How to stop OS/daemon information leakage in dovecot (server_tokens)?

Question

How do I stop dovecot from telling its clients what flavour of linux I'm running and that it's a dovecot imap server?

If I connect to my smtp server, I see the following snippet

user@host:~$ openssl s_client -crlf -connect mail.example.com:993
CONNECTED(00000003)
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Debian) ready.
...
user@host:~$

Much to my dismay, the above output clearly indicates that I'm running a Debian server and that I'm using dovecot as my IMAP server.

In nginx, you can set server_tokens off to disable such information leakage.

In apache, it's

ServerTokens Prod
ServerSignature Off

What's the equivalent setting to tell dovecot not to leak the OS or imap server I'm running to clients?

What would the desired end result look like? Deviating from the defaults is just *adding* more information.. — anx, Jun 10 '21 at 17:10
Does this answer your question? [How do I change dovecot's imap and pop 'banner'?](https://serverfault.com/questions/1046848/how-do-i-change-dovecots-imap-and-pop-banner) — anx, Jun 10 '21 at 17:12
Be aware that doing this does not increase security in any meaningful way. — Michael Hampton, Jun 10 '21 at 17:19

score 0 · Answer 1 · answered Jun 10 '21 at 17:16

You can achieve this by setting the login_greeting option in dovecot.conf to the empty string

Add the following to your dovecot.conf file:

login_greeting = ''

Restart dovecot. Now connection attempts should look like this:

user@host:~$ openssl s_client -crlf -connect mail.example.com:993
CONNECTED(00000003)
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN]

...
user@host:~$

How to stop OS/daemon information leakage in dovecot (server_tokens)?

1 Answers1