just setting a new Dovecot server to migrate from an older system, but I have a general question:

1. I've set the server with a self-issued cert, and both pop/imap StartTLS/110/143 and SSL/993/995 (apologies if I'm using the wrong naming terminology)

is there a 'preferred way'? should I tell users to use 143 over 993? or 993 over 143? or?

my current understanding is that some (MS?) clients might not support StartTLS/143? so best to offer both? I think?

some public WiFi block 993/995 but allow 143/110, hence another advantage for using 143/110

thanks for any advice,
V
On Mon, 21 Aug 2017, voytek at sbt.net.au wrote:

> 1. I've set the server with self issued cert, and both pop/imap
> StartTLS/110/143 SSL/993/995 (apologies if I'm using wrong naming
> terminology)

That's fine.

-- 
Steffen Kaiser
On 21/08/17 00:28, voytek at sbt.net.au wrote:
> just setting a new Dovecot server to migrate from older system, but, I
> have a general question:
>
> 1. I've set the server with self issued cert, and both pop/imap
> StartTLS/110/143 SSL/993/995 (apologies if I'm using wrong naming
> terminology)
>
> is there a 'preferred way'? should I tell users to use 143 over 993 ? or
> 993 over 143? or?

I believe the recommended way for years has been to use the encrypted/SSL versions of both IMAP and POP3 - so ports 993 and 995 respectively. Otherwise you are effectively sending data in plain text over the internet.

> my current understanding is that some (MS?) clients might not support
> StartTLS/143 ? so best to offer both ?

As far as I know, all popular email clients of the last 15 years that I can think of support POP3 on 995 and IMAP on 993 with SSL.

> I think? some public WiFi block 993/995 but allow 143/110, hence, another
> advantage for using 143/110

I never heard about this. Maybe others have. I guess this would be even more of a reason to use the encrypted versions of the protocols.
On 08/21/2017 07:28 AM, voytek at sbt.net.au wrote:
> is there a 'preferred way'? should I tell users to use 143 over 993 ? or
> 993 over 143? or?

There is no concrete answer. There are various opinions and feelings about this.

The opinion against 993/995 is that these are not standard ports, and there is no need to allocate new ports for the secure version of each protocol since we can use STARTTLS.

The problem with 110/143 is that security depends on settings on both ends: the client must be configured to negotiate STARTTLS as mandatory, and refuse to talk to the server when that doesn't work. The server must also refuse to talk to clients without STARTTLS. Since some mail clients support "opportunistic" STARTTLS, that is, use port 143 and use STARTTLS *if / when* available, some people feel there are too many subtleties involved, and ports 993/995 just make all this go away.

Requiring STARTTLS on the server side doesn't prevent a man-in-the-middle attack. The client must be configured to insist on negotiating STARTTLS with a server with a verified certificate.

> my current understanding is that some (MS?) clients might not support
> StartTLS/143 ? so best to offer both ?

Their newest clients do support STARTTLS. I don't remember exactly, but maybe Outlook 2003 or so didn't support it.

> I think? some public WiFi block 993/995 but allow 143/110, hence, another
> advantage for using 143/110

Never heard of this either.
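The point above (on 143 the client must treat STARTTLS as mandatory and verify the certificate, and the server must refuse unencrypted logins) can be checked in code. The following is an added example written for this page, not code from the thread or from Dovecot: it parses a server's pre-TLS CAPABILITY line to see whether STARTTLS is offered and whether a plaintext login would be accepted, builds a strictly verifying TLS context, and opens either an explicit-TLS (143 + STARTTLS) or implicit-TLS (993) session that fails closed. The CAPABILITY strings are constructed samples; the host and port arguments are placeholders supplied by the caller.

```python
import contextlib
import imaplib
import ssl
import sys

# Constructed sample CAPABILITY payloads, as an IMAP server returns them on
# port 143 before any TLS negotiation. The first is what a server that requires
# TLS looks like (STARTTLS offered, LOGIN disabled until then); the second is a
# server that would happily take a password in cleartext.
SAMPLE_CAPABILITY_WITH_STARTTLS = (
    b"IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED"
)
SAMPLE_CAPABILITY_WITHOUT_STARTTLS = (
    b"IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN"
)


def capabilities(raw):
    """Split a raw CAPABILITY payload into an upper-cased set of tokens."""
    return {tok.upper() for tok in raw.decode("ascii", "replace").split()}


def offers_starttls(raw):
    """True if the server advertises STARTTLS on the cleartext port."""
    return "STARTTLS" in capabilities(raw)


def plaintext_login_allowed(raw):
    """True if the server would accept credentials before TLS is negotiated.

    A server that requires TLS advertises LOGINDISABLED and no AUTH=
    mechanisms until after STARTTLS; anything else is a cleartext-login risk.
    """
    caps = capabilities(raw)
    login_ok = "LOGINDISABLED" not in caps
    sasl_ok = any(c.startswith("AUTH=") for c in caps)
    return login_ok or sasl_ok


def strict_tls_context():
    """Context that verifies the chain against the system trust store and
    checks the hostname; without both, a man-in-the-middle is not detected."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_explicit_tls(host, port=143, timeout=10):
    """Port-143 path: connect in cleartext, require STARTTLS with a verified
    certificate, and refuse to proceed if STARTTLS is not offered."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        typ, data = conn.capability()
        if typ != "OK" or not offers_starttls(data[0]):
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing to continue")
        # starttls() raises if the handshake or certificate verification fails,
        # so credentials are never sent over an unverified channel.
        conn.starttls(ssl_context=strict_tls_context())
        return conn
    except Exception:
        with contextlib.suppress(OSError):
            conn.shutdown()
        raise


def connect_implicit_tls(host, port=993, timeout=10):
    """Port-993 path: TLS from the first byte, same verification rules."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=strict_tls_context(), timeout=timeout)


if __name__ == "__main__":
    # Usage: python imap_tls_check.py mail.example.net [143|993]
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"  # placeholder host
    chosen = int(sys.argv[2]) if len(sys.argv) > 2 else 143
    session = connect_explicit_tls(target, chosen) if chosen == 143 else connect_implicit_tls(target, chosen)
    print("TLS session established; post-TLS capabilities:", session.capability()[1][0])
    session.logout()
```

On the server side the matching Dovecot settings are `ssl = required` together with `disable_plaintext_auth = yes`, which make the server advertise LOGINDISABLED on 143 until STARTTLS has completed; that is exactly the first sample capability line above, and `plaintext_login_allowed` returning True for a live server is the misconfiguration to look for.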
On 21/08/17 10:37, Gedalya wrote:
> On 08/21/2017 07:28 AM, voytek at sbt.net.au wrote:
>> is there a 'preferred way'? should I tell users to use 143 over 993 ? or
>> 993 over 143? or?
> There is no concrete answer. There are various opinions and feelings about this.
> The opinion against 993/995 is that these are not standard ports,

Out of curiosity, is there a source for this? It's the first time I hear that 993/995 are not standard ports, and searching on the Internet, I can't find any evidence to back it up. Also, pretty much all email software has been using them for the past 20 years or so. It seems like a curiously high rate of adoption for a non-standard :-)