# mutt with dovecot imaps questions

## methodtwo

Hi

I can connect from my mutt client box to my dovecot server after mkcert.sh has been run and the cert and key are in the correct location (according to dovecot config file) and "enable_plaintext_authentication = no" is also in the dovecot.conf. Does this mean that user authentication is being performed by SSL or just that SSL is protecting an interior protocol that performs its own authentication?

If i run:

```
#openssl s_client -quiet -connect my_dovecot_server.domain:993
```

I get this in response:

```
verify return:1

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
```

What confused me was that I read somewhere that in an imaps connection the client sent the server a public key. I can connect from the mutt client host by typing my password. But, like I said before, is proper SSL authentication happening? To get proper encrypted authentication and sessions do you have to be your own CA (and give the client host a cert) or go to an official CA etc, or does the response I received and the fact that I can connect when enable_plaintext_authentication = no indicate that I've already got these things? Or just one of them (authentication)? I will post my configs if necessary.

Thank you very much for shedding some light on the subject

----------

## cach0rr0

AFAIK, that setting is actually backwards

it should be:

```
disable_plaintext_auth = yes
```

what that does is this: if you are connecting via IMAPS (993), you can use AUTH=LOGIN,AUTH=PLAIN,CRAM-MD5,DIGEST-MD5, or anything else (I forget the other secure login types)

but if you are connecting over standard IMAP, setting disable_plaintext_auth will mean that you have to use CRAM-MD5 or some other type of secure login, and cannot use AUTH=LOGIN or AUTH=PLAIN. 

That doesn't control SSL/non-SSL, that setting controls what auth types you allow over non-SSL connections. 

if you only want to allow connections over SSL-enabled sockets, you'd want to adjust the protocols setting like so:

```
protocols = imaps
```

which would disallow non-SSL connections entirely. Note that if you go this route of only allowing IMAPS, enabling LOGIN/PLAIN auth is perfectly safe, as it will take place over an SSL-enabled socket. 

more info here: http://wiki.dovecot.org/Authentication

----------

## methodtwo

So a safe way to protect clients is to use the settings I've already got. However if I want to make it so that no client may log in unless I trust them, then I need to be my own CA or go to an "official CA" and issue certs to my clients? Or use netfilter and settle for just offering IMAPS for internal clients

Thanks for your reply btw

----------

## cach0rr0

client certs as opposed to username+pass basically eliminate the possibility of a brute-forced or otherwise compromised login granting anyone access (unless of course, the machine where the client cert exists gets owned, then all bets are off)

at the expense of a large amount of convenience, and you do have to show your users how to use a client cert, but it does remove that threat 

http://wiki1.dovecot.org/SSL/DovecotConfiguration

under "Client certificate verification/authentication"
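As an added illustration (not from this thread or the linked wiki page), here is a Dovecot 2.x configuration fragment that enforces TLS on every session and then layers on the client certificate verification described in the reply above. All file paths are placeholders; the setting names are the Dovecot 2.x spelling, where `ssl = required` takes the place of the 1.x `protocols = imaps` shown earlier.

```ini
# Dovecot 2.x: TLS mandatory, password mechanisms only inside TLS,
# plus client certificate authentication. Paths are placeholders.

# Refuse any session that is not TLS-protected
# (the 2.x equivalent of the 1.x "protocols = imaps").
ssl = required
ssl_cert = </etc/dovecot/certs/server.pem
ssl_key  = </etc/dovecot/private/server.key

# With ssl = required this is belt and braces: AUTH=PLAIN and
# AUTH=LOGIN are then only ever offered inside the TLS session,
# which is what the s_client output in the first post shows.
disable_plaintext_auth = yes

# --- Client certificate authentication ("be your own CA") ---
# CA that signed the client certificates; the server checks each
# presented client cert against it during the TLS handshake.
ssl_ca = </etc/dovecot/certs/client-ca.pem
ssl_verify_client_cert = yes

# Reject logins that did not present a valid client certificate,
# so a leaked or brute-forced password alone is not enough.
auth_ssl_require_client_cert = yes

# Optional: derive the login name from the certificate's
# CommonName instead of trusting the name the client typed.
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName
```

Checking from the client side, `openssl s_client -connect host:993 -CAfile client-ca.pem -cert client.pem -key client.key` should end with `Verify return code: 0 (ok)` and the Dovecot banner; the same command without `-cert`/`-key` should be refused at login once `auth_ssl_require_client_cert = yes` is in place.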

----------

