Dovecot ssl

Last updated: 2017-05-08

Introduction

  • TLS (Port 110/143)
  • Secure POP3 (SSL-POP) - Port 995
  • IMAP4 over SSL (IMAPS) - Port 993

Contents

Dovecot version 1.x
Dovecot version 2.x

 


Dovecot version 1.x

 

Setting

protocols = imap imaps pop3 pop3s

ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file  = /etc/postfix/smtpd.key

On success, the log shows:

imap-login: Login: user=<test@x.x>, method=PLAIN, rip=n.n.n.n, lip=m.m.m.m, TLS

 


Dovecot version 2.x

 

SSL Setting

# ssl = required
ssl = yes

verbose_ssl = no

# root:root 0444
ssl_cert = </etc/pki/tls/certs/dovecot.pem

# root:root 0400
ssl_key  = </etc/pki/tls/private/dovecot.key

Disabling SSL in Dovecot 2

# Add this setting if it is not already present

If SSL still cannot be disabled with "protocols = pop3 imap"

then try the following setting:

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 0
  }
}

Whether clients must log in over SSL

# Default: yes
# disable_plaintext_auth=yes AND ssl=required  => STARTTLS is mandatory
# disable_plaintext_auth=no AND ssl=yes          => allow plain password

disable_plaintext_auth = yes

# Allow plain text password per IP address/net

remote 192.168.0.0/24 {
   disable_plaintext_auth = no
}

output:

* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
. NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
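
Added example (not part of the original notes): a log audit that uses the login line format shown above to find PLAIN/LOGIN logins that were not marked TLS, and checks each one against the `remote 192.168.0.0/24` exemption. The sample log lines, the `audit` function name and the handling of a `secured` marker are assumptions.

```python
import ipaddress
import re

# Networks exempted by a `remote ... { disable_plaintext_auth = no }` block.
PLAINTEXT_ALLOWED = [ipaddress.ip_network("192.168.0.0/24")]
CLEARTEXT_METHODS = {"PLAIN", "LOGIN"}  # mechanisms that send the password as-is

# Successful-login line in the format shown on this page (commas optional).
LOGIN_RE = re.compile(
    r"(?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>,?\s+"
    r"method=(?P<method>[\w-]+),?\s+rip=(?P<rip>[0-9A-Fa-f.:]+)(?P<rest>.*)$"
)

def audit(lines, allowed=PLAINTEXT_ALLOWED):
    """Return (user, rip, method, verdict) for cleartext logins without TLS."""
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m or m["method"].upper() not in CLEARTEXT_METHODS:
            continue  # not a successful login, or not a cleartext mechanism
        flags = set(re.split(r"[,\s]+", m["rest"].strip(", ")))
        # "TLS" is the marker shown on this page; "secured" (trusted/local
        # connection) is assumed from Dovecot's default login log format.
        if flags & {"TLS", "secured"}:
            continue
        try:
            ip = ipaddress.ip_address(m["rip"])
            verdict = "exempt" if any(ip in n for n in allowed) else "violation"
        except ValueError:
            verdict = "violation"  # unparseable address: do not trust it
        findings.append((m["user"], m["rip"], m["method"], verdict))
    return findings

# Constructed sample log lines (documentation addresses, not real data).
SAMPLE_LOG = [
    "May  8 10:00:01 mx dovecot: imap-login: Login: user=<alice@example.test>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS",
    "May  8 10:00:05 mx dovecot: imap-login: Login: user=<bob@example.test>, method=PLAIN, rip=192.168.0.23, lip=192.168.0.1",
    "May  8 10:00:09 mx dovecot: pop3-login: Login: user=<carol@example.test>, method=LOGIN, rip=203.0.113.50, lip=198.51.100.2",
    "May  8 10:00:12 mx dovecot: imap-login: Login: user=<dave@example.test>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured",
    "May  8 10:00:15 mx dovecot: imap-login: Disconnected (no auth attempts): rip=203.0.113.9, lip=198.51.100.2",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A `violation` verdict means a password crossed the network unencrypted from outside the exempt range, which points to `ssl = yes` combined with `disable_plaintext_auth = no` somewhere in the effective configuration.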