Last updated: 2017-05-08
Introduction
STARTTLS: Port 110/143
pop3s: Secure POP3 (SSL-POP) - Port 995
imaps: IMAP4 over SSL (IMAPS) - Port 993
Dovecot version 1.x
Setting
protocols = imap imaps pop3 pop3s
ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file = /etc/postfix/smtpd.key
On success, the log shows:
imap-login: Login: user=<[email protected]>, method=PLAIN, rip=n.n.n.n, lip=m.m.m.m, TLS
Dovecot version 2.x
SSL Setting
# ssl = required
ssl = yes
# for debug
verbose_ssl = no
# root:root 0444
ssl_cert = </etc/pki/tls/certs/dovecot.pem
# root:root 0400
ssl_key = </etc/pki/tls/private/dovecot.key
# Dovecot v2.1.17
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
Dovecot 2: disable SSL
# Add this setting if it is not already present
If SSL still cannot be disabled when "protocols = pop3 imap" is set,
try the following setting:
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 0
}
}
Whether clients must use SSL to log in
# Default: yes
# disable_plaintext_auth=yes AND ssl=required => STARTTLS is mandatory
# disable_plaintext_auth=no AND ssl=yes => allow plain password
disable_plaintext_auth = yes
# Allow plain text password per IP address/net
remote 192.168.0.0/24 {
disable_plaintext_auth = no
ssl = yes
}
Output:
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
. NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
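
An added example (not part of the original notes and not Dovecot's own code): a small Python check that applies the two rules from the comments above, together with the per-network remote override, to a constructed config and reports what a client at a given IP may do before TLS is negotiated. The function names, sample config and result labels are assumptions for illustration; ssl = yes is assumed as the default when the setting is absent, and Dovecot's handling of local connections is not modelled.

```python
import ipaddress

# Constructed sample built from the settings shown above (not a real server's config).
SAMPLE = """\
ssl = required
disable_plaintext_auth = yes
service imap-login {
  inet_listener imaps {
    port = 0
  }
}
remote 192.168.0.0/24 {
  disable_plaintext_auth = no
  ssl = yes
}
"""

def parse_conf(text):
    """Return (global settings, [(network, overrides)]) from Dovecot-style text."""
    globals_, remotes, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            scope, words = {}, line.split()
            if words[0] == "remote" and not stack:
                remotes.append((ipaddress.ip_network(words[1]), scope))
            stack.append(scope)          # non-remote blocks are parsed but ignored
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (stack[-1] if stack else globals_)[key] = value
    return globals_, remotes

def cleartext_policy(conf, client_ip):
    """What a client at client_ip may do before TLS is negotiated."""
    globals_, remotes = conf
    # Assumed Dovecot 2.x defaults when a setting is absent.
    s = {"ssl": "yes", "disable_plaintext_auth": "yes"}
    s.update(globals_)
    ip = ipaddress.ip_address(client_ip)
    for net, overrides in remotes:
        if ip in net:                    # later matching blocks override earlier ones
            s.update(overrides)
    if s["ssl"] == "required":
        return "starttls-mandatory"
    if s["disable_plaintext_auth"] == "no":
        return "plaintext-password-allowed"
    return "plaintext-refused"

if __name__ == "__main__":
    conf = parse_conf(SAMPLE)
    for ip in ("192.168.0.15", "203.0.113.9"):
        print(ip, cleartext_policy(conf, ip))
```

Running it over the output of doveconf -n before a reload shows which networks a remote block has exempted from the global ssl = required policy.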