I'm using Dovecot 2.1.15. I need to require encryption and only secure
auth on public addresses, but allow plaintext auth over an unencrypted
connection on localhost.
I have so far (excerpts from `doveconf -a`):
auth_mechanisms = cram-md5 plain
disable_plaintext_auth = yes
listen =
service imap-login {
inet_listener imap-local {
address = ::1
port = 143
ssl = no
}
inet_listener imap-pub {
address = 2001:db8::1
port = 993
ssl = yes
}
}
service managesieve-login {
inet_listener sieve-local {
address = ::1
port = 4190
ssl = no
}
inet_listener sieve-pub {
address = 2001:db8::1
port = 4190
ssl = no
}
}
The ssl option only seems to switch the inet_listener between using a
secure socket and using STARTTLS. How do I tell a given inet_listener
to do neither? How do I tell a given inet_listener to require STARTTLS
before allowing AUTH/SASL?
I would prefer to offer only CRAM-MD5 on the UGA/public ports, and only
PLAIN or at least also PLAIN on localhost. I tried adding
auth_mechanisms lines to each inet_listener block, but got parse errors.
How do I do this?
Dovecot seems to ignore disable_plaintext_auth = yes:
# telnet 2001:db8::1 4190
Trying 2001:db8::1...
Connected to host.example.com.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"SASL" "CRAM-MD5 PLAIN"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
--
Please reply on list.
