Hello,
Before I get in to my question is ssl on 993 or starttls on 143 better
from a security perspective?
I've noticed that I've got a dovecot listener on port 993, below is my
doveconf -n output I don't have an imaps listener uncommented should I
do so and set it's port to 0? Will that disable the 993 listener?
Thanks.
Dave.
# 2.3.10 (0da0eff44): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (bf8ef1c2)
# OS: FreeBSD 12.1-RELEASE-p2 amd64
# Hostname: hostname.example.com
auth_cache_size = 10 M
auth_default_realm = example.com
auth_mechanisms = plain login
auth_realms = example.com
dict {
lastlogin = mysql:/usr/local/etc/dovecot/dovecot-last-login.conf
}
first_valid_gid = 2100
first_valid_uid = 2100
hostname = hostname.example.com
imap_client_workarounds = delay-newhostname tb-extra-hostnamebox-sep
tb-lsub-flags
imap_idle_notify_interval = 1 mins
last_valid_gid = 2100
last_valid_uid = 2100
lda_hostnamebox_autocreate = yes
lda_hostnamebox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = xxx.xxx.xxx.xxx
lmtp_rcpt_check_quota = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
hostname_access_groups = vhostname
hostname_fsync = never
hostname_gid = vhostname
hostname_home = /var/vhostname/hostnameboxes/%d/%n
hostname_location = dbox:~/hostname
hostname_plugins = acl fts fts_lucene mail_log notify quota trash
virtual welcome zlib mail_crypt
hostname_privileged_group = vhostname
hostname_server_admin = hostnameto:postmaster at example.com
hostname_uid = vhostname
managesieve_notify_capability = hostnameto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment hostnamebox date index ihave duplicate mime foreverypart
extracttext spamtest spamtestplus virustest editheader imapflags
notify imapsieve vnd.dovecot.imapsieve
namespace {
location =
sdbox:/var/vhostname/public/:CONTROL=~/hostname/public:INDEX=~/hostname/public
prefix = Public/
separator = /
subscriptions = yes
type = public
}
namespace {
hidden = no
list = yes
location =
hostnamedir:/var/vhostname/shared/office/.hostnamedir:CONTROL=~/.hostnamedir/control/office:INDEX=~/.hostnamedir/index/office
prefix = shared/%%u/
separator = /
subscriptions = yes
type = shared
}
namespace inbox {
inbox = yes
location hostnamebox Drafts {
auto = subscribe
special_use = \Drafts
}
hostnamebox Sent {
auto = subscribe
special_use = \Sent
}
hostnamebox Spam {
auto = subscribe
autoexpunge = 30 days
special_use = \Junk
}
hostnamebox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
}
prefix separator = /
type = private
}
passdb {
args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
plugin {
acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
fts = lucene
fts_autoindex = yes
fts_autoindex_exclude = \Junk
fts_autoindex_exclude2 = \Trash
fts_autoindex_exclude3 = \Spam
fts_autoindex_max_recent_msgs = 80
fts_index_timeout = 90
fts_lucene = whitespace_chars=@. normalize no_snowball
imapsieve_hostnamebox1_before
file:/var/vhostname/sieve/global/learn-spam.sieve
imapsieve_hostnamebox1_causes = COPY
imapsieve_hostnamebox1_name = Spam
imapsieve_hostnamebox2_before file:/var/vhostname/sieve/global/learn-ham.sieve
imapsieve_hostnamebox2_causes = COPY
imapsieve_hostnamebox2_from = Spam
imapsieve_hostnamebox2_name = *
last_login_dict = proxy::lastlogin
last_login_key = # hidden, use -P to show it
hostname_crypt_curve = prime256v1
hostname_crypt_global_private_key = # hidden, use -P to show it
hostname_crypt_global_public_key = # hidden, use -P to show it
hostname_crypt_save_version = 2
hostname_log_events = delete undelete expunge copy
hostnamebox_delete hostnamebox_rename
hostname_log_fields = uid box msgid size
quota = count:User quota
quota_exceeded_message = Storage quota for this account has been
exceeded, please try again later.
quota_grace = 10%%
quota_rule2 = Trash:ignore
quota_status_nouser = DUNNO
quota_status_overquota = 552 5.2.2 hostnamebox is full
quota_status_success = DUNNO
quota_vsizes = true
quota_warning = storage=100%% quota-exceeded 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
quota_warning5 = storage=75%% quota-warning 75 %u
sieve =
file:/var/vhostname/sieve/%d/%n/scripts;active=/var/vhostname/sieve/%d/%n/active-script.sieve
sieve_before = /var/vhostname/sieve/global/spam-global.sieve
sieve_extensions = +notify +imapflags +spamtest +spamtestplus
+virustest +editheader
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
+vnd.dovecot.environment
sieve_max_redirects = 30
sieve_max_script_size = 1M
sieve_pipe_bin_dir = /usr/bin
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_spamtest_max_header = X-Spamd-Result: default: [[:alnum:]]+
\[-?[[:digit:]]+\.[[:digit:]]+ / (-?[[:digit:]]+\.[[:digit:]]+)\]
sieve_spamtest_status_header = X-Spamd-Result: default: [[:alnum:]]+
\[(-?[[:digit:]]+\.[[:digit:]]+) / -?[[:digit:]]+\.[[:digit:]]+\]
sieve_spamtest_status_type = score
sieve_user_log = /var/vhostname/sieve/sieve_error.log
sieve_virustest_status_header = X-Virus-Scan: Found to be (.+)\.
sieve_virustest_status_type = text
sieve_virustest_text_value1 = clean
sieve_virustest_text_value5 = infected
trash = /usr/local/etc/dovecot/trash.conf
welcome_script = welcome %n postmaster@%d
welcome_wait = yes
}
postmaster_address = postmaster at example.com
protocols = imap lmtp sieve
sendhostname_path = /usr/local/sbin/sendhostname
service auth-worker {
user = vhostname
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vhostname
mode = 0666
user = vhostname
}
}
service dict {
unix_listener dict {
mode = 0600
user = vhostname
}
user = root
}
service imap-login {
inet_listener imap {
port = 143
}
process_min_avail = 1
}
service imap {
executable = imap
}
service lmtp {
executable = lmtp
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
address = 172.16.21.3
port = 4190
}
}
service quota-status {
client_limit = 1
executable = quota-status -p postfix
unix_listener /var/spool/postfix/private/dovecot-quota {
group = postfix
mode = 0660
user = postfix
}
}
service quota-warning {
executable = script /usr/local/etc/dovecot/quota-warning.sh
unix_listener quota-warning {
group = vhostname
mode = 0660
user = vhostname
}
user = vhostname
}
service stats {
unix_listener stats-reader {
group = vhostname
mode = 0660
user = vhostname
}
unix_listener stats-writer {
group = vhostname
mode = 0660
user = vhostname
}
}
service welcome {
executable = script /usr/local/etc/dovecot/welcome.sh
unix_listener welcome {
user = vhostname
}
user = vhostname
}
ssl = required
ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_curve_list = P-256
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_ticket
ssl_prefer_server_ciphers = yes
userdb {
args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
protocol lmtp {
hostname_fsync = optimized
hostname_plugins = acl fts fts_lucene hostname_log notify quota
trash virtual welcome zlib hostname_crypt sieve
}
protocol lda {
hostname_fsync = optimized
hostname_plugins = acl fts fts_lucene hostname_log notify quota
trash virtual welcome zlib hostname_crypt sieve
}
protocol imap {
hostname_max_userip_connections = 20
hostname_plugins = acl fts fts_lucene hostname_log notify quota
trash virtual welcome zlib hostname_crypt imap_acl imap_quota
imap_sieve imap_zlib last_login quota welcome
}
protocol sieve {
info_log_path = /var/log/dovecot/dovecot-sieve.log
log_path = /var/log/dovecot/dovecot-sieve-errors.log
}
Maybe this thread can help you with your first question : https://dovecot.org/pipermail/dovecot/2014-August/097488.html On 13.4.2020. 20:52, David Mehler wrote:> Hello, > > Before I get in to my question is ssl on 993 or starttls on 143 better > from a security perspective? > > I've noticed that I've got a dovecot listener on port 993, below is my > doveconf -n output I don't have an imaps listener uncommented should I > do so and set it's port to 0? Will that disable the 993 listener? > Thanks. > Dave. > > # 2.3.10 (0da0eff44): /usr/local/etc/dovecot/dovecot.conf > # Pigeonhole version 0.5.10 (bf8ef1c2) > # OS: FreeBSD 12.1-RELEASE-p2 amd64 > # Hostname: hostname.example.com > auth_cache_size = 10 M > auth_default_realm = example.com > auth_mechanisms = plain login > auth_realms = example.com > dict { > lastlogin = mysql:/usr/local/etc/dovecot/dovecot-last-login.conf > } > first_valid_gid = 2100 > first_valid_uid = 2100 > hostname = hostname.example.com > imap_client_workarounds = delay-newhostname tb-extra-hostnamebox-sep > tb-lsub-flags > imap_idle_notify_interval = 1 mins > last_valid_gid = 2100 > last_valid_uid = 2100 > lda_hostnamebox_autocreate = yes > lda_hostnamebox_autosubscribe = yes > lda_original_recipient_header = X-Original-To > listen = xxx.xxx.xxx.xxx > lmtp_rcpt_check_quota = yes > log_timestamp = "%Y-%m-%d %H:%M:%S " > hostname_access_groups = vhostname > hostname_fsync = never > hostname_gid = vhostname > hostname_home = /var/vhostname/hostnameboxes/%d/%n > hostname_location = dbox:~/hostname > hostname_plugins = acl fts fts_lucene mail_log notify quota trash > virtual welcome zlib mail_crypt > hostname_privileged_group = vhostname > hostname_server_admin = hostnameto:postmaster at example.com > hostname_uid = vhostname > managesieve_notify_capability = hostnameto > managesieve_sieve_capability = fileinto reject envelope > encoded-character vacation subaddress comparator-i;ascii-numeric > relational regex imap4flags copy include variables body enotify > environment hostnamebox date index ihave duplicate mime foreverypart > extracttext spamtest spamtestplus virustest editheader imapflags > notify imapsieve vnd.dovecot.imapsieve > namespace { > location = sdbox:/var/vhostname/public/:CONTROL=~/hostname/public:INDEX=~/hostname/public > prefix = Public/ > separator = / > subscriptions = yes > type = public > } > namespace { > hidden = no > list = yes > location = hostnamedir:/var/vhostname/shared/office/.hostnamedir:CONTROL=~/.hostnamedir/control/office:INDEX=~/.hostnamedir/index/office > prefix = shared/%%u/ > separator = / > subscriptions = yes > type = shared > } > namespace inbox { > inbox = yes > location > hostnamebox Drafts { > auto = subscribe > special_use = \Drafts > } > hostnamebox Sent { > auto = subscribe > special_use = \Sent > } > hostnamebox Spam { > auto = subscribe > autoexpunge = 30 days > special_use = \Junk > } > hostnamebox Trash { > auto = subscribe > autoexpunge = 30 days > special_use = \Trash > } > prefix > separator = / > type = private > } > passdb { > args = /usr/local/etc/dovecot/dovecot-sql.conf.ext > driver = sql > } > plugin { > acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300 > fts = lucene > fts_autoindex = yes > fts_autoindex_exclude = \Junk > fts_autoindex_exclude2 = \Trash > fts_autoindex_exclude3 = \Spam > fts_autoindex_max_recent_msgs = 80 > fts_index_timeout = 90 > fts_lucene = whitespace_chars=@. normalize no_snowball > imapsieve_hostnamebox1_before > file:/var/vhostname/sieve/global/learn-spam.sieve > imapsieve_hostnamebox1_causes = COPY > imapsieve_hostnamebox1_name = Spam > imapsieve_hostnamebox2_before > file:/var/vhostname/sieve/global/learn-ham.sieve > imapsieve_hostnamebox2_causes = COPY > imapsieve_hostnamebox2_from = Spam > imapsieve_hostnamebox2_name = * > last_login_dict = proxy::lastlogin > last_login_key = # hidden, use -P to show it > hostname_crypt_curve = prime256v1 > hostname_crypt_global_private_key = # hidden, use -P to show it > hostname_crypt_global_public_key = # hidden, use -P to show it > hostname_crypt_save_version = 2 > hostname_log_events = delete undelete expunge copy > hostnamebox_delete hostnamebox_rename > hostname_log_fields = uid box msgid size > quota = count:User quota > quota_exceeded_message = Storage quota for this account has been > exceeded, please try again later. > quota_grace = 10%% > quota_rule2 = Trash:ignore > quota_status_nouser = DUNNO > quota_status_overquota = 552 5.2.2 hostnamebox is full > quota_status_success = DUNNO > quota_vsizes = true > quota_warning = storage=100%% quota-exceeded 100 %u > quota_warning2 = storage=95%% quota-warning 95 %u > quota_warning3 = storage=90%% quota-warning 90 %u > quota_warning4 = storage=85%% quota-warning 85 %u > quota_warning5 = storage=75%% quota-warning 75 %u > sieve = file:/var/vhostname/sieve/%d/%n/scripts;active=/var/vhostname/sieve/%d/%n/active-script.sieve > sieve_before = /var/vhostname/sieve/global/spam-global.sieve > sieve_extensions = +notify +imapflags +spamtest +spamtestplus > +virustest +editheader > sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute > +vnd.dovecot.environment > sieve_max_redirects = 30 > sieve_max_script_size = 1M > sieve_pipe_bin_dir = /usr/bin > sieve_plugins = sieve_imapsieve sieve_extprograms > sieve_spamtest_max_header = X-Spamd-Result: default: [[:alnum:]]+ > \[-?[[:digit:]]+\.[[:digit:]]+ / (-?[[:digit:]]+\.[[:digit:]]+)\] > sieve_spamtest_status_header = X-Spamd-Result: default: [[:alnum:]]+ > \[(-?[[:digit:]]+\.[[:digit:]]+) / -?[[:digit:]]+\.[[:digit:]]+\] > sieve_spamtest_status_type = score > sieve_user_log = /var/vhostname/sieve/sieve_error.log > sieve_virustest_status_header = X-Virus-Scan: Found to be (.+)\. > sieve_virustest_status_type = text > sieve_virustest_text_value1 = clean > sieve_virustest_text_value5 = infected > trash = /usr/local/etc/dovecot/trash.conf > welcome_script = welcome %n postmaster@%d > welcome_wait = yes > } > postmaster_address = postmaster at example.com > protocols = imap lmtp sieve > sendhostname_path = /usr/local/sbin/sendhostname > service auth-worker { > user = vhostname > } > service auth { > unix_listener /var/spool/postfix/private/auth { > group = postfix > mode = 0660 > user = postfix > } > unix_listener auth-userdb { > group = vhostname > mode = 0666 > user = vhostname > } > } > service dict { > unix_listener dict { > mode = 0600 > user = vhostname > } > user = root > } > service imap-login { > inet_listener imap { > port = 143 > } > process_min_avail = 1 > } > service imap { > executable = imap > } > service lmtp { > executable = lmtp > unix_listener /var/spool/postfix/private/dovecot-lmtp { > group = postfix > mode = 0660 > user = postfix > } > } > service managesieve-login { > inet_listener sieve { > address = 172.16.21.3 > port = 4190 > } > } > service quota-status { > client_limit = 1 > executable = quota-status -p postfix > unix_listener /var/spool/postfix/private/dovecot-quota { > group = postfix > mode = 0660 > user = postfix > } > } > service quota-warning { > executable = script /usr/local/etc/dovecot/quota-warning.sh > unix_listener quota-warning { > group = vhostname > mode = 0660 > user = vhostname > } > user = vhostname > } > service stats { > unix_listener stats-reader { > group = vhostname > mode = 0660 > user = vhostname > } > unix_listener stats-writer { > group = vhostname > mode = 0660 > user = vhostname > } > } > service welcome { > executable = script /usr/local/etc/dovecot/welcome.sh > unix_listener welcome { > user = vhostname > } > user = vhostname > } > ssl = required > ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt > ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM > ssl_curve_list = P-256 > ssl_dh = # hidden, use -P to show it > ssl_key = # hidden, use -P to show it > ssl_min_protocol = TLSv1.2 > ssl_options = no_ticket > ssl_prefer_server_ciphers = yes > userdb { > args = /usr/local/etc/dovecot/dovecot-sql.conf.ext > driver = sql > } > protocol lmtp { > hostname_fsync = optimized > hostname_plugins = acl fts fts_lucene hostname_log notify quota > trash virtual welcome zlib hostname_crypt sieve > } > protocol lda { > hostname_fsync = optimized > hostname_plugins = acl fts fts_lucene hostname_log notify quota > trash virtual welcome zlib hostname_crypt sieve > } > protocol imap { > hostname_max_userip_connections = 20 > hostname_plugins = acl fts fts_lucene hostname_log notify quota > trash virtual welcome zlib hostname_crypt imap_acl imap_quota > imap_sieve imap_zlib last_login quota welcome > } > protocol sieve { > info_log_path = /var/log/dovecot/dovecot-sieve.log > log_path = /var/log/dovecot/dovecot-sieve-errors.log > } >
* David Mehler:> Before I get in to my question is ssl on 993 or starttls on 143 better > from a security perspective?On the server side, it makes little difference. STARTTLS just means a number of extra bytes are exchanged while an encrypted connection is being established. If you want to support a wide range of clients, expose both ports. -Ralph
Am 13.04.20 um 20:52 schrieb David Mehler:> Hello, > > Before I get in to my question is ssl on 993 or starttls on 143 better > from a security perspective?implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3 Andreas
On Tue, 14 Apr 2020, Ivo wrote:> Maybe this thread can help you with your first question : > https://dovecot.org/pipermail/dovecot/2014-August/097488.htmlI was more or less going to say the same thing. Further to this, it's more important to make sure your clients enforce SSL/STARTTLS use by disabling auto-discovery, and if you're ultra-conservative, certificate pinning. Joseph Tam <jtam.home at gmail.com>
> Le 14 avr. 2020 ? 18:57, A. Schulze <sca at andreasschulze.de> a ?crit : > > > > Am 13.04.20 um 20:52 schrieb David Mehler: >> Hello, >> >> Before I get in to my question is ssl on 993 or starttls on 143 better >> from a security perspective? > > implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3One rational for this is to make sure broken clients don?t send clear text credential on port 143, even if STARTTLS is required. So from a security perspective, you can consider TLS on port 943 a better solution.