
Re: dovecot security



On Sun, Oct 17, 2010 at 05:56:40PM +0000, Camaleón wrote:
> On Sun, 17 Oct 2010 11:21:28 -0400, Rob Owens wrote:
> 
> > 1)  It seems like cleartext communication is disabled by default, and
> > only TLS or SSL is allowed.  I can't find this in the docs or conf file,
> > though.  Can anybody confirm this is the case?
> 
> Look, at their testing sample page there is a connection to IMAP 143 
> standard port (no imaps/993):
> 
> http://wiki2.dovecot.org/TestInstallation
> 
> Also:
> 
> Plaintext Authentication
> http://wiki2.dovecot.org/BasicConfiguration
> 
Thanks for those links.  I had a quick look at my config files again,
and they seem to allow plaintext authentication (which I don't want).
However, Icedove gives me an error when I try to connect without TLS or
SSL.  This is good, but I want to make sure that it is dovecot that is
refusing to cooperate with plaintext connections.

> > 2)  There is a certificate used for secure communication w/ the server,
> > but I did not generate it myself.  Was it generated automatically for
> > me?  Or is it a default cert that I should replace with my own?
> 
> Most e-mail services include their own (even auto-generated) SSL 
> certificates. You can use them (your clients will receive a security 
> alert about SSL certificate being invalid/not trusted which is the normal 
> behaviour) or you can replace them with real ones (Verisign, Thawte, 
> etc...) validated certificates coming from a CA.
> 
> _Both_ will secure your data, but with the "auto-signed-own-generated" 
> ones, you'll get a "cosmetic" error.
> 
Thanks.  I just wanted to make sure that my auto-generated SSL cert was
in fact auto-generated, and not just a default cert that *everybody*
gets when they install dovecot.

-Rob
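
One way to confirm that it is the server, not the mail client, that refuses cleartext logins on port 143 is to read the capability list the server advertises before TLS is negotiated. The sketch below is an added example, not part of the original thread or of Dovecot; the function names and the two sample greetings are constructed for illustration.

```python
import re
import socket

def parse_capabilities(line: str) -> set[str]:
    """Extract capability atoms from an IMAP greeting or CAPABILITY response."""
    # Handles "* OK [CAPABILITY ...] text" and "* CAPABILITY ..."
    m = re.search(r"\[CAPABILITY ([^\]]*)\]|^\* CAPABILITY (.*)$", line.strip(), re.I)
    if not m:
        return set()
    return {atom.upper() for atom in (m.group(1) or m.group(2)).split()}

def assess_plaintext(caps: set[str]) -> dict:
    """Decide what the server offers on a connection that has not negotiated TLS."""
    sasl_plain = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    return {
        "starttls_offered": "STARTTLS" in caps,
        # RFC 3501: LOGINDISABLED means the LOGIN command is refused here
        "login_disabled": "LOGINDISABLED" in caps,
        "cleartext_sasl": sasl_plain,
        "server_refuses_plaintext": "LOGINDISABLED" in caps and not sasl_plain,
    }

def probe(host: str, port: int = 143, timeout: float = 5.0) -> dict:
    """Read the pre-TLS capabilities from a live server you administer.
    Run it from another machine: Dovecot treats localhost as secure."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        caps = parse_capabilities(f.readline().decode("ascii", "replace"))
        if not caps:  # greeting carried no capability list, so ask for it
            f.write(b"a1 CAPABILITY\r\n")
            f.flush()
            caps = parse_capabilities(f.readline().decode("ascii", "replace"))
        f.write(b"a2 LOGOUT\r\n")
        f.flush()
    return assess_plaintext(caps)

# Constructed sample greetings (not captured from a real server)
HARDENED = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE "
            "STARTTLS LOGINDISABLED] Dovecot ready.\r\n")
PERMISSIVE = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR "
              "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.\r\n")

if __name__ == "__main__":
    for name, greeting in (("hardened", HARDENED), ("permissive", PERMISSIVE)):
        print(name, assess_plaintext(parse_capabilities(greeting)))
```

If `server_refuses_plaintext` comes back false for a remote probe, the refusal seen in the mail client is the client's own policy and the server would still accept a cleartext login from a less careful client.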

