Hello,

I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So I've to enable TLS1.0 up to TLS1.3.
For IMAPS / port 993 I like to enable TLS1.2 and TLS1.3 only.

Is this possible with dovecot-2.2.36 / how to setup this?

Thanks for suggestions,
Andreas

On 14 November 2018 at 21:19 "A. Schulze" <sca@andreasschulze.de> wrote:

> Hello,
>
> I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So
> I've to enable TLS1.0 up to TLS1.3
> For IMAPS / port 993 I like to enable TLS1.2 and TLS1.3 only.
>
> Is this possible with dovecot-2.2.36 / how to setup this?
>
> Thanks for suggestions,
> Andreas

Not possible I'm afraid.

---
Aki Tuomi

On 14.11.18 at 20:22, Aki Tuomi wrote:

> Not possible I'm afraid.

Hello Aki,

is it not possible in 2.2.36 or not possible at all?

I stumbled upon RFC 8314 *) and I found it a welcome option to enforce more modern protocols/ciphers.
IMAPS/SUBMISSIONS aren't used widely (at least to my knowledge, many postmasters used to configure IMAP+SUBMISSION and STARTTLS).
Switching clients to completely new ports is a chance to separate and dry out legacy MUAs.

I just tried this, but that's no valid syntax though:

    service imap-login {
      inet_listener imap {
        port = 143
        # using default protocols and ciphers...
      }
      inet_listener imaps {
        port = 993
        ssl_protocols = TLSv1.2 TLSv1.3
        ssl_cipher_list = ...
      }
    }

Postfix lets me easily define different TLS protocols on different ports.
For that it would be cool if dovecot could assist on such migrations, too.

Andreas

*) see https://tools.ietf.org/html/rfc8314
   as well as the draft https://tools.ietf.org/html/draft-lvelvindron-tls-for-email-02 to deprecate TLSv1.1

On Wed, 14 Nov 2018, Aki Tuomi wrote:

>> I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So
>> I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to
>> enable TLS1.2 and TLS1.3 only.
>>
>> Is this possible with dovecot-2.2.36 / how to setup this?
>
> Not possible I'm afraid.

("Not possible" = challenge!)

Couldn't you run two different instances (with 2 separate run-time directories), each listening on a different port with their own SSL configuration? Or would it clash somewhere?

If only a single running instance of dovecot is required, I guess you can run dovecot on the localhost interface, and use 2 stunnel proxies.

Joseph Tam <jtam.home at gmail.com>
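
The two-instance setup suggested above could look like the following, as an added sketch that is not from the thread or from the Dovecot project. The file paths, the instance names and the shared common.conf include (holding passdb/userdb, mail_location, ssl, ssl_cert and ssl_key) are assumptions; which TLS versions above 1.2 are actually offered depends on the OpenSSL library Dovecot is linked against.

```conf
# ---- /etc/dovecot-legacy/dovecot.conf (assumed path) ----
# Instance 1: port 143 with STARTTLS for legacy MUAs.
# Start with: dovecot -c /etc/dovecot-legacy/dovecot.conf

# Hypothetical shared file: auth, mail_location, ssl, ssl_cert, ssl_key.
!include /etc/dovecot/common.conf

# base_dir must be unique per instance: sockets and the PID file live here.
base_dir = /var/run/dovecot-legacy
instance_name = dovecot-legacy
protocols = imap

# Excludes only SSLv3, so TLS 1.0 and newer stay available.
ssl_protocols = !SSLv3

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 0      # disabled here, the other instance owns 993
  }
}

# ---- /etc/dovecot-modern/dovecot.conf (assumed path) ----
# Instance 2: implicit TLS on port 993, TLS 1.2 and newer only.
# Start with: dovecot -c /etc/dovecot-modern/dovecot.conf

!include /etc/dovecot/common.conf

base_dir = /var/run/dovecot-modern
instance_name = dovecot-modern
protocols = imap

# 2.2-style exclusion list: everything below TLS 1.2 is refused.
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

service imap-login {
  inet_listener imap {
    port = 0      # disabled here, the other instance owns 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

Only the imap-login listeners are shown; any other service with a TCP listener (POP3, LMTP, ManageSieve) has to be enabled in just one of the two instances so the ports do not clash.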