methodtwo Apprentice
Joined: 01 Feb 2008 Posts: 231
Posted: Fri Jun 10, 2011 5:40 am Post subject: mutt with dovecot imaps questions
Hi
I can connect from my mutt client box to my dovecot server after mkcert.sh has been run and the cert and key are in the correct location (according to dovecot config file) and "enable_plaintext_authentication = no" is also in the dovecot.conf. Does this mean that user authentication is being performed by SSL or just that SSL is protecting an interior protocol that performs its own authentication?
If I run:
Code:
#openssl s_client -quiet -connect my_dovecot_server.domain:993
I get this in response:
Code:
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
What confused me was that I read somewhere that in an imaps connection the client sent the server a public key. I can connect from the mutt client host by typing my password. But, like I said before, is proper SSL authentication happening? To get proper encrypted authentication and sessions do you have to be your own CA (and give the client host a cert) or go to an official CA etc, or does the response I received and the fact that I can connect when enable_plaintext_authentication = no indicate that I've already got these things? Or just one of them (authentication)? I will post my configs if necessary.
Thank you very much for shedding some light on the subject
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sat Jun 11, 2011 3:49 pm Post subject:
AFAIK, that setting is actually backwards
it should be:
Code:
disable_plaintext_auth = yes
what that does is this: if you are connecting via IMAPS (993), you can use AUTH=LOGIN,AUTH=PLAIN,CRAM-MD5,DIGEST-MD5, or anything else (I forget the other secure login types)
but if you are connecting over standard IMAP, setting disable_plaintext_auth will mean that you have to use CRAM-MD5 or some other type of secure login, and cannot use AUTH=LOGIN or AUTH=PLAIN.
That doesn't control SSL/non-SSL, that setting controls what auth types you allow over non-SSL connections.
if you only want to allow connections over SSL-enabled sockets, you'd want to adjust the protocols setting like so:
which would disallow non-SSL connections entirely. Note that if you go this route of only allowing IMAPS, enabling LOGIN/PLAIN auth is perfectly safe, as it will take place over an SSL-enabled socket.
more info here: http://wiki.dovecot.org/Authentication
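The distinction cach0rr0 draws (disable_plaintext_auth only governs cleartext sockets; AUTH=PLAIN/LOGIN inside an SSL session is fine) can be checked from the greeting itself. This is an added example, not code from the thread or from Dovecot: it classifies an IMAP greeting by whether a password could travel in clear, and reuses the s_client command above for a live IMAPS probe. The two port-143 greetings are constructed samples; the 993 one is the banner quoted in the question, and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: classify a Dovecot IMAP greeting by
# whether a password could travel in clear. The 143 greetings are constructed
# samples; the 993 one is the banner quoted above; host/port are placeholders.

# audit_imap_banner "<greeting>" <tls|plain>
# tls   = greeting read inside an SSL/TLS session (port 993 via s_client)
# plain = greeting read on a cleartext socket (port 143 before STARTTLS)
audit_imap_banner() {
    banner=$1
    transport=$2
    # Pull the capability list out of "* OK [CAPABILITY ...] Dovecot ready."
    caps=$(printf '%s\n' "$banner" | sed -n 's/.*\[CAPABILITY \([^]]*\)\].*/\1/p')
    if [ -z "$caps" ]; then
        printf '%s\n' "no-capability-in-greeting"
        return 0
    fi
    if [ "$transport" = tls ]; then
        # AUTH=PLAIN / AUTH=LOGIN are fine here: the whole exchange is encrypted
        printf '%s\n' "ok-inside-tls"
        return 0
    fi
    # On a cleartext socket, LOGINDISABLED is what disable_plaintext_auth = yes
    # makes Dovecot advertise; without it LOGIN/AUTH=PLAIN would expose the password.
    case " $caps " in
        *" LOGINDISABLED "*) printf '%s\n' "cleartext-login-disabled" ;;
        *)                   printf '%s\n' "plaintext-auth-over-cleartext" ;;
    esac
}

# Live greeting over IMAPS, using the s_client invocation from the thread.
# LOGOUT is sent so the server closes the session instead of waiting for input.
probe_imaps() {
    printf 'a LOGOUT\r\n' | openssl s_client -quiet -connect "$1:$2" 2>/dev/null | head -n 1
}

# Sample greetings (port-143 ones constructed for this example)
SAMPLE_993='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.'
SAMPLE_143_HARDENED='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready.'
SAMPLE_143_WEAK='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.'

# Run as: sh audit.sh my_dovecot_server.domain 993   (placeholder host)
if [ "$#" -eq 2 ]; then
    audit_imap_banner "$(probe_imaps "$1" "$2")" tls
else
    audit_imap_banner "$SAMPLE_993" tls
    audit_imap_banner "$SAMPLE_143_HARDENED" plain
    audit_imap_banner "$SAMPLE_143_WEAK" plain
fi
```

With no arguments the script classifies the three samples offline; the port-143 greeting for a live server can be fed to the same function after reading it with any cleartext client.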
methodtwo Apprentice
Joined: 01 Feb 2008 Posts: 231
Posted: Sun Jun 12, 2011 5:25 am Post subject:
So a safe way to protect clients is to use the settings I've already got. However, if I want to make it so that no client may log in unless I trust them, then I need to be my own CA or go to an "official CA" and issue certs to my clients? Or use netfilter and settle for just offering IMAPS for internal clients.
Thanks for your reply btw
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sun Jun 12, 2011 1:10 pm Post subject:
client certs as opposed to username+pass basically eliminates the possibility of a brute-forced or otherwise compromised login granting anyone access (unless of course, the machine where the client cert exists gets owned, then all bets are off)
at the expense of a large amount of convenience, and you do have to show your users how to use a client cert, but it does remove that threat
http://wiki1.dovecot.org/SSL/DovecotConfiguration
under "Client certificate verification/authentication"