# mutt and dovecot config questions



## maudib (Jun 10, 2011)

Hi
I have this in my /usr/local/etc/dovecot.conf:

```
base_dir = /var/run/dovecot/
protocols = imap imaps pop3 pop3s
listen = *
disable_plaintext_auth = no
shutdown_clients = yes
ssl = yes
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_extra_groups = mail
mail_uid = normal_user
mail_gid = normal_user
verbose_proctitle = yes
## This is the same uid and gid as postfix
first_valid_uid = 125
first_valid_gid = 125
```
I used mkcert.sh, provided by the dovecot port install, to make the ssl_key and ssl_cert, and then I put them in the place mentioned in dovecot.conf. Then I configured the muttrc on my client box to include the following:

```
set folder="imaps://dovecot_host.localdomain:993"
set imap_pass="plain_text_password"
set mbox_type="Mbox"
set postponed="~/Mail/drafts"
set record="~/Mail/sent"
source ~/.mutt/mailboxes
set spoolfile="+INBOX"
set record="$HOME/Mail/sent"
set mbox="$HOME/Mail/mbox"
set postponed="$HOME/Mail/postponed"
set smtp_url="smtp://.localdomain"
set from="me@my-MacBook.local"
```
I don't have a proper domain name yet, but I understand that I will need to run mkcert.sh again after I've got one. My question is: is this configuration correct for imaps with mutt and dovecot (encryption for authentication and session)?

Thanks very much for any comments or advice.


----------



## maudib (Jun 10, 2011)

I didn't explain the question clearly in the first post of this thread. This is an attempt to explain my questions better:
I can connect from my mutt client box to my dovecot server after mkcert.sh has been run and the *cert* and *key* are in the correct location (according to the dovecot.conf file) and

```
enable_plaintext_authentication = no
```

is also in the dovecot.conf. Does this mean that user authentication is being performed by SSL, or just that SSL is protecting an interior protocol that performs its own authentication?

If I run:

```
# openssl s_client -quiet -connect my_dovecot_server.domain:993
```

I get this in response:

```
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
```

What confused me was that I read somewhere that in an imaps connection the client sent the server a public key. I can connect from the mutt client host by typing my password or putting it in the muttrc. But, like I said before, is proper *SSL* authentication happening? To get proper encrypted authentication and sessions, do you have to be your own CA (and give the client host a cert) or go to an official CA etc., or does the response I received, and the fact that I can connect when

```
enable_plaintext_authentication = no
```

is set, indicate that I've already got these things? Or just one of them (authentication)?

I will post my configs if necessary.

Thank you very much for shedding some light on the subject.


----------



## AndyUKG (Jun 11, 2011)

maudib said:

> What confused me was that I read somewhere that in an imaps connection that the client sent the server a public key.


Hi, where did you read that? Normally for IMAP you will authenticate with a password so I think you are worrying yourself over nothing. What is your main concern? That your connection is secure? If you are connecting to the IMAPS port then all passwords and data will be encrypted, which is the usual goal of implementing IMAPS.

thanks Andy.


----------



## kpa (Jun 11, 2011)

maudib said:

> What confused me was that I read somewhere that in an imaps connection that the client sent the server a public key.


This is true, the client sends its public key to the server for verification in case the server requires that the public key is signed by a trusted third party. However in almost all cases the server side verification is turned off and pretty much anything is accepted as the public key.


----------



## AndyUKG (Jun 13, 2011)

Kpa, are you referring to the fact the client will want to verify the certificate of the server? The client isn't actually required to send a key, just to verify that the server is who it says it is (via a CA certificate for example). Or are you talking about some kind of private key authentication? I wasn't aware of that if it exists...

cheers Andy.


----------



## kpa (Jun 13, 2011)

What I described above is the reverse of the normal verification where the client verifies the public key (certificate) presented by the server. It can be used for public key authentication of the clients that connect to the SSL/TLS protected service but it's not widely used.

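An added example, not from this thread or from the Dovecot or mutt projects, that addresses both of maudib's questions (what the `openssl s_client` greeting does and does not prove, and whether "SSL authentication" is happening) and kpa's point about client certificates. `openssl s_client` completes the handshake and prints the greeting even when certificate verification fails, so seeing `Dovecot ready.` only proves that the session is encrypted; the server's identity is verified only if the client checks the certificate against a CA it trusts, and the user's identity is still verified by the password inside the tunnel (that is what `AUTH=PLAIN AUTH=LOGIN` in the greeting means). The script below parses the greeting to show which password mechanisms are offered, and `fetch_greeting` connects the way a careful client should, with chain and hostname verification on by default and an optional client certificate for the mutual-TLS case kpa describes. The sample greeting is constructed from the line quoted in the thread; `HARDENED_PLAINTEXT_GREETING` is a constructed example of what a server that refuses passwords on the unencrypted port would send; the host name and file paths in `__main__` are placeholders.

```python
"""Inspect an IMAP greeting and connect to an IMAPS port with real verification.

Added example for the mutt/dovecot thread; not code from either project.
"""
import re
import socket
import ssl

# Constructed from the greeting quoted in the thread (Dovecot over port 993).
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                   "ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")

# Constructed: what a server that refuses plaintext passwords sends on port 143.
HARDENED_PLAINTEXT_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR "
                               "LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] "
                               "Dovecot ready.")

PASSWORD_MECHANISMS = ("PLAIN", "LOGIN")


def parse_capabilities(greeting):
    """Pull the CAPABILITY list out of an IMAP greeting line.

    Returns a dict with the raw capability tokens, the SASL mechanisms offered
    (the part after AUTH=), and whether LOGINDISABLED / STARTTLS are present.
    """
    match = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    caps = match.group(1).split() if match else []
    return {
        "capabilities": caps,
        "auth_mechanisms": [c[len("AUTH="):] for c in caps if c.startswith("AUTH=")],
        "login_disabled": "LOGINDISABLED" in caps,
        "starttls": "STARTTLS" in caps,
    }


def password_exposed(greeting, over_tls):
    """True if a password-based login could be attempted over a cleartext channel.

    over_tls: whether the greeting was read over an already-encrypted socket
    (port 993) rather than the plain IMAP port before STARTTLS.
    """
    info = parse_capabilities(greeting)
    if over_tls:
        return False  # the password travels inside the TLS session
    if info["login_disabled"]:
        return False  # server refuses LOGIN until STARTTLS has been issued
    return any(m.upper() in PASSWORD_MECHANISMS for m in info["auth_mechanisms"])


def fetch_greeting(host, port=993, cafile=None, client_cert=None, timeout=10):
    """Connect to an IMAPS port with certificate verification and read the greeting.

    cafile: CA bundle that signed the server certificate (None = system store).
    client_cert: optional (certfile, keyfile) tuple, only needed when the server
    has client-certificate verification turned on (mutual TLS).
    Returns (greeting, peer_certificate_dict).
    """
    # create_default_context verifies the chain and the hostname; a self-signed
    # server cert that is not in cafile makes wrap_socket raise SSLError.
    ctx = ssl.create_default_context(cafile=cafile)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert[0], keyfile=client_cert[1])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            greeting = tls.recv(4096).decode("utf-8", "replace").strip()
            return greeting, tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed greetings.
    for label, text, tls in (("imaps", SAMPLE_GREETING, True),
                             ("imap", HARDENED_PLAINTEXT_GREETING, False)):
        info = parse_capabilities(text)
        print(label, "mechanisms:", info["auth_mechanisms"],
              "password exposed:", password_exposed(text, tls))
    # Placeholder host/paths: replace with a real server and the CA that signed its cert.
    # greeting, cert = fetch_greeting("dovecot_host.example", cafile="/path/to/ca.pem")
```

`fetch_greeting` is the part that gives the thread's "proper SSL authentication": the server is authenticated because `create_default_context` rejects a certificate that does not chain to `cafile` or whose name does not match `host`; the user is authenticated by the password mutt sends afterwards. Client-certificate authentication only comes into play if the server asks for it, which in Dovecot is controlled by `ssl_verify_client_cert` (off by default, and not set in the config quoted above). On the Dovecot side, `password_exposed` returning True for the plain port corresponds to `disable_plaintext_auth = no` with `imap` still in `protocols`; switching it to `yes` makes the server send a LOGINDISABLED greeting like the hardened sample.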

----------



## AndyUKG (Jun 13, 2011)

Ah ok, in this case this option is not configured in maudib's dovecot config, so he won't have to worry about that, assuming it isn't a security requirement for him.

cheers Andy.


----------

