Gateway: disable_plaintext_auth not working?

Hi *!

I wonder if the disable_plaintext_auth setting in Kopano Gateway works.

I have set this to “yes” and restarted the gateway, but I can still log in with my username and password without having started a TLS session. Do I misunderstand this setting? What should it do, if not preventing giving credentials over an unencrypted connection?

Proof:
for POP3:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
USER myusername
+OK Waiting for password
PASS hiddenpassword
+OK Username and password accepted
STAT
+OK 1288 464710878
LIST 1
+OK 1 2909199
QUIT
+OK Bye

for IMAP
root@border:~# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN] IMAP gateway ready
? LOGIN
? BAD LOGIN must have 2 arguments
LOGIN
* BAD Command not recognized
? LOGIN myusername hiddenpassword
? NO LOGIN wrong username or password
? LOGIN myusername hiddenpassword
? OK [CAPABILITY IMAP4rev1 LITERAL+ CHILDREN XAOL-OPTION NAMESPACE QUOTA IDLE] LOGIN completed

To answer my own question: when looking into the code, this setting works only for connections coming from the outside world:

From GIT: kopanocore/gateway/IMAP.cpp:
if (!lpChannel->UsingSsl()
    && lpChannel->sslctx()
    && plain && strcmp(plain, "yes") == 0
    && lpChannel->peer_is_local() <= 0) { … }

When I set disable_plaintext_auth to yes and connect from the outside world to the gateway, everything works well:

proxy# telnet kopano.gateway.server.net pop3
Trying 1.2.3.4...
Connected to kopano.gateway.server.net.
Escape character is '^]'.
+OK POP3 gateway ready
USER myusername
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections
QUIT

It’s more a documentation problem than a technical …
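
An added example, not part of the original post and not Kopano code: a small check that repeats the POP3 telnet test above without ever sending a password, and reports whether it ran over loopback, since the quoted condition exempts local peers. The function names, the `probe-user` placeholder and the use of loopback as a stand-in for what `peer_is_local()` treats as local are assumptions.

```python
import ipaddress
import socket
import sys


def _read_line(sock):
    """Read one CRLF-terminated reply line from the server."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").strip()


def probe_pop3_plaintext(host, port=110, user="probe-user", timeout=5.0):
    """Return (verdict, peer_is_loopback) for a cleartext POP3 USER command.

    verdict is 'refused', 'accepted' or 'unknown'. Only USER is sent, never
    PASS, so no real credential crosses the unencrypted connection.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        peer = ipaddress.ip_address(sock.getpeername()[0])
        if not _read_line(sock).startswith("+OK"):
            return "unknown", peer.is_loopback
        sock.sendall(f"USER {user}\r\n".encode("ascii"))
        reply = _read_line(sock)
        sock.sendall(b"QUIT\r\n")
    if reply.startswith("-ERR") and "plaintext" in reply.lower():
        verdict = "refused"
    elif reply.startswith("+OK"):
        verdict = "accepted"
    else:
        verdict = "unknown"
    return verdict, peer.is_loopback


if __name__ == "__main__" and len(sys.argv) > 1:
    verdict, loopback = probe_pop3_plaintext(sys.argv[1])
    print(f"plaintext USER: {verdict}")
    if loopback:
        # Assumption: loopback stands in for what peer_is_local() exempts.
        print("note: probed over loopback; the gateway exempts local peers")
```

Run it from a host outside the gateway machine to see the behaviour remote clients get; an "accepted" verdict over loopback says nothing about remote connections.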