@@ -52,6 +52,21 @@ ManageSieve protocol support in Dovecot is to add `sieve` to the
5252
5353The managesieve daemon will listen on port 4190 by default.
5454
55+ ### TLS Configuration
56+
57+ The ManageSieve network protocol can be used either:
58+
59+ 1 . unencrypted
60+ 2 . encrypted with opportunistic TLS (STARTTLS)
61+ 3 . encrypted with implicit TLS
62+
63+ Implicit TLS is the best practice because STARTTLS can be susceptible
64+ to downgrade attacks. To enable this, set ` ssl = yes ` in the
65+ "inet_listener" section.
66+
67+ There is no official port for the implicit TLS case, so 4191 is used
68+ somewhat arbitrarily.
69+
5570### Settings
5671
5772As the implementation of the managesieve daemon is largely based on the
@@ -97,7 +112,8 @@ are shown.
97112...
98113service managesieve-login {
99114 #inet_listener sieve {
100- # port = 4190
115+ # port = 4191
116+ # ssl = yes
101117 #}
102118
103119 #inet_listener sieve_deprecated {
@@ -210,9 +226,9 @@ the direct error messages from the server without intermission of your
210226client.
211227
212228If you do not use TLS, you can connect using a simple ` telnet `
213- or ` netcat ` connection to the configured port (typically 4190 or 2000
214- for older setups). Otherwise you must use a TLS-capable text protocol
215- client like ` gnutls-cli ` as described below.
229+ or ` netcat ` connection to the configured port (typically 4190).
230+ Otherwise you must use a TLS-capable text protocol client like ` openssl `
231+ or ` gnutls-cli ` as described below.
216232
217233Upon connection, the server presents the initial greeting with its
218234capabilities:
@@ -226,12 +242,13 @@ OK "Dovecot ready."
226242```
227243
228244Note that the reported ` STARTTLS ` capability means that the server
229- accepts TLS, but, since you are using telnet/netcat, you cannot use this
230- (refer to Manual TLS Login below). The ` SASL ` capability lists the
245+ accepts opportunistic TLS, but, since you are using telnet/netcat, you cannot use this
246+ (refer to Manual Opportunistic TLS Login below). The ` SASL ` capability lists the
231247available SASL authentication mechanisms. If this list is empty and
232248` STARTTLS ` is available, it probably means that the server forces you
233- to initiate TLS first (as dictated by [[ setting,auth_allow_cleartext,yes]]
234- in ` dovecot.conf ` ).
249+ to initiate STARTTLS first (as dictated by [[ setting,auth_allow_cleartext,yes]]
250+ in ` dovecot.conf ` ). Note: if you're connecting from the same computer, the
251+ connection is considered secure and plaintext authentication is allowed!
235252
236253Now you need to log in. Although potentially multiple SASL mechanisms
237254are available, only ` PLAIN ` is described here. Authentication is
@@ -246,7 +263,7 @@ The credentials are the base64-encoded version of the string
246263` "\0<username>\0<password" ` (in which ` \0 ` represents the ASCII NUL
247264character). Generating this is cumbersome and a bit daunting for the
248265novice user, so for convenience a
249- [ simple Perl script] ( http ://pigeonhole.dovecot.org/utilities/sieve-auth-command.pl)
266+ [ simple Perl script] ( https ://pigeonhole.dovecot.org/utilities/sieve-auth-command.pl)
250267is provided to generate the ` AUTHENTICATE ` command for you. It is used
251268as follows:
252269
@@ -315,11 +332,21 @@ The symbolic link configured with the `sieve` setting should now point
315332to the activated script in the sieve directory. If no script is
316333active, this symbolic link is absent.
317334
318- #### Manual TLS Login
335+ #### Manual Implicit TLS Login
336+ ----------------
337+
338+ If you have enabled implicit TLS, you can use, for example, ` openssl `
339+ to connect:
340+
341+ ```
342+ openssl s_client -quiet -connect <host>:4191
343+ ```
344+
345+ #### Manual Opportunistic TLS Login
319346----------------
320347
321- When TLS needs to be used during manual testing, ` gnutls-cli ` provides
322- the means to do so. This command-line utility is part of the GNUTLS
348+ When opportunistic TLS needs to be used during manual testing, ` gnutls-cli `
349+ provides the means to do so. This command-line utility is part of the GNUTLS
323350distribution and on most systems this should be easy to install. It is
324351used to connect to ManageSieve as follows:
325352
0 commit comments