On Thu, 2009-01-15 at 10:26 +0100, Durk Strooisma wrote:
> Hi all,
>
> Is there a way to enforce STARTTLS for all connections, regardless of their
> authentication mechanism? disable_plaintext_auth only takes care of the auth
> conversation, but I would like to have all communication encrypted.
>
> As far as I can see, this would only be possible when using imaps and
> disabling imap. However, I would like to have the other way around;
> disabling imaps and using imap for all communication (with enforced
> STARTTLS).
> Am I missing something?

Not possible currently. Hmm. I don't want to add a new setting for this, but
some existing one could be updated/replaced.. Perhaps ssl_disable=required?
Although that sounds weird. Maybe deprecate that setting and have
ssl=yes/no/required.

Anyway you could modify the sources pretty easily to do this. In
src/imap-login/client-authenticate.c function cmd_authenticate() add before
mech_name line something like:

    if (!client->common.secured && disable_plaintext_auth) {
            if (verbose_auth) {
                    client_syslog(&client->common, "Login failed: "
                                  "STARTTLS not enabled");
            }
            client->common.auth_attempts++;
            client_send_line(client, "* NO [ALERT] STARTTLS requires");
            client_send_tagline(client, "NO STARTTLS required");
            return 1;
    }
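
Added example, not part of the original message and not Dovecot source: a self-contained model of the gate described in the reply, refusing LOGIN and AUTHENTICATE for any mechanism until STARTTLS has completed. The ssl_mode enum, struct login_client and pre_login_command() are hypothetical names, and the session lines are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical tri-state, after the ssl=yes/no/required idea in the reply. */
enum ssl_mode { SSL_NO, SSL_YES, SSL_REQUIRED };

/* Simplified stand-in for the login process's per-connection state. */
struct login_client {
    bool secured;               /* TLS is active on this connection */
    unsigned int auth_attempts; /* a refusal counts like a failed login */
};

/* Handle one pre-login line "<tag> <command> [args]"; the tagged reply goes
 * into out. Returns true if the command was allowed to proceed. */
bool pre_login_command(struct login_client *c, enum ssl_mode mode,
                       const char *line, char *out, size_t outlen)
{
    char tag[32], cmd[32];
    if (sscanf(line, "%31s %31s", tag, cmd) != 2) {
        snprintf(out, outlen, "* BAD missing command");
        return false;
    }
    if (strcasecmp(cmd, "STARTTLS") == 0) {
        if (mode == SSL_NO || c->secured) {
            snprintf(out, outlen, "%s BAD STARTTLS not available", tag);
            return false;
        }
        c->secured = true;      /* the TLS handshake itself is not modelled */
        snprintf(out, outlen, "%s OK Begin TLS negotiation now", tag);
        return true;
    }
    /* Gate every authentication command, whatever SASL mechanism follows. */
    if ((strcasecmp(cmd, "AUTHENTICATE") == 0 || strcasecmp(cmd, "LOGIN") == 0) &&
        mode == SSL_REQUIRED && !c->secured) {
        c->auth_attempts++;
        snprintf(out, outlen, "%s NO STARTTLS required", tag);
        return false;
    }
    snprintf(out, outlen, "%s OK %s accepted", tag, cmd); /* normal handling */
    return true;
}

int main(void) {
    const char *session[] = {"a1 AUTHENTICATE CRAM-MD5", "a2 STARTTLS",
                             "a3 AUTHENTICATE CRAM-MD5"}; /* constructed */
    struct login_client c = {false, 0}; char r[128];
    for (int i = 0; i < 3; i++) { pre_login_command(&c, SSL_REQUIRED, session[i], r, sizeof r); printf("C: %s\nS: %s\n", session[i], r); }
    return 0;
}
```

A client that sends LOGIN before STARTTLS has already put its password on the wire by the time the NO arrives, which is why RFC 3501 has servers advertise LOGINDISABLED until TLS is active.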