similar to: Allow both SSL/993 and STARTTLS/143 connections (secure only)

On 22.08.2017 03:56, Peter wrote: >>> Lest anyone think STARTTLS MITM doesn't happen, >>> >>> https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/ > Right, the attack does happen, but it can be prevented by properly > configuring the server and client. Dovecot, by default, requires STARTTLS before accepting plaintext

I'm testing my new dovecot server with Thundirbird I can have it working on port 143 with STARTTLS, or on port 993 with SSL/TLS my uderstanding is that on 993 I get encrypted 'password and mail transfer' (yes ?) so what happens if I use 143 with STARTTLS, is that equivalent to port 993 if STARTTLS is used ? thanks for any insights.. -- Voytek

Hi, I have a postfix+dovecot-2.2.13 system and have configured it to support IMAPS on 993 with SSL/TLS. I'm noticing with users using Thunderbird, the autodetect defaults to IMAPS on 143 with STARTTLS. Which is preferred? Which is more secure? Which is more common? Why would someone choose one over the other? Can I ask the same question about SMTP and submission? Why would one choose 587

Robert Wolf wrote: >> else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you >> have enabled something like cram-md5. > > Hi, > > exactly, this is the reason, why plain-text is still needed. You don't need > encryption for authentication, if you have secure authentication. Without > knowing original password, the MITM cannot generate correct hash

I believe I have the configuration set to use START TLS on IMAP4 (143) and POP3 (110) ports. ?However, it does not seem to be working. ?Yet "STARTTLS" is listed as a capability (which tells me I probably do have it configured right). In the session below, 172.30.0.24 is the mail server I'm putting up. 64.26.60.229 is an outside mail service. A similar thing happens on POP3. The

Hi List, I have a dovecot which proxies to different backends depending on an entry in a mysql-database. The mysql-query sets ?ssl? to ?any-cert? and this works fine. But this causes me a problem: sieve-backends only support STARTTLS and if I set ?ssl? to ?any-cert? (or yes), it will attempt a TLS-connection to the sieve-backends, which fails. My attempt was to alter the query to include

I tried some more things, such as setting starttls=NULL or ssl=NULL, which does the same as setting it to ?no?. Interestingly, if I set ssl=NULL and don?t set starttls at all, it still tries an SSL connection to the backend. Is there no way to use starttls or ssl depending on a variable? It could also be possible that I have starttls-backends and ssl-backends which would be a similar use-case to

> Le 29 mai 2020 ? 11:17, Stuart Henderson <stu at spacehopper.org> a ?crit : > > On 2020-05-26, mj <lists at merit.unu.edu> wrote: >> Hi, >> >> On 25/05/2020 23:04, Voytek wrote: >>> jumping here with a question, if I use 143 with STARTTLS, and, force >>> TLS/SSL in configuration, that's equivalent from security POV, isn't

I wanted to enable SSL on some alternate ports so that a limited number of people could try SSL access. But doing so enabled STARTTLS in IMAP, so that all IMAP users got surprised (at least those whose clients attempted to use it automatically). e.g.: # IP or host address where to listen in for SSL connections. Defaults # to above non-SSL equilevants if not specified. imaps_listen =

Am 05.05.2016 um 16:18 schrieb Gary Stainburn: > I've tried the changes that I put below. Users are still able to log in from > the LAN. > > However, despite putting the appropriate rule in my firewall allowing port 143 > I cannot create a user on a PC outside my network. > > I'm using Thunderbird to do the testing. Is there a better way to test my > setup?

Hi All, I am runnig sendmail 8.12.8. I am getting the below error. [root at mail MailScanner]# tail -f /var/log/maillog Jan 11 11:20:40 mail sendmail[10646]: STARTTLS: read error=generic SSL error (0) Jan 11 11:20:41 mail last message repeated 22494 times Jan 11 11:20:41 mail sendmail[10646]: STARTTLS: read error=generic SSL error (0) Jan 11 11:20:41 mail last message repeated 8894 times Jan 11

If I read this correctly, starttls will fail due to the MITM attack. That is the client knows security has been compromised. Using SSL/TLS, the MITM can use SSL stripping. Since most Postifx conf use "may" for security, the message would go though unencrypted. Correct??? Is there something to enable for perfect forward security with starttls? ? Original Message ? From: s.arcus at

Greetings - I have been looking at Dovecot with a view to migrating us to it from the Washington IMAP server on our Sun systems. To start our testing we first of all installed the pre-built version of Dovecot from the Blastwave (www.blastwave.org) community supported packaged software site. This was Dovecot 0.99.10.4 and we successfully got it working in our test environment: at first just

On Tue, 22 Aug 2017, Aki Tuomi wrote: > else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you > have enabled something like cram-md5. Hi, exactly, this is the reason, why plain-text is still needed. You don't need encryption for authentication, if you have secure authentication. Without knowing original password, the MITM cannot generate correct hash for login, so

On 1/5/2016 7:19 PM, Lee Brown wrote: > > A total guess would be to use either ldaps:// and don't bother with > start_tls, or add the :636 to the end of the ldap:// specification as it > seems to me that start_tls is pretty agnostic regarding whatever > protocol it works against (SMTP, LDAP, etc.). ie > > passdb backend = ldapsam:"ldaps://ldap-server-fqdn" >

Dear Dovecot lovers! When starting Dovecot 1.x the first time, it runs "ssl-build-params" to generate a file named "ssl-parameters.dat". This takes a couple of minutes. During this time users have no access to their mail, but this can be planned in advance and users can be notified. This is explained in http://wiki.dovecot.org/SSL/DovecotConfiguration With Dovecot 2.0.rc4,

hi everbody I have in my smb.conf ldap ssl = no ldap ssl ads = no and even: ldap server require strong auth = No yet in logs I see: [2016/09/14 11:25:05.248282, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls) Failed to issue the StartTLS instruction: Can't contact LDAP server and smbclient(any client) fails gee, that is weird! right? ldapsearch runs just fine.

On 21/08/17 16:25, Robert Wolf wrote: > On Mon, 21 Aug 2017, Sebastian Arcus wrote: > >> On 21/08/17 13:39, Robert Wolf wrote: >>> >>> On Mon, 21 Aug 2017, Sebastian Arcus wrote: >>> >>>> >>>> On 21/08/17 10:37, Gedalya wrote: >>>>> On 08/21/2017 07:28 AM, voytek at sbt.net.au wrote: >>>>>> is there a

I'm trying to adapt http://wiki2.dovecot.org/HowTo/ImapcProxy to our Exchange Server, which has LOGINDISABLED on Port 143, and I offering LOGIN on Port 993. How do I go about this? Simply changing imapc_port to: imapc_port = 993 doesnt work: Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS

Lest anyone think STARTTLS MITM doesn't happen, https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/ Not only for security, I prefer port 993/995 as it's just plain simpler to initiate SSL from the get-go rather than to do some handshaking that gets you to the same point. Joseph Tam <jtam.home at gmail.com>