Re: dovecot security
On Sun, Oct 17, 2010 at 05:56:40PM +0000, Camaleón wrote:
> On Sun, 17 Oct 2010 11:21:28 -0400, Rob Owens wrote:
> > 1) It seems like cleartext communication is disabled by default, and
> > only TLS or SSL is allowed. I can't find this in the docs or conf file,
> > though. Can anybody confirm this is the case?
> Look, at their testing sample page there is a connection to IMAP 143
> standard port (no imaps/993):
> Plaintext Authentication
Thanks for those links. I had a quick look at my config files again,
and they seem to allow plaintext authentication (which I don't want).
However, Icedove gives me an error when I try to connect without TLS or
SSL. This is good, but I want to make sure that it is dovecot that is
refusing to cooperate with plaintext connections.
> > 2) There is a certificate used for secure communication w/ the server,
> > but I did not generate it myself. Was it generated automatically for
> > me? Or is it a default cert that I should replace with my own?
> Most e-mail services include their own (even auto-generated) SSL
> certificates. You can use them (your clients will receive a security
> alert about SSL certificate being invalid/not trusted which is the normal
> behaviour) or you can replace them with real ones (Verisign, Thawte,
> etc...) validated certificates coming from a CA.
> _Both_ will secure your data, but with the "auto-signed-own-generated"
> ones, you'll get a "cosmetic" error.
Thanks. I just wanted to make sure that my auto-generated SSL cert was
in fact auto-generated, and not just a default cert that *everybody*
gets when they install dovecot.
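
One way to confirm that it is the server, not the mail client, refusing plaintext logins on port 143 is to read what the server advertises before TLS: an IMAP server that refuses them sends the LOGINDISABLED capability and no plaintext AUTH= mechanisms. This is an added example, not part of the original message; the sample greetings are constructed and the function names are hypothetical.

```python
import imaplib
import re

# Constructed sample server lines (not captured from a real server).
SAMPLE_LOCKED = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready."
SAMPLE_OPEN = "* OK [CAPABILITY IMAP4rev1 SASL-IR STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."
SAMPLE_UNTAGGED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}  # mechanisms that send the password itself


def parse_capabilities(line):
    """Extract capability atoms from a greeting or an untagged CAPABILITY response."""
    line = line.strip()
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)$", line, re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def assess(caps):
    """Judge the pre-TLS capability set of a port 143 connection."""
    if not caps:
        return {"verdict": "unknown", "starttls": False, "plaintext_mechs": []}
    mechs = sorted(caps & PLAINTEXT_MECHS)
    refused = "LOGINDISABLED" in caps and not mechs
    return {"verdict": "refused" if refused else "allowed",
            "starttls": "STARTTLS" in caps,
            "plaintext_mechs": mechs}


def fetch_capabilities(host, port=143):
    """Live check: connect without TLS and return what the server advertises."""
    conn = imaplib.IMAP4(host, port)
    try:
        return {c.upper() for c in conn.capabilities}
    finally:
        conn.logout()


if __name__ == "__main__":
    for sample in (SAMPLE_LOCKED, SAMPLE_OPEN, SAMPLE_UNTAGGED):
        print(assess(parse_capabilities(sample)), "<-", sample)
```

Run the live check (`assess(fetch_capabilities("mail.example.org"))`, hostname a placeholder) from a different machine than the server: with Dovecot's `disable_plaintext_auth` setting, connections from the server's own address are treated as secure and still allow plaintext authentication.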