> On 06/03/2026 01:04 EET Steve Litt via dovecot <[email protected]> wrote: > > > Hi all, > > https://doc.dovecot.org/2.4.2/core/summaries/settings.html , the > auth_allow_cleartext section, says "If no, disables the LOGIN command > and all other cleartext authentication unless SSL/TLS is used > (LOGINDISABLED capability) or the connection is secured (see ssl). > > See SSL configuration for more detailed explanation of how this setting > interacts with the ssl setting. > > This setting replaces the disable_plaintext_auth setting." > > I put auth_allow_cleartext = no in my 2.4.2 dovecot.conf, but my > Claws-Mail client can still access it, even though there are no key > files. I tried putting this setting in several different places: Didn't > prevent plain access. I tried switching from 127.0.0.1 to 10.0.2.15, > same problem. The following is the output of my dovecot -n command: >
Hi, auth_allow_cleartext=no is the default setting. However, as https://doc.dovecot.org/2.4.2/core/config/ssl.html#secured-connections states, connections from login_trusted_networks or from the host listener itself (in your case 10.0.2.15) are considered trusted, so they are allowed to use plaintext login. So basically set ssl=required Aki _______________________________________________ dovecot mailing list -- [email protected] To unsubscribe send an email to [email protected]
