search for: rfc8314

Displaying 12 results from an estimated 12 matches for "rfc8314".

2020 May 29
3
identify 143 vs 993 clients
...the STARTTLS capability from the server > response. And doing that it can as easily inject a LOGIN capability, making non-broken client also send the password in plain text. (Only broken client will send password if LOGIN is not present). That's why this RFC exists: https://tools.ietf.org/html/rfc8314 > In a setting where you want to protect the clients from accidentally > exposing secrets by misconfiguration, allowing only 993/995 (and 465 for > SMTP; 25/587 have the same problem) is the safe way. Port 25 is a special case and should never...
2018 Nov 14
2
different TLS protocols on different ports
...port = 993 ssl_protocols = TLSv1.2 TLSv1.3 ssl_cipher_list = ... } } Postfix let me easily define different TLS protocols on different ports. For that it would be cool if dovecot could assist on such migrations, too. Andreas *) see https://tools.ietf.org/html/rfc8314 as well as the draft https://tools.ietf.org/html/draft-lvelvindron-tls-for-email-02 to deprecate TLSv1.1
2020 May 26
5
identify 143 vs 993 clients
Hi, On 25/05/2020 23:04, Voytek wrote: > jumping here with a question, if I use 143 with STARTTLS, and, force > TLS/SSL in configuration, that's equivalent from security POV, isn't > it? and, same for 110 STARTTLS? Or am I missing something? Interesting point, after some googling, I think you are right, and as long as we have set "disable_plaintext_auth = yes" (and we
2020 Nov 10
10
Recommended Protocols?
Hello all: For several years I have been running the following in a Linux server. Dovecot Version: 2.0.9 *IMAP:* Connection Security: SSL/TLS Port: 993 Authentication Method: Normal Password *SMTP:* Connection Security: STARTTLS Port: 587 Authentication Method: Normal Password The E-mail client is Thunderbird on Windows. I am preparing a new server, with Dovecot 2.2.36 and would like to know
2018 Nov 14
0
different TLS protocols on different ports
...ssl_cipher_list = ... > > } > } > > > Postfix let me easily define different TLS protocols on different ports. > For that it would be cool if dovecot could assist on such migrations, too. > > Andreas > > *) see https://tools.ietf.org/html/rfc8314 > as well as the draft https://tools.ietf.org/html/draft-lvelvindron-tls-for-email-02 to deprecate TLSv1.1
2020 Apr 14
0
got a listener on 993
On 13.04.20 at 20:52, David Mehler wrote: > Hello, > > Before I get in to my question is ssl on 993 or starttls on 143 better > from a security perspective? implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3 Andreas
2020 Apr 14
1
got a listener on 993
...ulze.de> wrote: > > > > On 13.04.20 at 20:52, David Mehler wrote: >> Hello, >> >> Before I get in to my question is ssl on 993 or starttls on 143 better >> from a security perspective? > > implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3 One rationale for this is to make sure broken clients don't send clear text credential on port 143, even if STARTTLS is required. So from a security perspective, you can consider TLS on port 943 a better solution.
2020 May 29
0
identify 143 vs 993 clients
...ver >> response. > > And doing that it can as easily inject a LOGIN capability, making > non-broken client also send the password in plain text. (Only broken > client will send password if LOGIN is not present). > > That's why this RFC exists: https://tools.ietf.org/html/rfc8314 > >> In a setting where you want to protect the clients from accidentally >> exposing secrets by misconfiguration, allowing only 993/995 (and 465 for >> SMTP; 25/587 have the same problem) is the safe way. > > Port 25 is a special case and should never be used by client...
2020 Nov 10
0
Recommended Protocols?
...ould I stick to what I have? I would prefer to start with the easiest configuration possible, which I will revise later. > > This is the command that I have been using to verify the server's functionality: RFC 8314 suggests to prefer implicit TLS over STARTTLS https://tools.ietf.org/html/rfc8314#section-3 modern clients work mostly fine with that recommendation, too. Andreas
2018 Nov 14
3
different TLS protocols on different ports
Hello, I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to enable TLS1.2 and TLS1.3 only. Is this possible with dovecot-2.2.36 / how to setup this? Thanks for suggestions, Andreas
2020 Apr 13
5
got a listener on 993
Hello, Before I get in to my question is ssl on 993 or starttls on 143 better from a security perspective? I've noticed that I've got a dovecot listener on port 993, below is my doveconf -n output I don't have an imaps listener uncommented should I do so and set its port to 0? Will that disable the 993 listener? Thanks. Dave. # 2.3.10 (0da0eff44):
2019 Jul 27
2
submission configuration issues
> On 27 Jul 2019 at 14:30, Stephan Bosch <stephan at rename-it.nl> wrote: > > On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote: >> Hello, >> >> I'm having trouble configuring the submission proxy. >> >> I have configured the submission service as follows: >> >> submission_host = smtp.example.com >>