These days it's best to force clients to use SSL encryption to authenticate with dovecot (imap/pop).
Dovecot has a simple option for this:

    ssl=required

which you can add to a new file:

    /etc/dovecot/conf.d/force_ssl.conf

and then restart dovecot:

    service dovecot restart
Note: non-encrypted logins are still allowed from localhost addresses, so a test run on the server itself will still be accepted.
To test, use a remote server, and test like this:

    telnet 126.96.36.199 143

and run the command:

    01 LOGIN username password

You should see a message like this:
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
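The telnet test above puts a real password on the wire in cleartext. The following added example (not part of the original page) performs the same verification without sending credentials: it reads the server's capability list on port 143 and checks for LOGINDISABLED and STARTTLS. It assumes the server advertises LOGINDISABLED (RFC 3501) before TLS when it refuses plaintext LOGIN; the function names and sample greetings are constructed for illustration.

```python
import re
import socket

def parse_capabilities(response: str) -> set:
    """Collect capability atoms from an IMAP greeting or CAPABILITY reply."""
    caps = set()
    for line in response.splitlines():
        # Greeting form: "* OK [CAPABILITY IMAP4rev1 ...] Dovecot ready."
        m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
        if not m:
            # Untagged form: "* CAPABILITY IMAP4rev1 ..."
            m = re.match(r"\* CAPABILITY (.*)", line.strip(), re.I)
        if m:
            caps.update(atom.upper() for atom in m.group(1).split())
    return caps

def assess_cleartext(response: str) -> str:
    """Classify what the server advertises on an unencrypted session."""
    caps = parse_capabilities(response)
    if not caps:
        return "unknown"            # no capability data in the response
    if "LOGINDISABLED" not in caps:
        return "plaintext-allowed"  # LOGIN is permitted before TLS
    if "STARTTLS" not in caps:
        return "no-upgrade-path"    # LOGIN refused, but TLS is not offered
    return "tls-required"

def probe(host: str, port: int = 143, timeout: float = 5.0) -> str:
    """Fetch capabilities from a live server. No credentials are sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        data = f.readline().decode("ascii", "replace")  # server greeting
        f.write(b"a1 CAPABILITY\r\n")
        f.flush()
        while True:
            line = f.readline().decode("ascii", "replace")
            data += line
            if not line or line.startswith("a1 "):
                break
        f.write(b"a2 LOGOUT\r\n")
        f.flush()
    return assess_cleartext(data)

# Constructed sample greetings (not captured from a real server).
BEFORE = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."
AFTER = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."
if __name__ == "__main__":
    for sample in (BEFORE, AFTER):
        print(assess_cleartext(sample))
```

As with the telnet test, call probe() from a remote host, since localhost connections are still allowed to log in without encryption.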
© 2018 JBMC Software