Skip to content

Commit 04e37f3

Browse files
committed
Improved managesieve docs with regards to TLS
1 parent 2b97ab9 commit 04e37f3

1 file changed

Lines changed: 39 additions & 12 deletions

File tree

docs/core/config/sieve/managesieve.md

Lines changed: 39 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,21 @@ ManageSieve protocol support in Dovecot is to add `sieve` to the
5252

5353
The managesieve daemon will listen on port 4190 by default.
5454

55+
### TLS Configuration
56+
57+
The ManageSieve network protocol can be used either:
58+
59+
1. unencrypted
60+
2. encrypted with opportunistic TLS (STARTTLS)
61+
3. encrypted with implicit TLS
62+
63+
Implicit TLS is the best practice because STARTTLS can be susceptible
64+
to downgrade attacks. To enable this, set `ssl = yes` in the
65+
"inet_listener" section.
66+
67+
There is no official port for the implicit TLS case, so 4191 is used
68+
somewhat arbitrarily.
69+
5570
### Settings
5671

5772
As the implementation of the managesieve daemon is largely based on the
@@ -97,7 +112,8 @@ are shown.
97112
...
98113
service managesieve-login {
99114
#inet_listener sieve {
100-
# port = 4190
115+
# port = 4191
116+
# ssl = yes
101117
#}
102118
103119
#inet_listener sieve_deprecated {
@@ -210,9 +226,9 @@ the direct error messages from the server without intermission of your
210226
client.
211227

212228
If you do not use TLS, you can connect using a simple `telnet`
213-
or `netcat` connection to the configured port (typically 4190 or 2000
214-
for older setups). Otherwise you must use a TLS-capable text protocol
215-
client like `gnutls-cli` as described below.
229+
or `netcat` connection to the configured port (typically 4190).
230+
Otherwise you must use a TLS-capable text protocol client like `openssl`
231+
or `gnutls-cli` as described below.
216232

217233
Upon connection, the server presents the initial greeting with its
218234
capabilities:
@@ -226,12 +242,13 @@ OK "Dovecot ready."
226242
```
227243

228244
Note that the reported `STARTTLS` capability means that the server
229-
accepts TLS, but, since you are using telnet/netcat, you cannot use this
230-
(refer to Manual TLS Login below). The `SASL` capability lists the
245+
accepts opportunistic TLS, but, since you are using telnet/netcat, you cannot use this
246+
(refer to Manual Opportunistic TLS Login below). The `SASL` capability lists the
231247
available SASL authentication mechanisms. If this list is empty and
232248
`STARTTLS` is available, it probably means that the server forces you
233-
to initiate TLS first (as dictated by [[setting,auth_allow_cleartext,yes]]
234-
in `dovecot.conf`).
249+
to initiate STARTTLS first (as dictated by [[setting,auth_allow_cleartext,yes]]
250+
in `dovecot.conf`). Note: if you're connecting from the same computer, the
251+
connection is considered secure and plaintext authentication is allowed!
235252

236253
Now you need to log in. Although potentially multiple SASL mechanisms
237254
are available, only `PLAIN` is described here. Authentication is
@@ -246,7 +263,7 @@ The credentials are the base64-encoded version of the string
246263
`"\0<username>\0<password"` (in which `\0` represents the ASCII NUL
247264
character). Generating this is cumbersome and a bit daunting for the
248265
novice user, so for convenience a
249-
[simple Perl script](http://pigeonhole.dovecot.org/utilities/sieve-auth-command.pl)
266+
[simple Perl script](https://pigeonhole.dovecot.org/utilities/sieve-auth-command.pl)
250267
is provided to generate the `AUTHENTICATE` command for you. It is used
251268
as follows:
252269

@@ -315,11 +332,21 @@ The symbolic link configured with the `sieve` setting should now point
315332
to the activated script in the sieve directory. If no script is
316333
active, this symbolic link is absent.
317334

318-
#### Manual TLS Login
335+
#### Manual Implicit TLS Login
336+
----------------
337+
338+
If you have enabled implicit TLS, you can use, for example, `openssl`
339+
to connect:
340+
341+
```
342+
openssl s_client -quiet -connect <host>:4191
343+
```
344+
345+
#### Manual Opportunistic TLS Login
319346
----------------
320347

321-
When TLS needs to be used during manual testing, `gnutls-cli` provides
322-
the means to do so. This command-line utility is part of the GNUTLS
348+
When opportunistic TLS needs to be used during manual testing, `gnutls-cli`
349+
provides the means to do so. This command-line utility is part of the GNUTLS
323350
distribution and on most systems this should be easy to install. It is
324351
used to connect to ManageSieve as follows:
325352

0 commit comments

Comments
 (0)