Home / server / Questions / 1066321
In Process
Michael Altfield
Asked: 2021-06-11 09:02:27 +0800 CST

How to stop OS/daemon information leakage in dovecot (server_tokens)?

  • 772

How do I stop dovecot from telling its clients what flavour of linux I'm running and that it's a dovecot imap server?

If I connect to my smtp server, I see the following snippet

user@host:~$ openssl s_client -crlf -connect mail.example.com:993
CONNECTED(00000003)
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Debian) ready.
...
user@host:~$

Much to my dismay, the above output clearly indicates that I'm running a Debian server and that I'm using dovecot as my IMAP server.

In nginx, you can set server_tokens off to disable such information leakage.

In apache, it's

ServerTokens Prod
ServerSignature Off

What's the equivalent setting to tell dovecot not to leak the OS or imap server I'm running to clients?

imap email-server nginx dovecot apache2

1 Answers

  1. You can achieve this by setting the login_greeting option in dovecot.conf to the empty string

    Add the following to your dovecot.conf file:

    login_greeting = ''

    Restart dovecot. Now connection attempts should look like this:

    user@host:~$ openssl s_client -crlf -connect mail.example.com:993
CONNECTED(00000003)
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN]

...
user@host:~$
    • 0