Re: Question about verbose_proctitle

2018-07-13 Thread J Doe

> On Jul 12, 2018, at 9:23 PM, Gedalya wrote:
> 
> On 07/13/2018 08:45 AM, J Doe wrote:
>> I’m aware that this is because the code does not state to specify “TLS” for 
>> the dovecot/imap [u...@example.com 1.2.3.4 IDLE] line of output, but I’m 
>> curious as to why that decision was made ?
> 
> TLS is done by the imap-login process. This process does all the actual 
> talking to the client. The imap process blindly trusts whoever invoked it 
> (imap-login), it doesn't authenticate the user either. Timo didn't want any 
> crypto or authentication code, or to link against any such libraries in the 
> imap process itself.
> 
> Your imap-login process does show TLS and this can be logged in the log file 
> as well, see login_log_format_elements and the variables %c and %k

Hi Gedalya,

Ah, ok - that makes sense.

Thanks also for pointing me to the login_log_format_elements parameter - I will 
read up on this.

- J



Re: Question about verbose_proctitle

2018-07-12 Thread Gedalya

On 07/13/2018 08:45 AM, J Doe wrote:
> I’m aware that this is because the code does not state to specify “TLS” for 
> the dovecot/imap [u...@example.com 1.2.3.4 IDLE] line of output, but I’m 
> curious as to why that decision was made ?

TLS is done by the imap-login process. This process does all the actual talking 
to the client. The imap process blindly trusts whoever invoked it (imap-login), 
it doesn't authenticate the user either. Timo didn't want any crypto or 
authentication code, or to link against any such libraries in the imap process 
itself.

Your imap-login process does show TLS and this can be logged in the log file as 
well, see login_log_format_elements and the variables %c and %k
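
An added example (not part of the thread or of Dovecot's code) of the lookup suggested above: take the PID of a dovecot/imap process from ps and find the imap-login log line whose mpid matches, to read the TLS state recorded at login. The log lines are constructed, and the login_log_format_elements value, the field layout and the function names are assumptions.

```python
import re

# Assumed setting (not from the thread): %k added to a typical element list.
#   login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}>
# Constructed sample lines. The third models a server that still accepts
# plaintext logins: %c and %k expand to nothing and the elements are dropped.
SAMPLE_LOG = """\
Jul 10 18:53:01 mail dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=1.2.3.4, lip=10.0.0.5, mpid=5553, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<aaaa1111>
Jul 10 18:54:10 mail dovecot: imap-login: Login: user=<other@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=5560, secured, session=<bbbb2222>
Jul 10 18:55:42 mail dovecot: imap-login: Login: user=<legacy@example.com>, method=PLAIN, rip=5.6.7.8, lip=10.0.0.5, mpid=5571, session=<cccc3333>
"""

ELEMENT = re.compile(r"(\w+)=<?([^>]*)>?$")  # key=value or key=<value>

def parse_login(line):
    """Return the login elements of one imap-login line, or None."""
    m = re.search(r"imap-login: (?:Info: )?Login: (.*)$", line)
    if not m:
        return None
    rec = {"security": None, "cipher": None}
    for elem in m.group(1).split(", "):
        kv = ELEMENT.match(elem)
        if kv:
            rec[kv.group(1)] = kv.group(2)
        elif " with cipher " in elem:
            rec["cipher"] = elem      # %k: protocol and cipher
        else:
            rec["security"] = elem    # %c: "TLS", or "secured" for a local client
    return rec

def logins(log_text):
    return [r for r in map(parse_login, log_text.splitlines()) if r]

def tls_state_for_pid(log_text, pid):
    """Most recent login whose mpid is the given dovecot/imap PID (PIDs get reused)."""
    for rec in reversed(logins(log_text)):
        if rec.get("mpid") == str(pid):
            return rec
    return None

def unprotected_logins(log_text):
    """Logins where %c was empty: neither TLS nor a local connection."""
    return [r for r in logins(log_text) if r["security"] is None]

if __name__ == "__main__":
    print(tls_state_for_pid(SAMPLE_LOG, 5553))
    for rec in unprotected_logins(SAMPLE_LOG):
        print("no TLS:", rec["user"], rec["rip"])
```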



Re: Question about verbose_proctitle

2018-07-12 Thread J Doe


> On Jul 10, 2018, at 7:19 PM, J Doe wrote:
> 
> Hello,
> 
> I have a question relating to the detail that the verbose_proctitle parameter 
> enables for ps.
> 
> I have TLS configured for IMAP as follows:
> 
>    /etc/dovecot/dovecot.conf
>    ssl = required
>    ssl_cert = 
>    ssl_key = 
> 
>    protocols = imap lmtp
> 
>    service imap-login {
>        # Disable insecure IMAP over TCP 143
>        inet_listener imap {
>            port=0
>        }
>    }
> 
>    . . . 
> 
>    verbose_proctitle = yes
> 
> If I have a single MUA connect (Apple Mail in this case), I see:
> 
>    $ ps aux | grep -i dovecot
> 
>    dovenull  5552  0.0  0.1  18820  5444 ?  S  18:53  0:00 dovecot/imap-login [1 connections (1 TLS)]
>    vmail     5553  0.3  0.1  13612  4304 ?  S  18:53  0:00 dovecot/imap [u...@example.com 1.2.3.4 IDLE]
> 
> The first part makes sense to me - imap-login is showing the user being 
> connected via imap-login and with TLS.
> The second part, however, shows the IMAP session with the username, IP 
> address and IMAP command (IDLE), but it does not state TLS.
> 
> Does this mean that I have logins for IMAP connections protected by TLS but 
> the actual IMAP traffic (mail contents, etc.), is *NOT* configured to use 
> TLS ?  That is to say, IMAP traffic is flowing over port 993 without TLS ?
> 
> From the wiki [1] it appears to state that I only have to configure TLS 
> settings for IMAP if the IMAP protocol is being secured via a *DIFFERENT* 
> TLS certificate.
> 
> Is this correct ?
> 
> Thanks, 
> 
> - J
> 
> Sources:
> 
>[1] https://wiki2.dovecot.org/SSL/DovecotConfiguration

Hi,

I was able to partially answer my question, today.

I used tcpdump to record the traffic between a single client computer and the 
server running Dovecot and can confirm that all of the IMAP traffic to and from 
the server was over TLS 1.2 with the configuration I mentioned (see previous 
e-mail above).  This still makes me wonder, though, why Dovecot does not 
specify “TLS” when I use ps:

    /etc/dovecot/dovecot.conf
    . . .
    verbose_proctitle = yes
    . . .

    $ ps aux | grep -i dovecot

    dovenull  5552  0.0  0.1  18820  5444 ?  S  18:53  0:00 dovecot/imap-login [1 connections (1 TLS)]
    vmail     5553  0.3  0.1  13612  4304 ?  S  18:53  0:00 dovecot/imap [u...@example.com 1.2.3.4 IDLE]

I’m aware that this is because the code does not state to specify “TLS” for the 
dovecot/imap [u...@example.com 1.2.3.4 IDLE] line of output, but I’m curious as 
to why that decision was made ?

Thanks,

- J

Question about verbose_proctitle

2018-07-10 Thread J Doe

Hello,

I have a question relating to the detail that the verbose_proctitle parameter 
enables for ps.

I have TLS configured for IMAP as follows:

    /etc/dovecot/dovecot.conf
    ssl = required
    ssl_cert = 
    ssl_key = 

    protocols = imap lmtp

    service imap-login {
        # Disable insecure IMAP over TCP 143
        inet_listener imap {
            port=0
        }
    }

    . . . 

    verbose_proctitle = yes

If I have a single MUA connect (Apple Mail in this case), I see:

    $ ps aux | grep -i dovecot

    dovenull  5552  0.0  0.1  18820  5444 ?  S  18:53  0:00 dovecot/imap-login [1 connections (1 TLS)]
    vmail     5553  0.3  0.1  13612  4304 ?  S  18:53  0:00 dovecot/imap [u...@example.com 1.2.3.4 IDLE]

The first part makes sense to me - imap-login is showing the user being 
connected via imap-login and with TLS.
The second part, however, shows the IMAP session with the username, IP address 
and IMAP command (IDLE), but it does not state TLS.

Does this mean that I have logins for IMAP connections protected by TLS but the 
actual IMAP traffic (mail contents, etc.), is *NOT* configured to use TLS ?  
That is to say, IMAP traffic is flowing over port 993 without TLS ?

From the wiki [1] it appears to state that I only have to configure TLS 
settings for IMAP if the IMAP protocol is being secured via a *DIFFERENT* TLS 
certificate.

Is this correct ?

Thanks, 

- J

Sources:

[1] https://wiki2.dovecot.org/SSL/DovecotConfiguration