Force StartTLS/SSL on IMAP AUTH

CorSch · Nov 19, 2016

Hi,

could you please set "disable_plaintext_auth" to "yes" as a default in the dovecot.conf file?
This option will force the usage of StartTLS instead of plantext for IMAP (TCP/143) Login.
http://wiki.dovecot.org/SSL

Best Regards,
Corvin

sjau · Nov 19, 2016

I tend to think this is a good suggestion

CorSch · Feb 4, 2017

After reading the dovecot SSL documentation at http://wiki.dovecot.org/SSL/DovecotConfiguration
I would recommend to add ssl=required instead of disable_plaintext_auth=yes.

The main difference between ssl=required and disable_plaintext_auth=yes is that if ssl=required, it guarantees that the entire connection is protected against eavesdropping (SSL/TLS encrypts the rest of the connection), while disable_plaintext_auth=yes only guarantees that the password is protected against eavesdropping (SASL mechanism is encrypted, but no SSL/TLS is necessarily used). Nowadays you most likely should be using SSL/TLS anyway for the entire connection, since the cost of SSL/TLS is cheap enough. Using both SSL/TLS and non-plaintext authentication would be the ideal situation since it protects the plaintext password even against man-in-the-middle attacks.
Click to expand...

elmacus · Jul 13, 2018

"ssl=required"
This would be "best practise", people who wants to run unsecure should need to disable security.

Log in or Sign up

Force StartTLS/SSL on IMAP AUTH

CorSch New Member

sjau Local Meanie Moderator

CorSch New Member

elmacus Active Member

Share This Page

Log in or Sign up

Force StartTLS/SSL on IMAP AUTH

CorSch New Member

sjau Local Meanie Moderator

CorSch New Member

elmacus Active Member

Share This Page

Useful Searches