dovecot: trying to block non-encrypted connections

0

Short and simple -- I don't understand why this is still working.

My configs have

disable_plaintext_auth = yes
ssl = required

which, according to the docs, means

SSL/TLS is always required, even if non-plaintext authentication mechanisms are used. Any attempt to authenticate before SSL/TLS is enabled will cause an authentication failure.

And yet I can still

$ telnet 0 110
+OK Dovecot ready.
user xxxxxx
+OK
pass xxxxxx
+OK Logged in.
list
+OK 2 messages:
1 3761
2 4057
.
quit

What am I doing wrong?

hymie

Posted 2016-09-25T23:46:21.340


Answers

1

Note that plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they're assumed to be secure anyway. This applies to all connections where the local and the remote IP addresses are equal. Also IP ranges specified by login_trusted_networks setting are assumed to be secure.

http://wiki.dovecot.org/SSL/DovecotConfiguration

Kondybas

Posted 2016-09-25T23:46:21.340


D'oh! Thank you very much. Indeed I get the expected error from remote hosts. – hymie – 2016-09-26T12:11:39.333
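
An added example, not part of the answer above and not Dovecot's own code: a small Python model of the exemption rule quoted in the answer, applied to the two settings from the question. The `login_trusted_networks` value and all IP addresses are constructed, and parsing only top-level `key = value` lines is a simplifying assumption.

```python
import ipaddress

# Constructed sample: the question's two settings plus a made-up trusted range.
SAMPLE_CONF = """\
disable_plaintext_auth = yes
ssl = required
login_trusted_networks = 10.0.0.0/8   # constructed value
"""

def parse_settings(conf_text):
    """Parse top-level `key = value` lines; comments and blanks are skipped."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def is_exempt(settings, local_ip, remote_ip):
    """Rule quoted in the answer: local == remote, or remote in a trusted range."""
    local = ipaddress.ip_address(local_ip)
    remote = ipaddress.ip_address(remote_ip)
    if local == remote:
        return True
    nets = settings.get("login_trusted_networks", "").split()
    return any(remote in ipaddress.ip_network(n, strict=False) for n in nets)

def plaintext_login_allowed(settings, local_ip, remote_ip, tls_active=False):
    """Model (an assumption, not Dovecot's code) of whether USER/PASS succeeds."""
    if tls_active or is_exempt(settings, local_ip, remote_ip):
        return True
    if settings.get("ssl") == "required":
        return False
    return settings.get("disable_plaintext_auth", "yes") != "yes"

if __name__ == "__main__":
    conf = parse_settings(SAMPLE_CONF)
    # (local, remote) pairs are constructed test addresses.
    for local, remote in [("127.0.0.1", "127.0.0.1"),
                          ("192.0.2.10", "198.51.100.7"),
                          ("192.0.2.10", "10.1.2.3")]:
        verdict = "allowed" if plaintext_login_allowed(conf, local, remote) else "refused"
        print(f"{local} <- {remote}: plaintext login without TLS {verdict}")
```

A test of `ssl = required` is only meaningful when run from a host whose address is neither the server's own nor inside `login_trusted_networks`.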