I've set up my mail server using Postfix (MySQL) and Dovecot, and applied an SSL certificate to mail.example.com with Let's Encrypt.
I tried to fetch my mail with Gmail by importing the account [email protected]. I couldn't do it with the SSL box checked, so I unchecked it, and still got an error because of plaintext authentication:
[AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
So I modified:
/etc/dovecot/conf.d/10-auth.conf
with disable_plaintext_auth = no
and
/etc/dovecot/conf.d/10-ssl.conf
with ssl = required
I successfully get the mail in Gmail, but my question is: is it secure? I'm not sure I understand this:
ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the client, but the client isn't required to use it. The client is allowed to login with plaintext authentication even when SSL/TLS isn't enabled on the connection. This is insecure, because the plaintext password is exposed to the internet.
Is the password transmitted encrypted (because of the SSL configuration) or not (because of the plaintext configuration)?
(From: https://wiki.dovecot.org/SSL/DovecotConfiguration)
If not, how can I secure it, or make it work properly for me and Gmail?
Thanks a lot
Your password is not transmitted unencrypted. It is, as you suspect, protected by the TLS encryption. The ssl = required setting enforces the use of TLS. The disable_plaintext_auth=no setting allows the authentication to send the password as-is, inside the encrypted connection. This is the de facto standard for most mail servers.
I would recommend using IMAP instead of POP3, if that is feasible for you.
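As an added example (not part of the question or the answer above, and not Dovecot's own code): a small Python checker that parses Dovecot-style "key = value" config fragments and reports, for the ssl / disable_plaintext_auth pair, whether a login password could cross the wire unencrypted. The verdicts follow the semantics the quoted wiki text and the answer describe (ssl=required forces TLS before any authentication; ssl=yes with disable_plaintext_auth=no lets a client authenticate in the clear). The two config fragments, including the certificate paths, are constructed for this example and are not the poster's real files.

```python
"""Assess a Dovecot ssl / disable_plaintext_auth combination.

Added example, not from the original post. The settings semantics are
those documented on the Dovecot wiki page quoted in the question; the
config text below is constructed for illustration only.
"""
import re

# Constructed sample of /etc/dovecot/conf.d/10-ssl.conf (paths are made up).
SAMPLE_10_SSL = """
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
"""

# Constructed sample of /etc/dovecot/conf.d/10-auth.conf.
SAMPLE_10_AUTH = """
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability).
disable_plaintext_auth = no
auth_mechanisms = plain login
"""

_SETTING_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_settings(text: str) -> dict:
    """Parse top-level `key = value` lines of a Dovecot config fragment.

    Comments (#) and blank lines are ignored. Nested blocks such as
    `protocol imap { ... }` are skipped, since the two settings of interest
    live at top level in the files named in the question.
    """
    settings = {}
    depth = 0
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        if stripped.endswith("{"):
            depth += 1
            continue
        if stripped == "}":
            depth -= 1
            continue
        if depth:
            continue
        m = _SETTING_RE.match(stripped)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def assess(settings: dict) -> tuple:
    """Return (verdict, explanation) for the ssl / disable_plaintext_auth pair.

    Defaults (ssl=yes, disable_plaintext_auth=yes) are Dovecot's documented
    defaults, used when a key is absent from the parsed fragments.
    """
    ssl = settings.get("ssl", "yes").lower()
    plaintext_disabled = settings.get("disable_plaintext_auth", "yes").lower() == "yes"
    if ssl == "required":
        return ("ok", "TLS must be negotiated before any authentication, so the "
                      "password only ever travels inside the encrypted session; "
                      "disable_plaintext_auth is moot.")
    if ssl == "yes" and plaintext_disabled:
        return ("ok", "plaintext mechanisms are refused until STARTTLS/SSL is "
                      "active (LOGINDISABLED), so a cleartext login is rejected "
                      "rather than leaked.")
    if ssl == "yes":
        return ("insecure", "ssl=yes with disable_plaintext_auth=no: a client may "
                            "send its password over an unencrypted connection.")
    return ("insecure", "ssl=no: no TLS is offered at all; every password crosses "
                        "the wire in the clear.")


def check_files(ssl_conf: str, auth_conf: str) -> tuple:
    """Merge the two fragments (later keys win, as with Dovecot includes) and assess."""
    merged = {}
    merged.update(parse_settings(ssl_conf))
    merged.update(parse_settings(auth_conf))
    return assess(merged)


if __name__ == "__main__":
    verdict, why = check_files(SAMPLE_10_SSL, SAMPLE_10_AUTH)
    print(f"{verdict}: {why}")
```

Run it against copies of your own 10-ssl.conf and 10-auth.conf (read the files and pass their contents to check_files) to confirm the combination you ended up with is reported as "ok"; the "insecure" verdicts correspond exactly to the two cases the wiki text warns about.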