eric Broch
>>> White Horse Technical Consulting (WHTC)
>>>
>>>
>>>
>>>
>>
>>
>>
>
> --
> Andrew W. Swartz, MD
> Departments of Emergency Medicine, Family Medicine, and Surgery
> Yukon-Kuskokwim Delta Regional Hospital
> Bethel, Alaska
>
