On 22/4/22 7:44 am, alice at coakmail.com wrote:
>> On 22/4/22 7:25 am, alice at coakmail.com wrote:
>> Thanks. I will give it a try.
> After enabling SSL, can I disable port 143 entirely?

Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS on port 993.

-- 
Jeremy
On 2022-04-22 01:50, Jeremy Ardley wrote:
> On 22/4/22 7:44 am, alice at coakmail.com wrote:
>>> On 22/4/22 7:25 am, alice at coakmail.com wrote:
>> Thanks. I will give it a try.
>> After enabling SSL, can I disable port 143 entirely?
>
> Probably a bad idea. Many clients use STARTTLS on port 143 rather
> than TLS on port 993.

Keeping the footprint of servers minimal, for minimal risk, is not a bad idea.
On 22/4/22 7:50 am, Jeremy Ardley wrote:
> On 22/4/22 7:44 am, alice at coakmail.com wrote:
>>> On 22/4/22 7:25 am, alice at coakmail.com wrote:
>> Thanks. I will give it a try.
>> After enabling SSL, can I disable port 143 entirely?
>
> Probably a bad idea. Many clients use STARTTLS on port 143 rather
> than TLS on port 993.

I forgot to mention that in /etc/dovecot/dovecot.conf you don't need to specify imaps. Dovecot automatically listens on ports 993 and 143 when ssl is specified and applies the ssl directive as indicated.

#global
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pe

protocols = imap lmtp sieve

#specific domain override
local mail.example.com {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem
  }
}

It is possible to generate a wildcard Let's Encrypt certificate for *.example.com, but the process is tricky and has unexpected side-effects, such as typo.example.com resolving to example.com in DNS.

-- 
Jeremy
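Whether port 143 can safely stay open comes down to one check: with `ssl = required`, the plaintext listener must refuse every authentication path until STARTTLS has completed, and both listeners must negotiate a modern TLS version with an AEAD cipher. The probe below is an added example written for this thread, not code from the thread or from Dovecot; it uses only the standard library, and the hostname `mail.example.com` is a placeholder. The two `assess_*` functions are pure so they can be exercised on constructed CAPABILITY lines without a server.

```python
"""Probe an IMAP server's TLS posture on ports 143 (STARTTLS) and 993 (implicit TLS).

Added example for the Dovecot thread above, not Dovecot's own code. Assumes the
server advertises standard IMAP CAPABILITY tokens (RFC 3501 / RFC 2595) and that
the hostname passed in (mail.example.com is a placeholder) has a valid certificate.
"""
import imaplib
import ssl
import sys
from dataclasses import dataclass, field


@dataclass
class Verdict:
    ok: bool
    findings: list = field(default_factory=list)


def assess_plaintext_capabilities(caps):
    """Judge the CAPABILITY tokens a server sends on port 143 before TLS.

    With 'ssl = required' (and the default disable_plaintext_auth = yes) Dovecot
    offers STARTTLS, advertises LOGINDISABLED and withholds every AUTH= mechanism
    until the connection is encrypted. Anything less lets a client authenticate
    in the clear, which is the real risk of leaving 143 open.
    """
    tokens = {t.upper() for t in caps}
    findings = []
    if "STARTTLS" not in tokens:
        findings.append("no STARTTLS offered on port 143")
    if "LOGINDISABLED" not in tokens:
        findings.append("LOGIN accepted before TLS (LOGINDISABLED missing)")
    sasl = sorted(t for t in tokens if t.startswith("AUTH="))
    if sasl:
        findings.append("SASL mechanisms offered before TLS: " + ", ".join(sasl))
    return Verdict(not findings, findings)


def assess_tls(version, cipher):
    """Judge a negotiated TLS session against the thread's config (TLSv1.2+, AES-GCM)."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {version}, expected TLSv1.2 or newer")
    # Both TLS 1.3 suites and the EECDH+AESGCM list from the thread are AEAD suites;
    # a CBC/SHA-only name means the server-side cipher list is not what was intended.
    if cipher and "GCM" not in cipher and "CHACHA20" not in cipher:
        findings.append(f"non-AEAD cipher negotiated: {cipher}")
    return Verdict(not findings, findings)


def probe(host, timeout=10):
    """Connect to both listeners and return {label: Verdict}. Needs network access."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    report = {}

    # Port 143: read the plaintext greeting, then upgrade with STARTTLS.
    plain = imaplib.IMAP4(host, 143, timeout=timeout)
    report["143 pre-TLS"] = assess_plaintext_capabilities(plain.capabilities)
    if "STARTTLS" in plain.capabilities:
        plain.starttls(ctx)  # imaplib re-reads CAPABILITY after the upgrade
        report["143 STARTTLS"] = assess_tls(plain.sock.version(), plain.sock.cipher()[0])
    plain.logout()

    # Port 993: TLS from the first byte.
    implicit = imaplib.IMAP4_SSL(host, 993, ssl_context=ctx, timeout=timeout)
    report["993 implicit TLS"] = assess_tls(implicit.sock.version(), implicit.sock.cipher()[0])
    implicit.logout()
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder host
    for label, verdict in probe(target).items():
        status = "OK " if verdict.ok else "BAD"
        print(f"{status} {label}: {'; '.join(verdict.findings) or 'as expected'}")
```

Run it as `python3 probe_imap_tls.py mail.example.com`. If the 143 listener passes, the server is not exposing credentials on that port and keeping it for STARTTLS-only clients costs little; if the operator still wants to close it, Dovecot disables a listener with `service imap-login { inet_listener imap { port = 0 } }` rather than by firewalling alone.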
> On 22 Apr 2022 at 01:50, Jeremy Ardley <jeremy at ardley.org> wrote:
>
> On 22/4/22 7:44 am, alice at coakmail.com wrote:
>>> On 22/4/22 7:25 am, alice at coakmail.com wrote:
>> Thanks. I will give it a try.
>> After enabling SSL, can I disable port 143 entirely?
>
> Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS on port 993.

While that's true for SMTP, my experience is that IMAP clients prefer imaps on 993 instead of STARTTLS. I have a server with only port 993 open, and have almost never had any issue with client configuration.