Dovecot returns different capabilities

Hi,

I have some test users that can no longer get their email.

When I telnet to the IMAP port, I get this correct response:

[code]Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] XYZZY Dovecot ready.
[/code]

When a test user tries (from outside the company network) they get:

[code]Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] XYZZY Dovecot ready.
[/code]

Yet it used to work fine.

So, I try it from my home computer (off the local network):

[code]Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] XYZZY Dovecot ready.
[/code]

Perfect.

Now I try it on the UCS Server itself:

[code]Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] XYZZY Dovecot ready.
[/code]

So, STARTTLS LOGINDISABLED is the correct response. Why is Dovecot returning two different strings, and apparently it just started?

I have the Open-Xchange package installed.

Thanks,
Gerald

Hi,

I don’t know if there have been changes but as far as I can see we have the following in /etc/dovecot/conf.d/10-auth.conf:

[code]##
## Authentication processes

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = yes
[/code]

This is set by UCRV:

[code]# ucr search mail/dovecot/auth/allowplaintext
mail/dovecot/auth/allowplaintext: <empty>
 If this variable is set to "true", Dovecot allows authenticating with plain text passwords over unencrypted connections. Default is "no".
[/code]

A connection from anywhere to port 143 should show LOGINDISABLED when not using STARTTLS.
See "Check that it’s allowing remote logins" for test methods.

hth,
Dirk
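Added example, not part of the thread or of Dovecot/UCS: a small Python check that parses the pre-STARTTLS IMAP greeting and reports whether plaintext authentication is offered on the unencrypted connection. The two sample greetings are the ones posted above; the function names and verdict strings are assumptions made for this example.

```python
import re
import socket
import sys

# The two greetings posted in the thread above.
GREETING_LOGINDISABLED = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                          "ID ENABLE IDLE STARTTLS LOGINDISABLED] XYZZY Dovecot ready.")
GREETING_AUTH_PLAIN = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                       "ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] XYZZY Dovecot ready.")

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that send the password itself


def parse_capabilities(greeting):
    """Return the capability atoms from the [CAPABILITY ...] response code."""
    match = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting, re.IGNORECASE)
    return {atom.upper() for atom in match.group(1).split()} if match else set()


def assess_cleartext(greeting):
    """Classify what the server offers before TLS has been negotiated."""
    caps = parse_capabilities(greeting)
    if not caps:
        # No capability list in the greeting; a CAPABILITY command would be needed.
        return {"verdict": "unknown", "starttls": False, "plaintext_mechs": []}
    mechs = sorted(c[5:] for c in caps if c.startswith("AUTH=") and c[5:] in PLAINTEXT_MECHS)
    # Without LOGINDISABLED the LOGIN command is permitted on this connection.
    allowed = bool(mechs) or "LOGINDISABLED" not in caps
    return {
        "verdict": "plaintext-allowed" if allowed else "plaintext-refused",
        "starttls": "STARTTLS" in caps,
        "plaintext_mechs": mechs,
    }


def fetch_greeting(host, port=143, timeout=5.0):
    """Read the first line the server sends on the unencrypted IMAP port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.makefile("rb").readline().decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Usage: python check_imap_greeting.py mail.example.org  (hostname is a placeholder)
    line = fetch_greeting(sys.argv[1]) if len(sys.argv) > 1 else GREETING_AUTH_PLAIN
    print(line)
    print(assess_cleartext(line))
```

Run it from a client outside the mail server: as the configuration comment quoted above says, a connection whose remote IP matches the local IP is treated as secure, so a test on the server itself reports `plaintext-allowed` even with `disable_plaintext_auth = yes`.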
