[Dovecot] disable_plaintext_auth = no as no effect on IMAP/POP3 logins
Hello
In my installation the disable_plaintext_auth does not appear to take
effect.
I can see that the value is correct using doveconf -a but it doesn't
change anything.
Whenever attempting to log in using IMAP I get this:
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but
your client did it anyway. If anyone was listening, the password was
exposed.
ls NO [PRIVACYREQUIRED] Plaintext authentication disallowed on
non-secure (SSL/TLS) connections.
POP3 login attempts give this error:
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections
Besides adding disable_plaintext_auth=no to dovecot.conf I also tried
adding it specifically to the imap section.
I also tried to invoke it just for certain networks, like this:
remote 0.0.0.0 {
disable_plaintext_auth = no
}
But none of this takes any effect either. Adding the testing network as
trusted networks is working fine removing the error.
But I would rather not add the whole internet to the trusted network
section just to allow plain text logins in imap.
I'm in the process of migrating form 1.1 to 2.1 so this configuration is
for testing things out and is mainly based on the default configuration
files comming with the centos installation.
I should add that everything else in this setup is working fine.
I did many searches for information on this topic but nothing I could
find apply to my case.
I'm sorry to post such a long conf but I'm not sure what parts I could
have safely omitted.
Here goes:
# doveconf -a
# 2.1.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-220.17.1.el6.x86_64 x86_64 CentOS release 6.2 (Final)
auth_anonymous_username = anonymous
auth_cache_negative_ttl = 2 mins
auth_cache_size = 0
auth_cache_ttl = 2 mins
auth_debug = no
auth_debug_passwords = no
auth_default_realm = plain
auth_failure_delay = 2 secs
auth_first_valid_uid = 500
auth_gssapi_hostname =
auth_krb5_keytab =
auth_last_valid_uid = 0
auth_master_user_separator =
auth_mechanisms = plain
auth_realms = plain login digest-md5 cram-md5 apop ntlm
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_use_winbind = no
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu
auth_username_translation =
auth_verbose = no
auth_verbose_passwords = no
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_worker_max_count = 30
base_dir = /var/run/dovecot
config_cache_size = 1 M
debug_log_path =
default_client_limit = 1000
default_idle_kill = 1 mins
default_internal_user = dovecot
default_login_user = dovenull
default_process_limit = 100
default_vsz_limit = 256 M
deliver_log_format = msgid=%m: %$
dict_db_config =
director_doveadm_port = 0
director_mail_servers =
director_servers =
director_user_expire = 15 mins
disable_plaintext_auth = no
dotlock_use_excl = no
doveadm_allowed_commands =
doveadm_password =
doveadm_proxy_port = 0
doveadm_socket_path = doveadm-server
doveadm_worker_count = 0
dsync_alt_char = _
first_valid_gid = 1
first_valid_uid = 105
hostname = usrmta01.talkactive.net
imap_capability =
imap_client_workarounds =
imap_id_log =
imap_id_send =
imap_idle_notify_interval = 2 mins
imap_logout_format = in=%i out=%o
imap_max_line_length = 64 k
imapc_host =
imapc_master_user =
imapc_password =
imapc_port = 143
imapc_rawlog_dir =
imapc_ssl = no
imapc_ssl_ca_dir =
imapc_ssl_verify = yes
imapc_user = %u
import_environment = TZ
info_log_path = /var/log/dovecot/dovecot.run
instance_name = dovecot
last_valid_gid = 0
last_valid_uid = 0
lda_mailbox_autocreate = no
lda_mailbox_autosubscribe = no
lda_original_recipient_header =
libexec_dir = /usr/libexec/dovecot
listen = *, ::
lmtp_proxy = no
lmtp_save_to_detail_mailbox = no
lock_method = fcntl
log_path = /var/log/dovecot/dovecot.err
log_timestamp = %b %d %H:%M:%S
login_access_sockets =
login_greeting = Dovecot ready.
login_log_format = %$: %s
login_log_format_elements = user=%u method=%m rip=%r lip=%l mpid=%e %c
login_trusted_networks =
mail_access_groups =
mail_attachment_dir =
mail_attachment_fs = sis posix
mail_attachment_hash = %{sha1}
mail_attachment_min_size = 128 k
mail_cache_fields = flags
mail_cache_min_mail_count = 0
mail_chroot =
mail_debug = no
mail_fsync = always
mail_full_filesystem_access = no
mail_gid =
mail_home =
mail_location =
mail_log_prefix = %s(%u):
mail_max_keyword_length = 50
mail_max_lock_timeout = 0
mail_max_userip_connections = 10
mail_never_cache_fields = imap.envelope
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugin_dir = /usr/lib64/dovecot
mail_plugins = quota
mail_prefetch_count = 0
mail_privileged_group =
mail_save_crlf = no
mail_temp_dir = /tmp
mail_uid =
mailbox_idle_check_interval = 30 secs
mailbox_list_index = no
maildir_broken_filename_sizes = no
maildir_copy_with_hardlinks = yes
maildir_stat_dirs = no
maildir_very_dirty_syncs = no
master_user_separator =
mbox_dirty_syncs = yes
mbox_dotlock_change_timeout = 2 mins
Re: [Dovecot] disable_plaintext_auth = no as no effect on IMAP/POP3 logins
I just found the solution by coincidence.
It appears there is a configuration file named:
/etc/dovecot/conf.d/10-ssl.conf
In that file the following line was active ssl = required
That setting apparently overrides what disable_plaintext_auth has to say.
After commenting out the ssl=required entry everything works as expected :-)
Regards, Mikkel
Den 14/06/12 10.14, Mikkel skrev:
Hello
In my installation the disable_plaintext_auth does not appear to take
effect.
I can see that the value is correct using doveconf -a but it doesn't
change anything.
Whenever attempting to log in using IMAP I get this:
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but
your client did it anyway. If anyone was listening, the password was
exposed.
ls NO [PRIVACYREQUIRED] Plaintext authentication disallowed on
non-secure (SSL/TLS) connections.
POP3 login attempts give this error:
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS)
connections
Besides adding disable_plaintext_auth=no to dovecot.conf I also tried
adding it specifically to the imap section.
I also tried to invoke it just for certain networks, like this:
remote 0.0.0.0 {
disable_plaintext_auth = no
}
But none of this takes any effect either. Adding the testing network as
trusted networks is working fine removing the error.
But I would rather not add the whole internet to the trusted network
section just to allow plain text logins in imap.
I'm in the process of migrating form 1.1 to 2.1 so this configuration is
for testing things out and is mainly based on the default configuration
files comming with the centos installation.
I should add that everything else in this setup is working fine.
I did many searches for information on this topic but nothing I could
find apply to my case.
I'm sorry to post such a long conf but I'm not sure what parts I could
have safely omitted.
Here goes:
# doveconf -a
# 2.1.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-220.17.1.el6.x86_64 x86_64 CentOS release 6.2 (Final)
auth_anonymous_username = anonymous
auth_cache_negative_ttl = 2 mins
auth_cache_size = 0
auth_cache_ttl = 2 mins
auth_debug = no
auth_debug_passwords = no
auth_default_realm = plain
auth_failure_delay = 2 secs
auth_first_valid_uid = 500
auth_gssapi_hostname =
auth_krb5_keytab =
auth_last_valid_uid = 0
auth_master_user_separator =
auth_mechanisms = plain
auth_realms = plain login digest-md5 cram-md5 apop ntlm
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_use_winbind = no
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu
auth_username_translation =
auth_verbose = no
auth_verbose_passwords = no
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_worker_max_count = 30
base_dir = /var/run/dovecot
config_cache_size = 1 M
debug_log_path =
default_client_limit = 1000
default_idle_kill = 1 mins
default_internal_user = dovecot
default_login_user = dovenull
default_process_limit = 100
default_vsz_limit = 256 M
deliver_log_format = msgid=%m: %$
dict_db_config =
director_doveadm_port = 0
director_mail_servers =
director_servers =
director_user_expire = 15 mins
disable_plaintext_auth = no
dotlock_use_excl = no
doveadm_allowed_commands =
doveadm_password =
doveadm_proxy_port = 0
doveadm_socket_path = doveadm-server
doveadm_worker_count = 0
dsync_alt_char = _
first_valid_gid = 1
first_valid_uid = 105
hostname = usrmta01.talkactive.net
imap_capability =
imap_client_workarounds =
imap_id_log =
imap_id_send =
imap_idle_notify_interval = 2 mins
imap_logout_format = in=%i out=%o
imap_max_line_length = 64 k
imapc_host =
imapc_master_user =
imapc_password =
imapc_port = 143
imapc_rawlog_dir =
imapc_ssl = no
imapc_ssl_ca_dir =
imapc_ssl_verify = yes
imapc_user = %u
import_environment = TZ
info_log_path = /var/log/dovecot/dovecot.run
instance_name = dovecot
last_valid_gid = 0
last_valid_uid = 0
lda_mailbox_autocreate = no
lda_mailbox_autosubscribe = no
lda_original_recipient_header =
libexec_dir = /usr/libexec/dovecot
listen = *, ::
lmtp_proxy = no
lmtp_save_to_detail_mailbox = no
lock_method = fcntl
log_path = /var/log/dovecot/dovecot.err
log_timestamp = %b %d %H:%M:%S
login_access_sockets =
login_greeting = Dovecot ready.
login_log_format = %$: %s
login_log_format_elements = user=%u method=%m rip=%r lip=%l mpid=%e %c
login_trusted_networks =
mail_access_groups =
mail_attachment_dir =
mail_attachment_fs = sis posix
mail_attachment_hash = %{sha1}
mail_attachment_min_size = 128 k
mail_cache_fields = flags
mail_cache_min_mail_count = 0
mail_chroot =
mail_debug = no
mail_fsync = always
mail_full_filesystem_access = no
mail_gid =
mail_home =
mail_location =
mail_log_prefix = %s(%u):
mail_max_keyword_length = 50
mail_max_lock_timeout = 0
mail_max_userip_connections = 10
mail_never_cache_fields = imap.envelope
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugin_dir = /usr/lib64/dovecot
mail_plugins = quota
