self-hosted/docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2025-08-07 23:03:10 +02:00
Code Issues Releases Activity

chore: Dovecot: disable_plaintext_auth => auth_allow_cleartext

Browse Source 
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
This commit is contained in:
Georg Lauterbach
2025-08-02 16:35:38 +02:00
parent 88799ac30a
commit a96d459c49
3 changed files with 7 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/content/config/security/ssl.md
View File

@ -791,7 +791,7 @@ Add this to `docker-data/dms/config/dovecot.cf`:
```cf ```cf
ssl = yes ssl = yes
disable_plaintext_auth=no auth_allow_cleartext = yes
``` ```
These options in conjunction mean: These options in conjunction mean:

4
target/dovecot/10-auth.conf
View File

@ -7,7 +7,7 @@
# matches the local IP (ie. you're connecting from the same computer), the # matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed. # connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting. # See also ssl=required setting.
#disable_plaintext_auth = yes #auth_allow_cleartext = yes
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
@ -96,7 +96,7 @@
# Space separated list of wanted authentication mechanisms: # Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego # gss-spnego
# NOTE: See also disable_plaintext_auth setting. # NOTE: See also auth_allow_cleartext setting.
auth_mechanisms = plain login auth_mechanisms = plain login
## ##

16
target/scripts/helpers/ssl.sh
View File

@ -345,18 +345,10 @@ function _setup_ssl() {
-e '/smtpd_tls_auth_only/s|yes|no|' \ -e '/smtpd_tls_auth_only/s|yes|no|' \
"${POSTFIX_CONFIG_MASTER}" "${POSTFIX_CONFIG_MASTER}"
# Dovecot configuration: # ref: https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_allow_cleartext
# https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/ sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 no|" /etc/dovecot/conf.d/10-auth.conf
# > The plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they’re assumed to be secure anyway. # ref: https://doc.dovecot.org/2.4.1/core/summaries/settings.html#ssl
# > This applies to all connections where the local and the remote IP addresses are equal. sed -i -r "s|^(ssl =).*|\1 no|" "${DOVECOT_CONFIG_SSL}"
# > Also IP ranges specified by login_trusted_networks setting are assumed to be secure.
#
# no => insecure auth allowed, yes (default) => plaintext auth only allowed over a secure connection (insecure connection acceptable for non-plaintext auth)
local DISABLE_PLAINTEXT_AUTH='no'
# no => disabled, yes => optional (secure connections not required), required (default) => mandatory (only secure connections allowed)
local DOVECOT_SSL_ENABLED='no'
sed -i -r "s|^#?(disable_plaintext_auth =).*|\1 ${DISABLE_PLAINTEXT_AUTH}|" /etc/dovecot/conf.d/10-auth.conf
sed -i -r "s|^(ssl =).*|\1 ${DOVECOT_SSL_ENABLED}|" "${DOVECOT_CONFIG_SSL}"
;; ;;
( 'snakeoil' ) # This is a temporary workaround for testing only, using the insecure snakeoil cert. ( 'snakeoil' ) # This is a temporary workaround for testing only, using the insecure snakeoil cert.