Hello,
Before I get into my question: is SSL on 993 or STARTTLS on 143 better
from a security perspective?
I've noticed that I've got a Dovecot listener on port 993; below is my
doveconf -n output. I don't have an imaps listener uncommented — should I
do so and set its port to 0? Will that disable the 993 listener?
Thanks.
Dave.
# 2.3.10 (0da0eff44): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (bf8ef1c2)
# OS: FreeBSD 12.1-RELEASE-p2 amd64
# Hostname: hostname.example.com
# --- Global / authentication settings ---------------------------------
# This is `doveconf -n` output, so only non-default values are printed.
# Setting names containing "hostname"/"hostnamebox" below look like an
# archive rewrite of "mail"/"mailbox" (compare mail_log / mail_crypt on
# the plugins line here with hostname_log / hostname_crypt in the
# protocol sections further down) — read them accordingly.
auth_cache_size = 10 M
auth_default_realm = example.com
# PLAIN and LOGIN hand the password to the server as-is; they are only
# acceptable because `ssl = required` (later in this dump) makes TLS
# mandatory before any authentication attempt.
auth_mechanisms = plain login
auth_realms = example.com
# Dict used by the last_login plugin (plugin section below); the SQL
# connection details are in the referenced file, not shown here.
dict {
  lastlogin = mysql:/usr/local/etc/dovecot/dovecot-last-login.conf
}
# first == last: every virtual user maps onto the single uid/gid 2100
# (vhostname), so separation between mailboxes relies on paths and ACLs,
# not on distinct OS users.
first_valid_gid = 2100
first_valid_uid = 2100
hostname = hostname.example.com
imap_client_workarounds = delay-newhostname tb-extra-hostnamebox-sep
tb-lsub-flags
imap_idle_notify_interval = 1 mins
last_valid_gid = 2100
last_valid_uid = 2100
lda_hostnamebox_autocreate = yes
lda_hostnamebox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
# Address redacted by the poster. Any inet_listener without its own
# `address` (imap on 143 and, as the poster observed, the default imaps
# on 993) binds to this address.
listen = xxx.xxx.xxx.xxx
lmtp_rcpt_check_quota = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
hostname_access_groups = vhostname
# fsync disabled for the default mail processes (durability trade-off);
# the lmtp/lda protocol sections override this to "optimized".
hostname_fsync = never
hostname_gid = vhostname
hostname_home = /var/vhostname/hostnameboxes/%d/%n
hostname_location = dbox:~/hostname
# mail_crypt is loaded globally; its key material sits in the plugin
# section (redacted in this dump).
hostname_plugins = acl fts fts_lucene mail_log notify quota trash
virtual welcome zlib mail_crypt
hostname_privileged_group = vhostname
hostname_server_admin = hostnameto:postmaster at example.com
hostname_uid = vhostname
managesieve_notify_capability = hostnameto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment hostnamebox date index ihave duplicate mime foreverypart
extracttext spamtest spamtestplus virustest editheader imapflags
notify imapsieve vnd.dovecot.imapsieve
# --- Namespaces ---------------------------------------------------------
# Public namespace: one shared sdbox store under /var/vhostname/public,
# with per-user CONTROL/INDEX files. Who may read or write it is decided
# by the acl plugin (global-acls file in the plugin section).
namespace {
  location =
sdbox:/var/vhostname/public/:CONTROL=~/hostname/public:INDEX=~/hostname/public
  prefix = Public/
  separator = /
  subscriptions = yes
  type = public
}
# Shared namespace: other users' folders appear under shared/<user>/;
# again ACL-governed.
namespace {
  hidden = no
  list = yes
  location =
hostnamedir:/var/vhostname/shared/office/.hostnamedir:CONTROL=~/.hostnamedir/control/office:INDEX=~/.hostnamedir/index/office
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
# Private inbox namespace. NOTE(review): the `location` and `prefix`
# lines here look truncated by the paste (the `=` and value are missing),
# so the effective values cannot be read from this dump.
namespace inbox {
  inbox = yes
  location   hostnamebox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  hostnamebox Sent {
    auto = subscribe
    special_use = \Sent
  }
  # Spam and Trash are purged automatically after 30 days.
  hostnamebox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  hostnamebox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix   separator = /
  type = private
}
# Password lookups go through SQL; the connection string and query are in
# the referenced file (not shown). That file holds database credentials,
# so its permissions matter as much as ssl_key's.
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
# --- Plugin settings ----------------------------------------------------
plugin {
  # Global ACLs for the public/shared namespaces, cached for 300 s.
  acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
  fts = lucene
  fts_autoindex = yes
  fts_autoindex_exclude = \Junk
  fts_autoindex_exclude2 = \Trash
  fts_autoindex_exclude3 = \Spam
  fts_autoindex_max_recent_msgs = 80
  fts_index_timeout = 90
  fts_lucene = whitespace_chars=@. normalize no_snowball
  # IMAPSieve rules: a COPY into Spam runs learn-spam.sieve, a COPY out of
  # Spam into any folder runs learn-ham.sieve. NOTE(review): the two
  # `_before` lines have lost their `=` in the paste.
  imapsieve_hostnamebox1_before
file:/var/vhostname/sieve/global/learn-spam.sieve
  imapsieve_hostnamebox1_causes = COPY
  imapsieve_hostnamebox1_name = Spam
  imapsieve_hostnamebox2_before file:/var/vhostname/sieve/global/learn-ham.sieve
  imapsieve_hostnamebox2_causes = COPY
  imapsieve_hostnamebox2_from = Spam
  imapsieve_hostnamebox2_name = *
  last_login_dict = proxy::lastlogin
  last_login_key = # hidden, use -P to show it
  # mail_crypt with a single global key pair: every mailbox is encrypted
  # under one key whose private half is itself a Dovecot setting (doveconf
  # redacts it here). Anyone who can read the config or run `doveconf -P`
  # can therefore decrypt the whole store; protect the file accordingly.
  hostname_crypt_curve = prime256v1
  hostname_crypt_global_private_key = # hidden, use -P to show it
  hostname_crypt_global_public_key = # hidden, use -P to show it
  hostname_crypt_save_version = 2
  # mail_log: audit trail for destructive mailbox operations.
  hostname_log_events = delete undelete expunge copy
hostnamebox_delete hostnamebox_rename
  hostname_log_fields = uid box msgid size
  quota = count:User quota
  quota_exceeded_message = Storage quota for this account has been
exceeded, please try again later.
  quota_grace = 10%%
  quota_rule2 = Trash:ignore
  # Replies given to Postfix's quota-status policy check.
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 hostnamebox is full
  quota_status_success = DUNNO
  quota_vsizes = true
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=75%% quota-warning 75 %u
  # Per-user scripts, keyed by domain/user; the global spam script runs
  # before them.
  sieve =
file:/var/vhostname/sieve/%d/%n/scripts;active=/var/vhostname/sieve/%d/%n/active-script.sieve
  sieve_before = /var/vhostname/sieve/global/spam-global.sieve
  sieve_extensions = +notify +imapflags +spamtest +spamtestplus
+virustest +editheader
  # pipe/execute are enabled as *global* extensions only, so per-user
  # scripts cannot call them. Even so, /usr/bin as the bin dir lets a
  # global script launch anything in that directory; a dedicated directory
  # holding only the intended helpers would narrow that.
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
+vnd.dovecot.environment
  # 30 is well above Pigeonhole's default (4): a single matching message
  # can be forwarded to up to 30 addresses, which amplifies the outbound
  # volume a compromised account can generate.
  sieve_max_redirects = 30
  sieve_max_script_size = 1M
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
  # Scores are parsed out of the X-Spamd-Result header with these regexes.
  sieve_spamtest_max_header = X-Spamd-Result: default: [[:alnum:]]+
\[-?[[:digit:]]+\.[[:digit:]]+ / (-?[[:digit:]]+\.[[:digit:]]+)\]
  sieve_spamtest_status_header = X-Spamd-Result: default: [[:alnum:]]+
\[(-?[[:digit:]]+\.[[:digit:]]+) / -?[[:digit:]]+\.[[:digit:]]+\]
  sieve_spamtest_status_type = score
  sieve_user_log = /var/vhostname/sieve/sieve_error.log
  sieve_virustest_status_header = X-Virus-Scan: Found to be (.+)\.
  sieve_virustest_status_type = text
  sieve_virustest_text_value1 = clean
  sieve_virustest_text_value5 = infected
  trash = /usr/local/etc/dovecot/trash.conf
  # Runs via `service welcome` (below) as user vhostname.
  welcome_script = welcome %n postmaster@%d
  welcome_wait = yes
}
postmaster_address = postmaster at example.com
# Only imap, lmtp and sieve are served; no pop3, so nothing on 110/995.
protocols = imap lmtp sieve
sendhostname_path = /usr/local/sbin/sendhostname
# --- Services -----------------------------------------------------------
service auth-worker {
  user = vhostname
}
service auth {
  # SASL socket for Postfix: limited to the postfix user/group (0660).
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  # mode 0666 lets every local account connect to this socket and look up
  # user records; 0660 with only the user/group that actually needs
  # lookups (here vhostname) is the usual restriction, matching the
  # postfix socket above.
  unix_listener auth-userdb {
    group = vhostname
    mode = 0666
    user = vhostname
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vhostname
  }
  # The dict server itself runs as root even though its only configured
  # backend is the lastlogin MySQL proxy — worth confirming whether a less
  # privileged user suffices.
  user = root
}
# Only the STARTTLS listener on 143 is set explicitly. The 993 listener
# the poster sees is Dovecot's built-in default `inet_listener imaps`
# (ssl = yes, port 993), which doveconf -n does not print because it is
# a default. To switch it off, add `inet_listener imaps { port = 0 }`
# in this block; RFC 8314 (cited in the thread) recommends keeping
# implicit TLS on 993 available instead.
service imap-login {
  inet_listener imap {
    port = 143
  }
  process_min_avail = 1
}
service imap {
  executable = imap
}
service lmtp {
  executable = lmtp
  # Delivery socket for Postfix, postfix-only (0660).
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
# ManageSieve is bound to a private-range address rather than `listen`,
# so it is not reachable on the public interface.
service managesieve-login {
  inet_listener sieve {
    address = 172.16.21.3
    port = 4190
  }
}
# Postfix policy service for quota checks at SMTP time.
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/dovecot-quota {
    group = postfix
    mode = 0660
    user = postfix
  }
}
# Shell script invoked by the quota_warning rules in the plugin section.
service quota-warning {
  executable = script /usr/local/etc/dovecot/quota-warning.sh
  unix_listener quota-warning {
    group = vhostname
    mode = 0660
    user = vhostname
  }
  user = vhostname
}
service stats {
  unix_listener stats-reader {
    group = vhostname
    mode = 0660
    user = vhostname
  }
  unix_listener stats-writer {
    group = vhostname
    mode = 0660
    user = vhostname
  }
}
# Shell script behind welcome_script in the plugin section.
service welcome {
  executable = script /usr/local/etc/dovecot/welcome.sh
  unix_listener welcome {
    user = vhostname
  }
  user = vhostname
}
# --- TLS --------------------------------------------------------------
# TLS is mandatory on every connection: on 143 the client must STARTTLS
# before it may authenticate, so there is no plaintext-login path on
# either port. The choice between 143 and 993 is therefore about client
# behaviour (see the thread), not about what this server accepts.
ssl = required
ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt
# Only ephemeral-DH/ECDH AES-GCM suites: forward secrecy and AEAD only,
# no CBC, no RSA key exchange.
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_curve_list = P-256
# DH parameters for the EDH suites; key and params redacted by doveconf.
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
# TLS 1.0/1.1 refused.
ssl_min_protocol = TLSv1.2
# Session tickets disabled.
ssl_options = no_ticket
ssl_prefer_server_ciphers = yes
# User lookups use the same SQL file as passdb.
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
# --- Per-protocol overrides --------------------------------------------
# Delivery paths (lmtp/lda) get fsync back on and load the sieve plugin;
# the name rewrite noted above applies here too (hostname_* == mail_*).
protocol lmtp {
  hostname_fsync = optimized
  hostname_plugins = acl fts fts_lucene hostname_log notify quota
trash virtual welcome zlib hostname_crypt sieve
}
protocol lda {
  hostname_fsync = optimized
  hostname_plugins = acl fts fts_lucene hostname_log notify quota
trash virtual welcome zlib hostname_crypt sieve
}
protocol imap {
  # Cap on simultaneous IMAP connections per user from one IP address.
  hostname_max_userip_connections = 20
  hostname_plugins = acl fts fts_lucene hostname_log notify quota
trash virtual welcome zlib hostname_crypt imap_acl imap_quota
imap_sieve imap_zlib last_login quota welcome
}
# ManageSieve logs to its own files rather than the main Dovecot log.
protocol sieve {
  info_log_path = /var/log/dovecot/dovecot-sieve.log
  log_path = /var/log/dovecot/dovecot-sieve-errors.log
}
Maybe this thread can help you with your first question : https://dovecot.org/pipermail/dovecot/2014-August/097488.html On 13.4.2020. 20:52, David Mehler wrote:> Hello, > > Before I get in to my question is ssl on 993 or starttls on 143 better > from a security perspective? > > I've noticed that I've got a dovecot listener on port 993, below is my > doveconf -n output I don't have an imaps listener uncommented should I > do so and set it's port to 0? Will that disable the 993 listener? > Thanks. > Dave. > > # 2.3.10 (0da0eff44): /usr/local/etc/dovecot/dovecot.conf > # Pigeonhole version 0.5.10 (bf8ef1c2) > # OS: FreeBSD 12.1-RELEASE-p2 amd64 > # Hostname: hostname.example.com > auth_cache_size = 10 M > auth_default_realm = example.com > auth_mechanisms = plain login > auth_realms = example.com > dict { > lastlogin = mysql:/usr/local/etc/dovecot/dovecot-last-login.conf > } > first_valid_gid = 2100 > first_valid_uid = 2100 > hostname = hostname.example.com > imap_client_workarounds = delay-newhostname tb-extra-hostnamebox-sep > tb-lsub-flags > imap_idle_notify_interval = 1 mins > last_valid_gid = 2100 > last_valid_uid = 2100 > lda_hostnamebox_autocreate = yes > lda_hostnamebox_autosubscribe = yes > lda_original_recipient_header = X-Original-To > listen = xxx.xxx.xxx.xxx > lmtp_rcpt_check_quota = yes > log_timestamp = "%Y-%m-%d %H:%M:%S " > hostname_access_groups = vhostname > hostname_fsync = never > hostname_gid = vhostname > hostname_home = /var/vhostname/hostnameboxes/%d/%n > hostname_location = dbox:~/hostname > hostname_plugins = acl fts fts_lucene mail_log notify quota trash > virtual welcome zlib mail_crypt > hostname_privileged_group = vhostname > hostname_server_admin = hostnameto:postmaster at example.com > hostname_uid = vhostname > managesieve_notify_capability = hostnameto > managesieve_sieve_capability = fileinto reject envelope > encoded-character vacation subaddress comparator-i;ascii-numeric > relational regex imap4flags copy include variables body 
enotify > environment hostnamebox date index ihave duplicate mime foreverypart > extracttext spamtest spamtestplus virustest editheader imapflags > notify imapsieve vnd.dovecot.imapsieve > namespace { > location = sdbox:/var/vhostname/public/:CONTROL=~/hostname/public:INDEX=~/hostname/public > prefix = Public/ > separator = / > subscriptions = yes > type = public > } > namespace { > hidden = no > list = yes > location = hostnamedir:/var/vhostname/shared/office/.hostnamedir:CONTROL=~/.hostnamedir/control/office:INDEX=~/.hostnamedir/index/office > prefix = shared/%%u/ > separator = / > subscriptions = yes > type = shared > } > namespace inbox { > inbox = yes > location > hostnamebox Drafts { > auto = subscribe > special_use = \Drafts > } > hostnamebox Sent { > auto = subscribe > special_use = \Sent > } > hostnamebox Spam { > auto = subscribe > autoexpunge = 30 days > special_use = \Junk > } > hostnamebox Trash { > auto = subscribe > autoexpunge = 30 days > special_use = \Trash > } > prefix > separator = / > type = private > } > passdb { > args = /usr/local/etc/dovecot/dovecot-sql.conf.ext > driver = sql > } > plugin { > acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300 > fts = lucene > fts_autoindex = yes > fts_autoindex_exclude = \Junk > fts_autoindex_exclude2 = \Trash > fts_autoindex_exclude3 = \Spam > fts_autoindex_max_recent_msgs = 80 > fts_index_timeout = 90 > fts_lucene = whitespace_chars=@. 
normalize no_snowball > imapsieve_hostnamebox1_before > file:/var/vhostname/sieve/global/learn-spam.sieve > imapsieve_hostnamebox1_causes = COPY > imapsieve_hostnamebox1_name = Spam > imapsieve_hostnamebox2_before > file:/var/vhostname/sieve/global/learn-ham.sieve > imapsieve_hostnamebox2_causes = COPY > imapsieve_hostnamebox2_from = Spam > imapsieve_hostnamebox2_name = * > last_login_dict = proxy::lastlogin > last_login_key = # hidden, use -P to show it > hostname_crypt_curve = prime256v1 > hostname_crypt_global_private_key = # hidden, use -P to show it > hostname_crypt_global_public_key = # hidden, use -P to show it > hostname_crypt_save_version = 2 > hostname_log_events = delete undelete expunge copy > hostnamebox_delete hostnamebox_rename > hostname_log_fields = uid box msgid size > quota = count:User quota > quota_exceeded_message = Storage quota for this account has been > exceeded, please try again later. > quota_grace = 10%% > quota_rule2 = Trash:ignore > quota_status_nouser = DUNNO > quota_status_overquota = 552 5.2.2 hostnamebox is full > quota_status_success = DUNNO > quota_vsizes = true > quota_warning = storage=100%% quota-exceeded 100 %u > quota_warning2 = storage=95%% quota-warning 95 %u > quota_warning3 = storage=90%% quota-warning 90 %u > quota_warning4 = storage=85%% quota-warning 85 %u > quota_warning5 = storage=75%% quota-warning 75 %u > sieve = file:/var/vhostname/sieve/%d/%n/scripts;active=/var/vhostname/sieve/%d/%n/active-script.sieve > sieve_before = /var/vhostname/sieve/global/spam-global.sieve > sieve_extensions = +notify +imapflags +spamtest +spamtestplus > +virustest +editheader > sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute > +vnd.dovecot.environment > sieve_max_redirects = 30 > sieve_max_script_size = 1M > sieve_pipe_bin_dir = /usr/bin > sieve_plugins = sieve_imapsieve sieve_extprograms > sieve_spamtest_max_header = X-Spamd-Result: default: [[:alnum:]]+ > \[-?[[:digit:]]+\.[[:digit:]]+ / 
(-?[[:digit:]]+\.[[:digit:]]+)\] > sieve_spamtest_status_header = X-Spamd-Result: default: [[:alnum:]]+ > \[(-?[[:digit:]]+\.[[:digit:]]+) / -?[[:digit:]]+\.[[:digit:]]+\] > sieve_spamtest_status_type = score > sieve_user_log = /var/vhostname/sieve/sieve_error.log > sieve_virustest_status_header = X-Virus-Scan: Found to be (.+)\. > sieve_virustest_status_type = text > sieve_virustest_text_value1 = clean > sieve_virustest_text_value5 = infected > trash = /usr/local/etc/dovecot/trash.conf > welcome_script = welcome %n postmaster@%d > welcome_wait = yes > } > postmaster_address = postmaster at example.com > protocols = imap lmtp sieve > sendhostname_path = /usr/local/sbin/sendhostname > service auth-worker { > user = vhostname > } > service auth { > unix_listener /var/spool/postfix/private/auth { > group = postfix > mode = 0660 > user = postfix > } > unix_listener auth-userdb { > group = vhostname > mode = 0666 > user = vhostname > } > } > service dict { > unix_listener dict { > mode = 0600 > user = vhostname > } > user = root > } > service imap-login { > inet_listener imap { > port = 143 > } > process_min_avail = 1 > } > service imap { > executable = imap > } > service lmtp { > executable = lmtp > unix_listener /var/spool/postfix/private/dovecot-lmtp { > group = postfix > mode = 0660 > user = postfix > } > } > service managesieve-login { > inet_listener sieve { > address = 172.16.21.3 > port = 4190 > } > } > service quota-status { > client_limit = 1 > executable = quota-status -p postfix > unix_listener /var/spool/postfix/private/dovecot-quota { > group = postfix > mode = 0660 > user = postfix > } > } > service quota-warning { > executable = script /usr/local/etc/dovecot/quota-warning.sh > unix_listener quota-warning { > group = vhostname > mode = 0660 > user = vhostname > } > user = vhostname > } > service stats { > unix_listener stats-reader { > group = vhostname > mode = 0660 > user = vhostname > } > unix_listener stats-writer { > group = vhostname > mode = 0660 > 
user = vhostname > } > } > service welcome { > executable = script /usr/local/etc/dovecot/welcome.sh > unix_listener welcome { > user = vhostname > } > user = vhostname > } > ssl = required > ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt > ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM > ssl_curve_list = P-256 > ssl_dh = # hidden, use -P to show it > ssl_key = # hidden, use -P to show it > ssl_min_protocol = TLSv1.2 > ssl_options = no_ticket > ssl_prefer_server_ciphers = yes > userdb { > args = /usr/local/etc/dovecot/dovecot-sql.conf.ext > driver = sql > } > protocol lmtp { > hostname_fsync = optimized > hostname_plugins = acl fts fts_lucene hostname_log notify quota > trash virtual welcome zlib hostname_crypt sieve > } > protocol lda { > hostname_fsync = optimized > hostname_plugins = acl fts fts_lucene hostname_log notify quota > trash virtual welcome zlib hostname_crypt sieve > } > protocol imap { > hostname_max_userip_connections = 20 > hostname_plugins = acl fts fts_lucene hostname_log notify quota > trash virtual welcome zlib hostname_crypt imap_acl imap_quota > imap_sieve imap_zlib last_login quota welcome > } > protocol sieve { > info_log_path = /var/log/dovecot/dovecot-sieve.log > log_path = /var/log/dovecot/dovecot-sieve-errors.log > } >
* David Mehler:> Before I get in to my question is ssl on 993 or starttls on 143 better > from a security perspective?On the server side, it makes little difference. STARTTLS just means a number of extra bytes are exchanged while an encrypted connection is being established. If you want to support a wide range of clients, expose both ports. -Ralph
Am 13.04.20 um 20:52 schrieb David Mehler:> Hello, > > Before I get in to my question is ssl on 993 or starttls on 143 better > from a security perspective?implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3 Andreas
On Tue, 14 Apr 2020, Ivo wrote:> Maybe this thread can help you with your first question : > https://dovecot.org/pipermail/dovecot/2014-August/097488.htmlI was more or less going to say the same thing. Further to this, it's more important to make sure your clients enforce SSL/STARTTLS use by disabling auto-discovery, and if you're ultra-conservative, certificate pinning. Joseph Tam <jtam.home at gmail.com>
> Le 14 avr. 2020 à 18:57, A. Schulze <sca at andreasschulze.de> a écrit : > > > > Am 13.04.20 um 20:52 schrieb David Mehler: >> Hello, >> >> Before I get in to my question is ssl on 993 or starttls on 143 better >> from a security perspective? > > implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3 One rationale for this is to make sure broken clients don't send clear-text credentials on port 143, even if STARTTLS is required. So from a security perspective, you can consider TLS on port 993 a better solution.