mutt with dovecot imaps questions
methodtwo
Apprentice
Joined: 01 Feb 2008
Posts: 231
Posted: Fri Jun 10, 2011 5:40 am    Post subject: mutt with dovecot imaps questions

Hi
I can connect from my mutt client box to my dovecot server after mkcert.sh has been run and the cert and key are in the correct location (according to the dovecot config file), and "enable_plaintext_authentication = no" is also in the dovecot.conf. Does this mean that user authentication is being performed by SSL, or just that SSL is protecting an interior protocol that performs its own authentication?
If I run:
Code:
#openssl s_client -quiet -connect my_dovecot_server.domain:993

I get this in response:
Code:
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

What confused me was that I read somewhere that in an imaps connection the client sent the server a public key. I can connect from the mutt client host by typing my password. But, like I said before, is proper SSL authentication happening? To get proper encrypted authentication and sessions, do you have to be your own CA (and give the client host a cert) or go to an official CA etc., or does the response I received, and the fact that I can connect when enable_plaintext_authentication = no, indicate that I've already got these things? Or just one of them (authentication)? I will post my configs if necessary.
Thank you very much for shedding some light on the subject.
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Sat Jun 11, 2011 3:49 pm

AFAIK, that setting is actually backwards

it should be:
Code:
disable_plaintext_auth = yes

What that does is this: if you are connecting via IMAPS (993), you can use AUTH=LOGIN, AUTH=PLAIN, CRAM-MD5, DIGEST-MD5, or anything else (I forget the other secure login types),
but if you are connecting over standard IMAP, setting disable_plaintext_auth will mean that you have to use CRAM-MD5 or some other type of secure login, and cannot use AUTH=LOGIN or AUTH=PLAIN.

That doesn't control SSL/non-SSL, that setting controls what auth types you allow over non-SSL connections.

If you only want to allow connections over SSL-enabled sockets, you'd want to adjust the protocols setting like so:
Code:
protocols = imaps

which would disallow non-SSL connections entirely. Note that if you go this route of only allowing IMAPS, enabling LOGIN/PLAIN auth is perfectly safe, as it will take place over an SSL-enabled socket.

More info here: http://wiki.dovecot.org/Authentication
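A small checker, added here as an example and not part of the thread or of Dovecot, that parses the greeting methodtwo pasted above and applies the rule cach0rr0 describes: PLAIN and LOGIN are acceptable only inside TLS (the IMAPS port or after STARTTLS), while a cleartext port should advertise STARTTLS, mark the LOGIN command as LOGINDISABLED and offer only non-plaintext mechanisms such as CRAM-MD5. The first greeting is the one quoted in the thread; the second is a constructed sample of what a cleartext port with disable_plaintext_auth = yes might return. Function names are this example's own.

```python
"""Check the SASL mechanisms an IMAP greeting advertises against a
"no plaintext authentication over a cleartext socket" policy.

Added example; not from the forum thread and not Dovecot code.
"""
import re

# Mechanisms that transmit the password itself (base64 is not protection),
# so they are acceptable only inside a TLS session.
PLAINTEXT_MECHANISMS = {"PLAIN", "LOGIN"}

# The greeting quoted in the thread, as returned on the IMAPS port (993).
GREETING_IMAPS = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "AUTH=PLAIN AUTH=LOGIN] Dovecot ready."
)

# Constructed sample: a cleartext port (143) that refuses plaintext logins.
# STARTTLS and LOGINDISABLED are standard IMAP capabilities (RFC 2595);
# the exact token set here is an assumption made for this example.
GREETING_CLEARTEXT = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "STARTTLS LOGINDISABLED AUTH=CRAM-MD5] Dovecot ready."
)


def parse_capabilities(greeting):
    """Return the tokens of the '[CAPABILITY ...]' response code, upper-cased."""
    match = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    if match is None:
        raise ValueError("greeting carries no CAPABILITY response code")
    return [token.upper() for token in match.group(1).split()]


def advertised_mechanisms(capabilities):
    """Extract SASL mechanism names from AUTH=<name> tokens (sorted for stable output)."""
    return sorted(cap[len("AUTH="):] for cap in capabilities if cap.startswith("AUTH="))


def check_auth_policy(greeting, over_tls):
    """Evaluate one greeting for the socket it was received on.

    over_tls is True for a connection to the IMAPS port (or after STARTTLS
    completed), False for a bare cleartext socket. The result is acceptable
    when no plaintext mechanism is offered on a cleartext socket.
    """
    caps = parse_capabilities(greeting)
    mechanisms = advertised_mechanisms(caps)
    plaintext = [m for m in mechanisms if m in PLAINTEXT_MECHANISMS]
    return {
        "mechanisms": mechanisms,
        "plaintext_offered": plaintext,
        "starttls": "STARTTLS" in caps,
        "logindisabled": "LOGINDISABLED" in caps,
        "ok": over_tls or not plaintext,
    }


def report(greeting, over_tls):
    """Human-readable summary for one greeting; returns the verdict as well."""
    result = check_auth_policy(greeting, over_tls)
    where = "TLS socket" if over_tls else "cleartext socket"
    verdict = "OK" if result["ok"] else "PLAINTEXT AUTH EXPOSED"
    print(f"{where}: mechanisms={result['mechanisms']} "
          f"starttls={result['starttls']} logindisabled={result['logindisabled']} -> {verdict}")
    return result


if __name__ == "__main__":
    # Over IMAPS the PLAIN/LOGIN offer is fine; on a cleartext port it is not.
    report(GREETING_IMAPS, over_tls=True)
    report(GREETING_IMAPS, over_tls=False)
    report(GREETING_CLEARTEXT, over_tls=False)
```

To use it against a real server, paste the `* OK [CAPABILITY ...]` line that `openssl s_client -connect host:993` prints into `report(..., over_tls=True)`, and the line a plain `nc host 143` prints into `report(..., over_tls=False)`; the second call is the one that tells you whether disable_plaintext_auth is actually in effect.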
methodtwo
Apprentice
Joined: 01 Feb 2008
Posts: 231
Posted: Sun Jun 12, 2011 5:25 am

So a safe way to protect clients is to use the settings I've already got. However, if I want to make it so that no client may log in unless I trust them, then I need to be my own CA or go to an "official CA" and issue certs to my clients? Or use netfilter and settle for just offering IMAPS for internal clients?
Thanks for your reply, btw.
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Sun Jun 12, 2011 1:10 pm

Client certs, as opposed to username+pass, basically eliminate the possibility of a brute-forced or otherwise compromised login granting anyone access (unless, of course, the machine where the client cert exists gets owned; then all bets are off),
at the expense of a large amount of convenience, and you do have to show your users how to use a client cert, but it does remove that threat.

http://wiki1.dovecot.org/SSL/DovecotConfiguration

Under "Client certificate verification/authentication".