On Wed, 14 Nov 2018, Aki Tuomi wrote:

>> I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So
>> I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to
>> enable TLS1.2 and TLS1.3 only.
>>
>> Is this possible with dovecot-2.2.36 / how to setup this?
>
> Not possible I'm afraid.

("Not possible" = challenge!)

Couldn't you run two different instances (with 2 separate run-time
directories), each listening on a different port with their own SSL
configuration? Or would it clash somewhere?

If only a single running instance of dovecot is required, I guess you
can run dovecot on the localhost interface, and use 2 stunnel proxies.

Joseph Tam <jtam.home at gmail.com>
On 14.11.18 at 22:46, Joseph Tam wrote:

> Couldn't you run two different instances

That is the idea: yes, I can run multiple instances... Thanks!
On 11/14/2018 01:46 PM, Joseph Tam wrote:

> On Wed, 14 Nov 2018, Aki Tuomi wrote:
>
>>> I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So
>>> I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to
>>> enable TLS1.2 and TLS1.3 only.
>>>
>>> Is this possible with dovecot-2.2.36 / how to setup this?
>>
>> Not possible I'm afraid.
>
> ("Not possible" = challenge!)
>
> Couldn't you run two different instances (with 2 separate run-time
> directories), each listening on a different port with their own SSL
> configuration? Or would it clash somewhere?
>
> If only a single running instance of dovecot is required, I guess you
> can run dovecot on the localhost interface, and use 2 stunnel proxies.
>
> Joseph Tam <jtam.home at gmail.com>

Honestly that violates the concept of KISS.

Given that TLS 1.2 is now a decade old, do you really need to still allow clients not capable of TLS 1.0/1.1 ???

I still do but only allow cipher suites with Forward Secrecy.

I don't run a huge mail server, but from a quick look at my logs I don't even see any clients connecting that aren't TLS 1.2 anymore.

Might be easier to just give a six month notice that clients running TLS more than a decade old will no longer be supported.
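The "quick look at my logs" step above can be scripted so the decision to drop TLS 1.0/1.1 is based on actual client behaviour rather than a guess. The following is an added example, not code from this thread or from the Dovecot project; it assumes the negotiated protocol appears in the login line (Dovecot's `%k` / ssl_security variable added to `login_log_format_elements`) and works on constructed sample lines embedded below.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the thread). They assume
# login_log_format_elements includes %k, which logs the negotiated TLS
# protocol and cipher in place of the plain "TLS" marker.
SAMPLE_LOG = """\
Nov 14 10:01:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=1234, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<abc1>
Nov 14 10:02:15 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, mpid=1235, TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits), session=<abc2>
Nov 14 10:03:40 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, mpid=1236, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits), session=<abc3>
Nov 14 10:04:01 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.5, mpid=1237, TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits), session=<abc4>
Nov 14 10:05:09 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=1238, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<abc5>
"""

# Matches the user, source IP, protocol version and cipher of a TLS login.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,]+),.*?"
    r"(?P<proto>TLSv1(?:\.[0-9])?|SSLv[23]) with cipher (?P<cipher>\S+)"
)

# Ordering used to compare protocol versions against a policy floor.
TLS_ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def parse_logins(log_text):
    """Yield (user, rip, protocol, cipher) for every TLS login line."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m["user"], m["rip"], m["proto"], m["cipher"]


def protocol_counts(log_text):
    """How many logins negotiated each protocol version."""
    return Counter(proto for _, _, proto, _ in parse_logins(log_text))


def clients_below(log_text, minimum="TLSv1.2"):
    """Distinct (user, rip, protocol) that would break if `minimum` became the floor."""
    floor = TLS_ORDER[minimum]
    return sorted({(u, r, p) for u, r, p, _ in parse_logins(log_text) if TLS_ORDER[p] < floor})


if __name__ == "__main__":
    print(protocol_counts(SAMPLE_LOG))
    for user, rip, proto in clients_below(SAMPLE_LOG):
        print(f"would break under a TLSv1.2 floor: user={user} rip={rip} ({proto})")
```

Run it over the real log (for example `clients_below(open("/var/log/dovecot.log").read())`) to get the list of users to notify before the cut-off.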
On 11/14/2018 4:08 PM, Michael A. Peters wrote:

> Honestly that violates the concept of KISS.
>
> Given that TLS 1.2 is now a decade old, do you really need to
> still allow clients not capable of TLS 1.0/1.1 ???
>
> I still do but only allow cipher suites with Forward Secrecy.
>
> I don't run huge mail server, but from quick look at my logs I
> don't even see any clients connecting that aren't TLS 1.2 anymore.
>
> Might be easier to just give a six month notice that clients
> running TLS more than a decade old will no longer be supported.

+1 Strongly agree with this. If you have enough users that you have to use both hands to count them, running different protocols on different ports is a sure-fire way to annoy your users and create problems for support staff (e.g. you). Either allow the antique protocol everywhere, or give notice and cut it off.

-- Noel Jones