On 21/02/2026 17:39, Steve Litt via dovecot wrote:
Hi all,
...
For the time being, I don't need to access my Dovecot IMAP from any
computer except my DDD, and therefore, I can serve Dovecot IMAP on
127.0.0.1.
So here's my question. Assuming (and I know this is a big assumption)
I'm not worried about somebody gaining physical possession of my DDD,
is there any reason not to use plain text to access this server?
Thanks,
SteveT
Steve Litt
http://444domains.com
_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Hi Steve
I am assuming that by "use plain text" you mean that you will use an
unencrypted connection over 127.0.0.1 port 143 rather than that you're
intending to authenticate in plain text.
In general I do encrypt connections over localhost where possible, but
it's just to be on the safe side. Having said that, I think I have some
things which are not encrypted, like the communication between amavis and
postfix, so I have accepted whatever risk there is in having unencrypted
connections in some cases.
If your DDD is connected to the network as I understood, then the risk
is that someone will gain unauthorized access to it and will be able to
access traffic over the loopback interface, even if the level of access
they gained wasn't sufficient to access the email files. Of course if
this potential attacker gained sufficient access, they could just read
the files without having to sniff loopback traffic.
I suppose it boils down to how sure you are that your DDD is protected
from unauthorized access and that encrypting the loopback traffic does
mitigate something but does not help in all cases of unauthorized access.
Having said that I have seen cases of unauthorized access from the
internet to what was supposed to be a PC exposed only on the internal
network. This happened due to an IPv6 address which was not properly
firewalled and was therefore visible externally. However, in the case I
saw, the PC was totally compromised and encrypting loopback traffic
would not have mitigated anything.
John
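As an added illustration of the choice discussed in this thread (not configuration posted by either Steve or John), below is the plaintext-on-loopback setup beside a loopback-only setup that accepts nothing but TLS. It assumes Dovecot 2.3 configuration syntax; the certificate and key paths under /etc/dovecot/private/ are placeholders. One caveat worth knowing: Dovecot treats connections arriving from localhost as already secured for the purposes of disable_plaintext_auth, so the dependable way to rule out cleartext on 127.0.0.1 is to have no plaintext listener at all (port = 0) rather than to rely on the auth-policy settings.

```conf
# --- Weak: cleartext IMAP on the loopback interface ---------------------
# Only reachable from the same host, but anything on that host able to
# capture loopback traffic (root, a process with CAP_NET_RAW, a compromised
# service) sees the login and every message in the clear.
ssl = no
service imap-login {
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  inet_listener imaps {
    port = 0            # implicit-TLS listener disabled
  }
}

# --- Hardened: loopback-only, TLS-only ----------------------------------
# No port-143 listener exists, so there is no cleartext path to sniff even
# from localhost; the client must speak TLS on 127.0.0.1:993.
ssl = required
ssl_cert = </etc/dovecot/private/imap.pem   # placeholder path (assumption)
ssl_key = </etc/dovecot/private/imap.key    # placeholder path (assumption)
ssl_min_protocol = TLSv1.2
disable_plaintext_auth = yes
service imap-login {
  inet_listener imap {
    port = 0            # remove the cleartext listener entirely
  }
  inet_listener imaps {
    address = 127.0.0.1 # bind to loopback only, never 0.0.0.0 or ::
    port = 993
    ssl = yes
  }
}
```

After a reload, `ss -ltnp | grep dovecot` should show only 127.0.0.1:993 for IMAP, and a local client needs to trust the (typically self-signed) certificate. This addresses exactly the case John singles out: an intruder who can watch loopback traffic but cannot read the mailbox files. It does nothing for an intruder who already has the privileges to read those files, and it does nothing about the listener being reachable if it were ever bound to an un-firewalled IPv6 address, which is a binding and firewall question rather than an encryption one.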