> On 06/03/2026 18:52 EET Steve Litt via dovecot <[email protected]> wrote:
>
>
> Aki Tuomi via dovecot said on Fri, 6 Mar 2026 11:58:56 +0200 (EET)
>
> >> On 06/03/2026 01:04 EET Steve Litt via dovecot <[email protected]>
> >> wrote:
> >>
> >>
> >> Hi all,
> >>
> >> https://doc.dovecot.org/2.4.2/core/summaries/settings.html , the
> >> auth_allow_cleartext section, says "If no, disables the LOGIN command
> >> and all other cleartext authentication unless SSL/TLS is used
> >> (LOGINDISABLED capability) or the connection is secured (see ssl).
> >>
> >> See SSL configuration for more detailed explanation of how this
> >> setting interacts with the ssl setting.
> >>
> >> This setting replaces the disable_plaintext_auth setting."
> >>
> >> I put auth_allow_cleartext = no in my 2.4.2 dovecot.conf, but my
> >> Claws-Mail client can still access it, even though there are no key
> >> files. I tried putting this setting in several different places:
> >> Didn't prevent plain access. I tried switching from 127.0.0.1 to
> >> 10.0.2.15, same problem. The following is the output of my dovecot
> >> -n command:
> >
> >Hi, auth_allow_cleartext=no is the default setting.
> >
> >However, as
> >https://doc.dovecot.org/2.4.2/core/config/ssl.html#secured-connections
> >states, connections from login_trusted_networks or from the host
> >listener itself (in your case 10.0.2.15) are considered trusted, so
> >they are allowed to use plaintext login.
> >
> >So basically set ssl=required
>
> Thanks Aki,
>
> I've seen no documentation indicating *where* ssl=required should go,
> and so had to experiment. If I go 2.3x style and put it within imaps:
>
> listen = 10.0.2.15
> auth_allow_cleartext = no
>
> # The IMAP service declarations
> service imap {
>   #Plain text listener at port 143
>   #inet_listener imap-login {
>     #port = 0
>   #}
>   # SSL IMAP (imaps) is port 993
>   inet_listener imaps {
>     #port = 993
>     ssl = required
>   }
> }
>
> With the preceding config, the following error occurs:
>
> [root@dovecotvoid dovecot]# dovecot -F
> doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf
> line 29: ssl: Invalid boolean value: required (use yes or no)
> [root@dovecotvoid dovecot]#
>
> If I move the ssl=required right below auth_allow_cleartext = no, or
> right below service imap { , then with or without ssl=yes inside
> inet_listener imaps { , dovecot -F runs, but Dovecot's accessible
> without SSL.
>
> Let me explain my goal and what I'm doing. My goal is to reject any
> plain text, non-SSL queries from anyone anywhere, full stop. Basically,
> what ssl=required inside inet_listener imaps gave us in 2.3x. I'm
> using a Qemu VM guest to test 2.4.2 config before upgrading my real
> machine. My immediate next step is, before even dealing with SSL, to
> prevent plain text access, regardless of localhost or non-localhost,
> haproxy or non-haproxy, whatever. Once that's done, I'll begin enabling
> SSL. For security's sake, I need to *prove* that plain text access
> fails in all cases.
>
> So, how do I prevent plain text access, full stop?
>
> Thanks,
>
> SteveT
>
> Steve Litt
>
ssl = required goes on top level, not inside anything. If you put it inside inet_listener it's actually https://doc.dovecot.org/2.4.2/core/config/service.html#inet_listener_ssl, so totally different setting.

Aki
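
A check for the goal stated in the thread (showing that cleartext login is not offered on an unencrypted connection), as an added example that is not part of the original messages or Dovecot's own code. It reads the IMAP capabilities a server advertises before TLS and reports a missing LOGINDISABLED or an advertised AUTH=PLAIN/AUTH=LOGIN; the sample greetings are constructed and the function names are hypothetical.

```python
import re
import socket

# SASL mechanisms that put the password itself on the wire
CLEARTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

def parse_capabilities(line):
    """Extract capability tokens from an IMAP greeting or CAPABILITY response."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line)
         or re.match(r"\* CAPABILITY (.*)", line))
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def cleartext_findings(caps):
    """Return reasons why a pre-TLS session still advertises cleartext auth."""
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command not disabled (no LOGINDISABLED)")
    for mech in sorted(CLEARTEXT_MECHS & caps):
        findings.append(f"{mech} offered before TLS")
    return findings

def probe(host, port=143, timeout=5.0):
    """Connect without TLS, request CAPABILITY, and return the findings list."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        caps = parse_capabilities(f.readline().decode("ascii", "replace"))
        f.write(b"a1 CAPABILITY\r\n")
        f.flush()
        while True:
            line = f.readline().decode("ascii", "replace")
            if not line or line.startswith("a1 "):
                break  # connection closed or tagged completion reached
            caps |= parse_capabilities(line)
    return cleartext_findings(caps)

# Constructed sample greetings (not captured from the poster's server)
OPEN_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID "
                 "ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot ready.\r\n")
LOCKED_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID "
                   "ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.\r\n")

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host) or "no cleartext authentication advertised")
```

Because the thread notes that connections from login_trusted_networks or from the listener host itself are treated as secured, run the probe from an untrusted remote address as well as locally. It reports what the server advertises; it does not attempt a login.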
