Force SSL encryption with Dovecot for IMAPS/POPS



Last Modified: Nov 29, 2018, 3:40 pm

These days it's best to force clients to use SSL encryption to authenticate with Dovecot (IMAP/POP).
Dovecot has a simple option for this:

ssl=required

which you can add to a new file:

/etc/dovecot/conf.d/force_ssl.conf

and then restart dovecot:

service dovecot restart


Note: non-encrypted logins are still allowed on localhost addresses, in case you're confused why it's still allowing it.


To test, use a remote server, and test like this, using the mail server's IP, a username and a password:

telnet 1.2.3.4 143

and run the command:

01 LOGIN username password

You should see a message like this:

* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
01 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

If you're still connected, you can logout/close the telnet connection with:

02 LOGOUT
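
The same check can be made without typing a real password into telnet. This is an added example, not part of the original helpfile: it reads the capability line on port 143 and looks for the RFC 3501 capabilities LOGINDISABLED and STARTTLS. The function names, the use of nc, and Dovecot advertising LOGINDISABLED when ssl=required is set are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide from an IMAP capability line whether plaintext LOGIN
# is refused. No credentials are sent. Run it from a remote host, because
# localhost connections are still allowed to log in unencrypted.

# classify_caps LINE
# Prints: enforced | enforced-no-starttls | plaintext-allowed | unknown
# Exit status: 0 = plaintext LOGIN refused, 1 = allowed, 2 = not a capability line
classify_caps() {
    # Drop CR, upper-case (capability names are case-insensitive), turn the
    # [ ] around a greeting's capability list into spaces, and pad with
    # spaces so each capability can be matched as a whole word.
    caps=" $(printf '%s' "$1" | tr -d '\r' | tr '[:lower:]' '[:upper:]' | sed 's/[][]/ /g') "
    case "$caps" in
        *" CAPABILITY "*) ;;
        *) echo unknown; return 2 ;;
    esac
    case "$caps" in
        *" LOGINDISABLED "*)
            case "$caps" in
                *" STARTTLS "*) echo enforced ;;
                # Plaintext LOGIN is refused, but this port offers no TLS
                # upgrade: clients would have to use the IMAPS port instead.
                *) echo enforced-no-starttls ;;
            esac
            return 0 ;;
    esac
    echo plaintext-allowed
    return 1
}

# probe HOST
# Asks the server on port 143 for its capabilities and prints that line.
# Assumes nc is installed; only CAPABILITY and LOGOUT are sent.
probe() {
    printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' | nc -w 5 "$1" 143 | grep -m1 '^\* CAPABILITY'
}

# Usage: sh check_imap_ssl.sh 1.2.3.4   (file name is hypothetical)
if [ -n "${1:-}" ]; then
    classify_caps "$(probe "$1")"
fi
```

An exit status of 1 from a remote host means the server still accepts plaintext logins on port 143, so the ssl=required setting has not taken effect.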

 

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST