On 13/01/2019 at 00:22, Dominik Menke wrote:
For reference: if you put ssl=yes there, the TLS layer is established
immediately. However, the standard ManageSieve protocol does not
support that (not currently anyway): only the establishment of the
TLS layer using the STARTTLS command is part of the standard. That is
why your clients fail to connect: they're speaking plaintext while
the server is speaking TLS. Still, Dovecot supports configuring it
that way, which is what you did.
Regards,
Stephan.
I'm just surprised that ssl=yes leads to STARTTLS being disabled, as
per the wiki [1]:
With ssl=yes, the TLS layer is enabled immediately on the connection.
So, there is no need to perform STARTTLS. But worse, a client that
doesn't work this way will try to send "STARTTLS" in plaintext to a
service talking TLS already. This will obviously not work.
Regards,
Stephan.
> ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the
> client, but the client isn't required to use it. [...]
>
> ssl=yes and disable_plaintext_auth=yes: SSL/TLS is offered to the
> client, but the client isn't required to use it. [...]
>
> ssl=required: SSL/TLS is always required [...]. Any attempt to
> authenticate before SSL/TLS is enabled will cause an authentication
> failure.
Maybe this bit needs to be clarified a bit? I think I've read that
page a few times and it still didn't occur to me that this could be a
problem.
Best regards,
--Dominik
[1]: https://wiki.dovecot.org/SSL/DovecotConfiguration
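The failure mode Stephan describes above (a STARTTLS client speaking plaintext to a listener that already speaks TLS) and the ssl=yes / ssl=required settings quoted from the wiki, as an added example that is not part of this thread and is not Dovecot or Pigeonhole code: a small Python probe that connects to a ManageSieve port and reports whether the server greets in plaintext and advertises STARTTLS (the RFC 5804 sequence), greets in plaintext without STARTTLS, or stays silent because it is waiting for a TLS ClientHello (the immediate-TLS behaviour of ssl=yes on the inet_listener). The sample greetings are constructed, not captured from a real server, and the host name and helper names are illustrative.

```python
import re
import socket
import ssl

MANAGESIEVE_PORT = 4190

# Constructed sample greetings (not captured from a real server).
# A standard RFC 5804 server sends this in plaintext right after connect:
GREETING_STARTTLS = (
    b'"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n'
    b'"SIEVE" "fileinto reject envelope"\r\n'
    b'"NOTIFY" "mailto"\r\n'
    b'"SASL" ""\r\n'
    b'"STARTTLS"\r\n'
    b'"VERSION" "1.0"\r\n'
    b'OK "Dovecot ready."\r\n'
)
# The greeting as seen *inside* an established TLS session: STARTTLS is
# gone and the SASL mechanisms are now advertised.
GREETING_TLS_SESSION = (
    b'"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n'
    b'"SIEVE" "fileinto reject envelope"\r\n'
    b'"SASL" "PLAIN LOGIN"\r\n'
    b'"VERSION" "1.0"\r\n'
    b'OK "TLS negotiation successful."\r\n'
)

# One capability line: a quoted name, optionally followed by a quoted value.
_CAP_LINE = re.compile(rb'^"([^"]+)"(?:\s+"([^"]*)")?\s*$')


def parse_capabilities(greeting: bytes) -> dict:
    """Parse a ManageSieve capability response into {NAME: value or None}."""
    caps = {}
    for raw in greeting.split(b"\r\n"):
        # The response is terminated by an OK/NO/BYE line, which carries no capability.
        if not raw or raw.startswith((b"OK", b"NO", b"BYE")):
            continue
        m = _CAP_LINE.match(raw)
        if m:
            name = m.group(1).decode().upper()
            caps[name] = m.group(2).decode() if m.group(2) is not None else None
    return caps


def classify_greeting(first_bytes: bytes) -> str:
    """Classify what arrived after TCP connect, before the client sent anything.

    'silent'    nothing arrived: the server is waiting for our ClientHello, i.e. the
                TLS layer is established immediately (a plaintext client hangs here)
    'starttls'  plaintext greeting that advertises STARTTLS (standard RFC 5804)
    'plaintext' plaintext greeting without STARTTLS
    """
    if not first_bytes:
        return "silent"
    return "starttls" if "STARTTLS" in parse_capabilities(first_bytes) else "plaintext"


def read_response(sock, limit: int = 65536) -> bytes:
    """Read until a line starting with OK/NO/BYE, which ends every ManageSieve response."""
    buf = b""
    while len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        complete_lines = buf.split(b"\r\n")[:-1]  # drop the trailing partial line
        if any(l.startswith((b"OK", b"NO", b"BYE")) for l in complete_lines):
            break
    return buf


def upgrade_starttls(sock, hostname: str, ctx: ssl.SSLContext):
    """RFC 5804 STARTTLS: ask in plaintext, expect OK, negotiate TLS, then read the
    capability list the server re-sends inside the TLS session (RFC 5804, 2.2)."""
    sock.sendall(b"STARTTLS\r\n")
    reply = read_response(sock)
    if not any(l.startswith(b"OK") for l in reply.split(b"\r\n")):
        raise RuntimeError(f"STARTTLS refused: {reply!r}")
    tls = ctx.wrap_socket(sock, server_hostname=hostname)
    return tls, parse_capabilities(read_response(tls))


def probe(host: str, port: int = MANAGESIEVE_PORT, timeout: float = 5.0):
    """Return (mode, capabilities) for a live ManageSieve listener (needs network)."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        first = read_response(sock)
    except socket.timeout:
        first = b""  # no plaintext greeting within the timeout
    mode = classify_greeting(first)
    if mode == "silent":
        # Immediate TLS: speak TLS first, the greeting only appears inside the session.
        tls = ctx.wrap_socket(sock, server_hostname=host)
        caps = parse_capabilities(read_response(tls))
        tls.close()
        return "implicit-tls", caps
    if mode == "starttls":
        tls, caps = upgrade_starttls(sock, host, ctx)
        tls.close()
        return "starttls", caps
    sock.close()
    return "plaintext-only", parse_capabilities(first)


if __name__ == "__main__":
    print(probe("sieve.example.com"))  # illustrative host name
```

Run it against a listener after changing the configuration: a result of "implicit-tls" means ssl=yes is set on the inet_listener itself (the same mechanism the imaps listener on 993 uses) and standard ManageSieve clients will time out waiting for a greeting; "starttls" is the RFC 5804 behaviour that the global ssl=yes and ssl=required settings quoted from the wiki govern, the difference between those two being only whether authentication is refused until STARTTLS has completed.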