From a96d459c496406f1c35a7fa18538b86f54fda529 Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Sat, 2 Aug 2025 16:35:38 +0200
Subject: [PATCH] chore: Dovecot: disable_plaintext_auth => auth_allow_cleartext

Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
---
 docs/content/config/security/ssl.md | 2 +-
 target/dovecot/10-auth.conf | 4 ++--
 target/scripts/helpers/ssl.sh | 16 ++++------------
 3 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md
index 853ab446..c01657fa 100644
--- a/docs/content/config/security/ssl.md
+++ b/docs/content/config/security/ssl.md
@@ -791,7 +791,7 @@ Add this to `docker-data/dms/config/dovecot.cf`:
 
 ```cf
 ssl = yes
-disable_plaintext_auth=no
+auth_allow_cleartext = yes
 ```
 
 These options in conjunction mean:
diff --git a/target/dovecot/10-auth.conf b/target/dovecot/10-auth.conf
index 260832fb..d6fade19 100644
--- a/target/dovecot/10-auth.conf
+++ b/target/dovecot/10-auth.conf
@@ -7,7 +7,7 @@
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
 # See also ssl=required setting.
-#disable_plaintext_auth = yes
+#auth_allow_cleartext = yes
 
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
 # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
@@ -96,7 +96,7 @@
 # Space separated list of wanted authentication mechanisms:
 # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
 # gss-spnego
-# NOTE: See also disable_plaintext_auth setting.
+# NOTE: See also auth_allow_cleartext setting.
 auth_mechanisms = plain login
 
 ##
diff --git a/target/scripts/helpers/ssl.sh b/target/scripts/helpers/ssl.sh
index 6a7610ad..4c98a601 100644
--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
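Review bot: In the first 10-auth.conf hunk, the renamed commented-out line `#auth_allow_cleartext = yes` no longer says what `#disable_plaintext_auth = yes` said: the two settings are inverses of each other, as the ssl.md hunk in this same commit shows by mapping `disable_plaintext_auth=no` to `auth_allow_cleartext = yes`, so the mechanical rename flipped the documented value. The surrounding comment presents this line as the default under which cleartext auth is only allowed on connections considered secure, and under that reading the equivalent line is `#auth_allow_cleartext = no`. Since the helper script rewrites this line with `^#?(auth_allow_cleartext =)`, the commented value is documentation only, but as written it tells the reader the shipped default permits cleartext, which is the opposite of the comment's intent. Suggest changing the added line to `#auth_allow_cleartext = no`.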
@@ -345,18 +345,10 @@ function _setup_ssl() {
 -e '/smtpd_tls_auth_only/s|yes|no|' \
 "${POSTFIX_CONFIG_MASTER}"
 
- # Dovecot configuration:
- # https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
- # > The plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they’re assumed to be secure anyway.
- # > This applies to all connections where the local and the remote IP addresses are equal.
- # > Also IP ranges specified by login_trusted_networks setting are assumed to be secure.
- #
- # no => insecure auth allowed, yes (default) => plaintext auth only allowed over a secure connection (insecure connection acceptable for non-plaintext auth)
- local DISABLE_PLAINTEXT_AUTH='no'
- # no => disabled, yes => optional (secure connections not required), required (default) => mandatory (only secure connections allowed)
- local DOVECOT_SSL_ENABLED='no'
- sed -i -r "s|^#?(disable_plaintext_auth =).*|\1 ${DISABLE_PLAINTEXT_AUTH}|" /etc/dovecot/conf.d/10-auth.conf
- sed -i -r "s|^(ssl =).*|\1 ${DOVECOT_SSL_ENABLED}|" "${DOVECOT_CONFIG_SSL}"
+ # ref: https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_allow_cleartext
+ sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 no|" /etc/dovecot/conf.d/10-auth.conf
+ # ref: https://doc.dovecot.org/2.4.1/core/summaries/settings.html#ssl
+ sed -i -r "s|^(ssl =).*|\1 no|" "${DOVECOT_CONFIG_SSL}"
 ;;
 ( 'snakeoil' )
 # This is a temporary workaround for testing only, using the insecure snakeoil cert.
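Review bot: The new `sed` on 10-auth.conf writes `auth_allow_cleartext = no`, which inverts what the removed `local DISABLE_PLAINTEXT_AUTH='no'` configured: the removed comment in this hunk defines `no` for the old setting as "insecure auth allowed", and the ssl.md hunk in this same commit maps `disable_plaintext_auth=no` to `auth_allow_cleartext = yes`, so the equivalent value here is `yes`. With `ssl = no` also forced in this case arm, a `no` here presumably makes Dovecot refuse PLAIN/LOGIN from any remote client that is not on a trusted network, so logins in this mode break instead of degrading to cleartext as before; the intended line is `sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 yes|" /etc/dovecot/conf.d/10-auth.conf`. Because the explanatory block about localhost and `login_trusted_networks` was dropped, a one-line intent comment above the sed would also help, e.g. `# yes => cleartext auth accepted on non-TLS connections (TLS is disabled in this mode)`, so the value is not "corrected" back to `no` later. `_setup_ssl` begins and ends outside this hunk.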