Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-30 Thread Mark Sapiro
On 11:59 AM, John Espiro wrote:
> After reading this: http://wiki2.dovecot.org/Authentication/Mechanisms
> It seems that PLAIN is OK, if I am using STARTTLS, which I believe I
> am.  I mean, I've set it up, and it _seems_ to work.
> So the question I have, to the list, is... how can I verify that the
> passwords are being sent over STARTTLS.


Your client is ultimately logging in after STARTTLS because Dovecot is
not allowing it to login before, but it apparently is trying and
possibly sending a cleartext password or there would be no
'disconnected' log message.

Sniff the port 110 packets during a login from your client and see
what's going on.

One other thought - Is there more than one account on this server
configured in your client and if so, are they all using STARTTLS?

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
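
An added example, not part of the thread and not Dovecot code: once a port 110 capture like the one suggested above has been reassembled into the client's command lines, this Python check reports whether STLS was sent and which credentials went out in cleartext before it. The function names and the sample sessions are constructed for illustration.

```python
import base64

def plain_user(b64):
    """Return the authcid from a SASL PLAIN blob (authzid NUL authcid NUL passwd)."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\0")
    except ValueError:
        return "<malformed>"
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else "<malformed>"

def audit_pop3_stream(client_lines):
    """client_lines: client-to-server lines from one port 110 connection, in order.
    Reports whether STLS was sent and which credentials preceded it in cleartext."""
    exposed, stls, awaiting_sasl = [], False, False
    for raw in client_lines:
        line = raw.strip()
        if awaiting_sasl:                      # continuation line of a bare "AUTH PLAIN"
            awaiting_sasl = False
            if line != "*":                    # "*" cancels the SASL exchange
                exposed.append(("AUTH PLAIN", plain_user(line)))
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            stls = True
            break                              # after the server's +OK only TLS records follow
        if verb == "USER":
            exposed.append(("USER", arg))
        elif verb == "PASS":
            exposed.append(("PASS", "<%d bytes, redacted>" % len(arg)))
        elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
            initial = arg[5:].strip()
            if initial:
                exposed.append(("AUTH PLAIN", plain_user(initial)))
            else:
                awaiting_sasl = True
    return {"stls_sent": stls, "exposed": exposed}

# Constructed sample sessions (user name and password are made up).
SAMPLE_BLOB = base64.b64encode(b"\0john\0not-a-real-password").decode()
PLAIN_THEN_STLS = ["CAPA", "AUTH PLAIN " + SAMPLE_BLOB, "STLS"]  # client probes PLAIN first
STLS_FIRST = ["CAPA", "STLS"]                                    # client upgrades before auth
USER_PASS_ONLY = ["USER john", "PASS not-a-real-password", "QUIT"]

if __name__ == "__main__":
    for name, session in [("plain-then-stls", PLAIN_THEN_STLS),
                          ("stls-first", STLS_FIRST), ("user-pass", USER_PASS_ONLY)]:
        print(name, audit_pop3_stream(session))
```

An empty `exposed` list together with `stls_sent` set to true means nothing credential-bearing crossed the wire before the TLS upgrade.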



Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-30 Thread John Espiro
After reading this: http://wiki2.dovecot.org/Authentication/Mechanisms
It seems that PLAIN is OK, if I am using STARTTLS, which I believe I
am.  I mean, I've set it up, and it _seems_ to work.
So the question I have, to the list, is... how can I verify that the
passwords are being sent over STARTTLS.

Quoting:

The simplest authentication mechanism is PLAIN. The client simply
sends the password unencrypted to Dovecot. All clients support the
PLAIN mechanism, but obviously there's the problem that anyone
listening on the network can steal the password. For that reason
(and some others) other mechanisms were implemented.

Today however many people use SSL/TLS, and there's no problem with
sending unencrypted password inside SSL secured connections. So if
you're using SSL, you probably don't need to bother worrying about
anything else than the PLAIN mechanism.


On 1/28/2011 2:48 AM, Mark Sapiro wrote:
> O
>
> So you successfully get mail via your pop client in spite of the above.
>
> My guess is somehow the client first tries plain authentication without
> STARTTLS before trying STARTTLS.
>
> In my case with pop3 and T'bird I use
>
> Port 995
> Connection security: SSL/TLS
> Authentication: Normal password
>
> I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
>


Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-30 Thread John Espiro
Yep - despite the above, I still get mail.  And from my conf files,
plain auth is disabled.  Should I re-port my conf file in case I missed
something?

John

On 1/28/2011 2:48 AM, Mark Sapiro wrote:
>
> So you successfully get mail via your pop client in spite of the above.
>
> My guess is somehow the client first tries plain authentication without
> STARTTLS before trying STARTTLS.
>
> In my case with pop3 and T'bird I use
>
> Port 995
> Connection security: SSL/TLS
> Authentication: Normal password
>
> I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
>


Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-28 Thread Jerry
On Thu, 27 Jan 2011 17:48:13 -0800
Mark Sapiro  articulated:

> On 11:59 AM, John Espiro wrote:
> > 
> > On 1/27/2011 7:56 PM, Mark Sapiro wrote:
> >> Are you able to get your mail via your pop client?
> > Yes.
> >> If so, the log messages are from other attempts (probably by
> >> crackers trying to guess passwords on your system) to log in. Is
> >> there a "rip=" in the log messages giving the IP of the
> >> originator? If so, is it yours?
> > There is a "rip" and it's my IP address.  I've got fail2ban and
> > denyhosts running very tightly, and so far, no one has even
> > attempted to log in to my mail accounts (ssh is a whole other
> > story :)
> 
> 
> So you successfully get mail via your pop client in spite of the
> above.
> 
> My guess is somehow the client first tries plain authentication
> without STARTTLS before trying STARTTLS.
> 
> In my case with pop3 and T'bird I use
> 
> Port 995
> Connection security: SSL/TLS
> Authentication: Normal password
> 
> I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).

I honestly don't know why you would use port 995 as opposed to 110 if
employing STARTTLS. Switch to port 110, I don't know if a restart is
required, and try again.

-- 
Jerry ✌
dovecot.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__
Fortune favors the lucky.


Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread Mark Sapiro
On 11:59 AM, John Espiro wrote:
> 
> On 1/27/2011 7:56 PM, Mark Sapiro wrote:
>> Are you able to get your mail via your pop client?
> Yes.
>> If so, the log messages are from other attempts (probably by crackers
>> trying to guess passwords on your system) to log in. Is there a "rip="
>> in the log messages giving the IP of the originator? If so, is it yours?
> There is a "rip" and it's my IP address.  I've got fail2ban and
> denyhosts running very tightly, and so far, no one has even attempted to
> log in to my mail accounts (ssh is a whole other story :)


So you successfully get mail via your pop client in spite of the above.

My guess is somehow the client first tries plain authentication without
STARTTLS before trying STARTTLS.

In my case with pop3 and T'bird I use

Port 995
Connection security: SSL/TLS
Authentication: Normal password

I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread John Espiro


On 1/27/2011 7:56 PM, Mark Sapiro wrote:
> Are you able to get your mail via your pop client?
Yes.
> If so, the log messages are from other attempts (probably by crackers
> trying to guess passwords on your system) to log in. Is there a "rip="
> in the log messages giving the IP of the originator? If so, is it yours?
There is a "rip" and it's my IP address.  I've got fail2ban and
denyhosts running very tightly, and so far, no one has even attempted to
log in to my mail accounts (ssh is a whole other story :)


Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread Mark Sapiro
On 11:59 AM, John Espiro wrote:
> I set the auth to SSL and STARTTLS.  I also set disable_plaintext_auth
> to both yes and no, and the result is the same... it uses pop3/plain.
> I viewed the running process to see which of the 4 conf files it was
> using, so I know I have the right file.
> 
> Thoughts?


Are you able to get your mail via your pop client?

If so, the log messages are from other attempts (probably by crackers
trying to guess passwords on your system) to log in. Is there a "rip="
in the log messages giving the IP of the originator? If so, is it yours?

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
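
An added example, not part of the thread and not Dovecot code: the "rip=" check described above, extended to also report whether each rejected plaintext attempt was followed within a few seconds by a TLS login from the same address. The sample log lines are constructed, and the field layout after `method=PLAIN` (`rip=`, `lip=`, trailing `TLS`), the host name `mail` and the 10-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: (?P<msg>.*)$")
RIP = re.compile(r"\brip=(?P<rip>[0-9A-Fa-f:.]+)")
REJECT = "tried to use disabled plaintext auth"

def correlate(lines, window=timedelta(seconds=10), year=2011):
    """Per remote IP: rejected plaintext attempts, and how many of those were
    followed by a TLS login from the same IP within `window`."""
    events = []
    for line in lines:
        m, rip = LINE.match(line), RIP.search(line)
        if not (m and rip):
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"].rstrip()
        if REJECT in msg:
            events.append((ts, rip["rip"], "reject"))
        elif msg.startswith("Login:") and msg.endswith("TLS"):
            events.append((ts, rip["rip"], "tls_login"))
    report = {}
    for ts, rip, kind in events:
        if kind != "reject":
            continue
        entry = report.setdefault(rip, {"rejected": 0, "then_tls_login": 0})
        entry["rejected"] += 1
        if any(k == "tls_login" and r == rip and ts <= t <= ts + window
               for t, r, k in events):
            entry["then_tls_login"] += 1
    return report

# Constructed log lines using documentation-range addresses.
SAMPLE_LOG = [
    "Jan 27 14:02:11 mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=203.0.113.7, lip=192.0.2.10",
    "Jan 27 14:02:12 mail dovecot: pop3-login: Login: user=<john>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS",
    "Jan 27 15:40:03 mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=198.51.100.23, lip=192.0.2.10",
]

if __name__ == "__main__":
    for rip, counts in correlate(SAMPLE_LOG).items():
        print(rip, counts)
```

A rip whose rejections are each followed by a TLS login is a client that tries plaintext first and then upgrades; a rip with rejections only never completed a secured login inside the window.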



Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread John Espiro
I set the auth to SSL and STARTTLS.  I also set disable_plaintext_auth
to both yes and no, and the result is the same... it uses pop3/plain.
I viewed the running process to see which of the 4 conf files it was
using, so I know I have the right file.

Thoughts?

On 1/27/2011 6:03 PM, Paul Griffith wrote:
>
> What if you change STARTTLS to SSL ?
>
> Did you try setting disable_plaintext_auth = no ?
>
>
>>
>> On 1/27/2011 2:28 PM, Paul Griffith wrote:
>>>
>>> This looks like you are trying to connect to pop3 without SSL or TLS.
>>> If you really want to allow plaintext over a non-secure connection
>>> then you need to use the following.
>>>
>>> disable_plaintext_auth = no
>>>
>>> Paul
>
>
>
>


Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread John Espiro
OK... so one thing is that I see 4 dovecot.conf files:

/usr/share/dovecot/dovecot.conf
/etc/dovecot/dovecot.conf
/etc/init/dovecot.conf
/var/run/dovecot/dovecot.conf

It's not altogether clear which one is being used by the service...  why
would there be four of them?

John

On 1/27/2011 6:03 PM, Paul Griffith wrote:
> On 01/27/11 09:42 AM, John Espiro wrote:
>> Hi Paul -
>>
>> Well, I want to use STARTTLS... my Thunderbird settings are:
>>
>> In thunderbird, I have the following settings:
>> Port 110
>> Username:
>> Connection security: STARTTLS
>> Authentication: Normal password
>>
>> Which should be correct, right?
>>
>> John
>
> What if you change STARTTLS to SSL ?
>
> Did you try setting disable_plaintext_auth = no ?
>
>
>>
>> On 1/27/2011 2:28 PM, Paul Griffith wrote:
>>>
>>> This looks like you are trying to connect to pop3 without SSL or TLS.
>>> If you really want to allow plaintext over a non-secure connection
>>> then you need to use the following.
>>>
>>> disable_plaintext_auth = no
>>>
>>> Paul
>
>
>
>


Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread John Espiro
Still shows the same, pop3/plain.  I will disable plaintext and see what
happens...

On 1/27/2011 6:03 PM, Paul Griffith wrote:
>
> What if you change STARTTLS to SSL ?
>
> Did you try setting disable_plaintext_auth = no ?
>


Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread Paul Griffith

On 01/27/11 09:42 AM, John Espiro wrote:
> Hi Paul -
>
> Well, I want to use STARTTLS... my Thunderbird settings are:
>
> In thunderbird, I have the following settings:
> Port 110
> Username:
> Connection security: STARTTLS
> Authentication: Normal password
>
> Which should be correct, right?
>
> John

What if you change STARTTLS to SSL ?

Did you try setting disable_plaintext_auth = no ?

> On 1/27/2011 2:28 PM, Paul Griffith wrote:
>>
>> This looks like you are trying to connect to pop3 without SSL or TLS.
>> If you really want to allow plaintext over a non-secure connection
>> then you need to use the following.
>>
>> disable_plaintext_auth = no
>>
>> Paul





Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread John Espiro
Hi Paul -

Well, I want to use STARTTLS... my Thunderbird settings are:

In thunderbird, I have the following settings:
Port 110
Username: 
Connection security: STARTTLS
Authentication: Normal password

Which should be correct, right?

John


On 1/27/2011 2:28 PM, Paul Griffith wrote:
>
> This looks like you are trying to connect to pop3 without SSL or TLS.
> If you really want to allow plaintext over a non-secure connection
> then you need to use the following.
>
> disable_plaintext_auth = no
>
> Paul
>
>
>


Re: [Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread Paul Griffith

On 01/27/11 05:57 AM, John Espiro wrote:
> First, my problem.  Settings are below that...
>
> Everything works fine - I can login to webmail (users are tied to
> LDAP).  I can send and receive email via my Thunderbird Client.
>
> However in my mail.err log I see lots of messages that say:
>
> dovecot: pop3-login: Disconnected (tried to use disabled plaintext
> auth): method=PLAIN
>
> 1.) What does that mean, and how can I solve it?

This looks like you are trying to connect to pop3 without SSL or TLS. If
you really want to allow plaintext over a non-secure connection then you
need to use the following.

disable_plaintext_auth = no

Paul



[Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN

2011-01-27 Thread John Espiro
First, my problem.  Settings are below that...

Everything works fine - I can login to webmail (users are tied to
LDAP).  I can send and receive email via my Thunderbird Client.

However in my mail.err log I see lots of messages that say:

dovecot: pop3-login: Disconnected (tried to use disabled plaintext
auth): method=PLAIN

1.) What does that mean, and how can I solve it?
2.) With regards to pop3s I am not altogether sure that I am using the
right config in my dovecot.conf file (also below).  Can someone let me know?


Version:
==
dovecot --version = 1.2.12

System:
==
Ubuntu Server 10.10 (64bit)

dovecot -n
==
# 1.2.12: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.35.4-rscloud x86_64 Ubuntu 10.10
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: pop3 pop3s imap imaps
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_privileged_group: mail
mail_location: mbox:~/mail:INBOX=/var/mail/%u
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

Dovecot.conf
==
egrep -v "^[[:space:]]*#|^$" /etc/dovecot/dovecot.conf
protocols = pop3 pop3s imap imaps
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl = yes
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
login_dir = /var/run/dovecot/login
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
protocol imap {
  login_executable = /usr/lib/dovecot/imap-login
  mail_executable = /usr/lib/dovecot/imap
}

protocol pop3 {
  login_executable = /usr/lib/dovecot/pop3-login
  mail_executable = /usr/lib/dovecot/pop3
  pop3_uidl_format = %08Xu%08Xv
}
protocol managesieve {
}
auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  !include_try /etc/dovecot/auth.d/*.auth
}
dict {
}
plugin {
}
!include_try /etc/dovecot/conf.d/*.conf