I asked a user today to make sure his incoming and outgoing email was using TLS. He told me it wasn't possible because my Dovecot / Postfix daemons were only listening on TCP 25 & 143 according to a port scan he did. He told me the only way I could enable encrypted secure sessions between the client & server is to enable port 993 (IMAPs). I told him that TLS is supported on my mail server over the default ports TCP 25 / 143 and that many consider IMAPs to be legacy. I sent him a telnet session of my PC communicating with my server & it shows TLS is available. I just wanted to be sure I was correct with the information above or am I completely wrong and I do indeed need TCP port 993?

I know this is the Dovecot mailing list but since Dovecot and Postfix both use and support TLS in their configuration files, I figured I would ask here for your help!

carloss at pc1:~$ telnet mail.holyghost.org 25
Trying 192.168.4.100...
Connected to mail.holyghost.org.
Escape character is '^]'.
220 mail.holyghost.org ESMTP Postfix
EHLO pc1.holyghost.org
250-mail.holyghost.org
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Below is a snip from my mail logs showing TLS:

Nov 9 10:26:39 mail dovecot: imap-login: Login: user=<carlos>, method=PLAIN, rip=::ffff:192.168.4.100, lip=::ffff:192.168.4.100, TLS

The above snip from my log means that I'm connecting to Dovecot via TLS, correct?
On 11/10/11 19:17, Carlos Mennens wrote:
> I asked a user today to make sure his incoming and outgoing email was
> using TLS. He told me it wasn't possible because my Dovecot / Postfix
> daemons were only listening on TCP 25 & 143 according to a port scan
> he did. He told me the only way I could enable encrypted secure
> sessions between the client & server is to enable port 993 (IMAPs).

Yes you are right. Port 993 is for IMAPS (SSH). TLS is normally on the same port as plain.

The difference between SSH and TLS is that with SSH the encryption is set up before any application communication takes place, i.e. all application packets are contained in the encrypted payload. With TLS the application starts communication and then the application sets up encryption of its payload.

Dick
Carlos Mennens wrote, On 11/10/11 2:17 PM:
> I asked a user today to make sure his incoming and outgoing email was
> using TLS. He told me it wasn't possible because my Dovecot / Postfix
> daemons were only listening on TCP 25 & 143 according to a port scan
> he did. He told me the only way I could enable encrypted secure
> sessions between the client & server is to enable port 993 (IMAPs). I
> told him that TLS is supported on my mail server over the default
> ports TCP 25 / 143 and that many consider IMAPs to be legacy. I sent
> him a telnet session of my PC communicating with my server & it shows
> TLS is available. I just wanted to be sure I was correct with the
> information above or am I completely wrong and I do indeed need TCP
> port 993?

You are correct. To convince your user, point him at http://en.wikipedia.org/wiki/STARTTLS which has links to the relevant RFCs.

>
> I know this is the Dovecot mailing list but since Dovecot and Postfix
> both use and support TLS in their configuration files, I figured I
> would ask here for your help!
>
> carloss at pc1:~$ telnet mail.holyghost.org 25
> Trying 192.168.4.100...
> Connected to mail.holyghost.org.
> Escape character is '^]'.
> 220 mail.holyghost.org ESMTP Postfix
> EHLO pc1.holyghost.org
> 250-mail.holyghost.org
> 250-PIPELINING
> 250-SIZE 20480000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> Below is a snip from my mail logs showing TLS:
>
> Nov 9 10:26:39 mail dovecot: imap-login: Login: user=<carlos>,
> method=PLAIN, rip=::ffff:192.168.4.100, lip=::ffff:192.168.4.100, TLS
>
> The above snip from my log means that I'm connecting to Dovecot via
> TLS, correct?

Yes
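The two checks the thread relies on, turned into a small script: parse an EHLO reply for the STARTTLS extension, and parse Dovecot imap-login lines to find which logins did and did not negotiate TLS (the plaintext-login case is what the user was worried about). This is an added example written for this page, not code from the thread, Dovecot or Postfix. The EHLO reply and the first log line are copied from the original post; the second log line (user "bob", no TLS) is constructed. The live_check() function, which actually negotiates STARTTLS on 25/143 with the standard library, takes a hostname argument you supply and is not exercised offline.

```python
"""Check STARTTLS on the standard SMTP/IMAP ports and audit Dovecot login
logs for TLS use.  Added example for this page; not the thread's own code."""
import imaplib
import re
import smtplib
import ssl

# Sample EHLO reply, taken from the telnet session in the original post.
SAMPLE_EHLO_REPLY = """\
250-mail.holyghost.org
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Sample Dovecot imap-login records: the first is the line from the thread,
# the second is a constructed plaintext login (no trailing "TLS" field).
SAMPLE_DOVECOT_LOGS = [
    "Nov 9 10:26:39 mail dovecot: imap-login: Login: user=<carlos>, "
    "method=PLAIN, rip=::ffff:192.168.4.100, lip=::ffff:192.168.4.100, TLS",
    "Nov 9 10:27:02 mail dovecot: imap-login: Login: user=<bob>, "
    "method=PLAIN, rip=::ffff:192.168.4.50, lip=::ffff:192.168.4.100",
]


def ehlo_extensions(reply):
    """Return the set of extension keywords advertised in a 250 EHLO reply.
    The first line is the server's hostname greeting and carries no keyword."""
    exts = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        m = re.match(r"250[ -](\S+)", ln)
        if m:
            exts.add(m.group(1).upper())
    return exts


def offers_starttls(reply):
    """True if the EHLO reply advertises STARTTLS on the plain port."""
    return "STARTTLS" in ehlo_extensions(reply)


LOGIN_RE = re.compile(r"imap-login: Login: user=<(?P<user>[^>]*)>, (?P<fields>.*)$")


def dovecot_login_tls(line):
    """Return (user, tls_used) for an imap-login 'Login:' record, else None.
    Dovecot appends a 'TLS' field only when the session was encrypted."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group("fields").split(",")]
    return m.group("user"), any(f.startswith("TLS") for f in fields)


def plaintext_logins(lines):
    """Users who logged in without TLS: these sent PLAIN credentials in clear."""
    return [rec[0] for rec in map(dovecot_login_tls, lines) if rec and not rec[1]]


def live_check(host, smtp_port=25, imap_port=143):
    """Negotiate STARTTLS on the standard ports (hypothetical host supplied by
    the caller).  Needs network access, so it is not part of the offline test."""
    ctx = ssl.create_default_context()
    result = {}
    with smtplib.SMTP(host, smtp_port, timeout=10) as smtp:
        smtp.ehlo()
        result["smtp_starttls"] = smtp.has_extn("starttls")
        if result["smtp_starttls"]:
            smtp.starttls(context=ctx)
            smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS upgrade
            result["smtp_tls_version"] = smtp.sock.version()
    imap = imaplib.IMAP4(host, imap_port)
    caps = imap.capability()[1][0].upper()
    result["imap_starttls"] = b"STARTTLS" in caps
    if result["imap_starttls"]:
        imap.starttls(ssl_context=ctx)
        result["imap_tls_version"] = imap.sock.version()
    imap.logout()
    return result


if __name__ == "__main__":
    print("SMTP advertises STARTTLS:", offers_starttls(SAMPLE_EHLO_REPLY))
    for ln in SAMPLE_DOVECOT_LOGS:
        print(dovecot_login_tls(ln))
    print("plaintext logins:", plaintext_logins(SAMPLE_DOVECOT_LOGS))
```

Running the offline part reports STARTTLS as advertised and flags only the constructed "bob" login as plaintext; feeding it a real mail.log is the quickest way to confirm that every client on 143 is upgrading rather than sending PLAIN in the clear.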