Hello,

I'm providing IMAP+STARTTLS on port 143 for users with legacy MUAs, so I have to enable TLS 1.0 up to TLS 1.3.
For IMAPS / port 993 I would like to enable TLS 1.2 and TLS 1.3 only.

Is this possible with dovecot-2.2.36, and how do I set it up?

Thanks for suggestions,
Andreas
On 14 November 2018 at 21:19 "A. Schulze" <sca@andreasschulze.de> wrote:

> Hello,
>
> I'm providing IMAP+STARTTLS on port 143 for users with legacy MUAs, so I have to enable TLS 1.0 up to TLS 1.3.
> For IMAPS / port 993 I would like to enable TLS 1.2 and TLS 1.3 only.
>
> Is this possible with dovecot-2.2.36, and how do I set it up?
>
> Thanks for suggestions,
> Andreas

Not possible I'm afraid.

---
Aki Tuomi
On 14.11.18 at 20:22, Aki Tuomi wrote:
> Not possible I'm afraid.

Hello Aki,

is it not possible in 2.2.36, or not possible at all?

I stumbled upon RFC 8314 *) and I found it a welcome option to enforce more modern protocols/ciphers. IMAPS/SUBMISSIONS aren't used widely (at least to my knowledge; many postmasters used to configure IMAP+SUBMISSION with STARTTLS). Switching clients to completely new ports is a chance to separate and dry out legacy MUAs.

I just tried this, but that's no valid syntax though:

    service imap-login {
      inet_listener imap {
        port = 143
        # using default protocols and ciphers...
      }
      inet_listener imaps {
        port = 993
        ssl_protocols = TLSv1.2 TLSv1.3
        ssl_cipher_list = ...
      }
    }

Postfix lets me easily define different TLS protocols on different ports. So it would be cool if Dovecot could assist with such migrations, too.

Andreas

*) see https://tools.ietf.org/html/rfc8314 as well as the draft https://tools.ietf.org/html/draft-lvelvindron-tls-for-email-02 to deprecate TLSv1.1
On Wed, 14 Nov 2018, Aki Tuomi wrote:

>> I'm providing IMAP+STARTTLS on port 143 for users with legacy MUAs, so
>> I have to enable TLS 1.0 up to TLS 1.3. For IMAPS / port 993 I would like to
>> enable TLS 1.2 and TLS 1.3 only.
>>
>> Is this possible with dovecot-2.2.36, and how do I set it up?
>
> Not possible I'm afraid.

("Not possible" = challenge!)

Couldn't you run two different instances (with 2 separate run-time directories), each listening on a different port with its own SSL configuration? Or would it clash somewhere?

If only a single running instance of dovecot is required, I guess you can run dovecot on the localhost interface and use 2 stunnel proxies.

Joseph Tam <jtam.home at gmail.com>
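Joseph's stunnel suggestion worked through as an added example; it is not part of the thread and not from the Dovecot or stunnel documentation. The script emits a stunnel service that terminates IMAPS on 993 with a TLS 1.2 floor and forwards to a loopback-only plaintext IMAP listener, the matching Dovecot 2.2 listener fragment, and openssl s_client probes that confirm the split Andreas asked for: 993 refuses TLS 1.0/1.1, 143 still offers TLS 1.0 via STARTTLS. Paths, the 10143 port, the stunnel version requirement and the cipher string are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: terminate IMAPS (993) in stunnel with a
# TLS 1.2+ floor, and hand the decrypted session to a loopback-only plaintext
# IMAP listener in Dovecot. Dovecot's own port 143 keeps STARTTLS with the
# global (TLS 1.0+) settings for legacy MUAs. All paths, ports and the stunnel
# version are assumptions; adjust them to the host.

# stunnel service for IMAPS. "sslVersionMin" assumes stunnel >= 5.50; on older
# releases use "options = NO_TLSv1" and "options = NO_TLSv1.1" instead.
stunnel_conf() {
    cat <<'EOF'
; /etc/stunnel/imaps.conf (hypothetical path)
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/imaps.pid

[imaps]
accept = 993
connect = 127.0.0.1:10143
cert = /etc/ssl/private/mail.example.org.pem
key = /etc/ssl/private/mail.example.org.key
sslVersionMin = TLSv1.2
ciphers = ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM
EOF
}

# Dovecot side: release 993 (port = 0) so stunnel can bind it, keep 143 as
# is, and add a plaintext listener bound to loopback only for stunnel.
dovecot_conf() {
    cat <<'EOF'
# conf.d/10-master.conf fragment (hypothetical; merge into the existing block)
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 0
  }
  inet_listener imap_from_stunnel {
    address = 127.0.0.1
    port = 10143
  }
}
EOF
}

# Probes, run from a client machine against the real server. VERSION is an
# openssl s_client flag without the dash: tls1, tls1_1, tls1_2, tls1_3.
probe_imaps() {
    openssl s_client -connect "$1:993" "-$2" </dev/null 2>&1
}
probe_starttls() {
    openssl s_client -connect "$1:143" -starttls imap "-$2" </dev/null 2>&1
}

# handshake_ok OUTPUT: true iff s_client negotiated a cipher. A refused
# handshake prints "New, (NONE), Cipher is (NONE)" or no summary at all.
handshake_ok() {
    printf '%s\n' "$1" | grep -q 'Cipher is [^(]'
}

# check_policy HOST: 993 must refuse TLS 1.0 and 1.1 and accept TLS 1.2;
# 143 must still negotiate TLS 1.0 via STARTTLS. Requiring the TLS 1.0
# STARTTLS probe to succeed also catches a client-side OpenSSL that has
# TLS 1.0 disabled, which would otherwise masquerade as a server refusal.
check_policy() {
    host=$1
    if handshake_ok "$(probe_imaps "$host" tls1)"; then
        echo "FAIL: $host:993 accepted TLS 1.0"; return 1
    fi
    if handshake_ok "$(probe_imaps "$host" tls1_1)"; then
        echo "FAIL: $host:993 accepted TLS 1.1"; return 1
    fi
    handshake_ok "$(probe_imaps "$host" tls1_2)" || { echo "FAIL: $host:993 refused TLS 1.2"; return 1; }
    handshake_ok "$(probe_starttls "$host" tls1)" || { echo "FAIL: $host:143 STARTTLS refused TLS 1.0 (or local openssl lacks TLS 1.0)"; return 1; }
    echo "OK: $host enforces TLS 1.2+ on 993 and keeps TLS 1.0+ on 143"
}

# Usage: TLS_SPLIT_HOST=mail.example.org sh tls-split.sh
if [ -n "${TLS_SPLIT_HOST:-}" ]; then
    check_policy "$TLS_SPLIT_HOST"
fi
```

Two caveats for this layout. Dovecot treats a connection whose local and remote IP addresses are equal as secure, so plaintext authentication on the loopback hop is accepted even with disable_plaintext_auth = yes; the price is that Dovecot logs 127.0.0.1 as the client address for every IMAPS session, so per-IP logging and authentication penalties no longer see the real source. And the TLS policy for 993 now lives in stunnel, not in dovecot.conf, so the two files have to be kept in sync when ciphers or certificates change.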