similar to: pop 110/995, imap 143/993 ?

On 21/08/17 10:37, Gedalya wrote: > On 08/21/2017 07:28 AM, voytek at sbt.net.au wrote: >> is there a 'preferred way'? should I tell users to use 143 over 993 ? or >> 993 over 143? or? > There is no concrete answer. There are various opinions and feelings about this. > The opinion againt 993/995 is that these are not standard ports, Out of curiosity, is there a

On 21/08/17 13:39, Robert Wolf wrote: > > On Mon, 21 Aug 2017, Sebastian Arcus wrote: > >> >> On 21/08/17 10:37, Gedalya wrote: >>> On 08/21/2017 07:28 AM, voytek at sbt.net.au wrote: >>>> is there a 'preferred way'? should I tell users to use 143 over 993 ? or >>>> 993 over 143? or? >>> There is no concrete answer. There

On 08/21/2017 07:28 AM, voytek at sbt.net.au wrote: > is there a 'preferred way'? should I tell users to use 143 over 993 ? or > 993 over 143? or? There is no concrete answer. There are various opinions and feelings about this. The opinion againt 993/995 is that these are not standard ports, and there is no need to allocate new ports for the secure version of each protocol since we

On Mon, 21 Aug 2017, Sebastian Arcus wrote: > > On 21/08/17 10:37, Gedalya wrote: > > On 08/21/2017 07:28 AM, voytek at sbt.net.au wrote: > > > is there a 'preferred way'? should I tell users to use 143 over 993 ? or > > > 993 over 143? or? > > There is no concrete answer. There are various opinions and feelings about > > this. > > The

On Mon, 21 Aug 2017, Sebastian Arcus wrote: > On 21/08/17 13:39, Robert Wolf wrote: > > > > On Mon, 21 Aug 2017, Sebastian Arcus wrote: > > > > > > > > On 21/08/17 10:37, Gedalya wrote: > > > > On 08/21/2017 07:28 AM, voytek at sbt.net.au wrote: > > > > > is there a 'preferred way'? should I tell users to use 143 over

On 21/08/17 22:18, Joseph Tam wrote: > > Lest anyone think STARTTLS MITM doesn't happen, > > https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/ > > Not only for security, I prefer port 993/995 as it's just plain simpler > to initiate SSL from the get-go rather than to do some handshaking that > gets you to the same

Gary <lists at lazygranch.com> writes: > If I read this correctly, starttls will fail due to the MITM attack. > That is the client knows security has been compromised. I'm not sure what you man by "fail". STARTTLS is prone to MITM attacks if a client has not been configured to refuse non-STARTTLS/SSL sessions. For clients that will allow both secured and plaintext

On Tue, 22 Aug 2017, Ivan Warren wrote: > Le 8/22/2017 ? 10:03 AM, Robert Wolf a ?crit?: > > > > WRONG!!! The email is stored plain-text on the first server and then it can > > be > > sent to other few MX servers over plain-text connection. I.e. encrypted > > connection does not protect emails, but the authentication credentials. > > > > > Indeed.

On Tue, 22 Aug 2017, Aki Tuomi wrote: > else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you > have enabled something like cram-md5. Hi, exactly, this is the reason, why plain-text is still needed. You don't need encryption for authentication, if you have secure authentication. Without knowing original password, the MITM cannot generate correct hash for login, so

Lest anyone think STARTTLS MITM doesn't happen, https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/ Not only for security, I prefer port 993/995 as it's just plain simpler to initiate SSL from the get-go rather than to do some handshaking that gets you to the same point. Joseph Tam <jtam.home at gmail.com>

On 21/08/17 16:25, Robert Wolf wrote: > On Mon, 21 Aug 2017, Sebastian Arcus wrote: > >> On 21/08/17 13:39, Robert Wolf wrote: >>> >>> On Mon, 21 Aug 2017, Sebastian Arcus wrote: >>> >>>> >>>> On 21/08/17 10:37, Gedalya wrote: >>>>> On 08/21/2017 07:28 AM, voytek at sbt.net.au wrote: >>>>>> is there a

On 22.08.2017 03:56, Peter wrote: >>> Lest anyone think STARTTLS MITM doesn't happen, >>> >>> https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/ > Right, the attack does happen, but it can be prevented by properly > configuring the server and client. Dovecot, by default, requires STARTTLS before accepting plaintext

Robert Wolf wrote: >> else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you >> have enabled something like cram-md5. > > Hi, > > exactly, this is the reason, why plain-text is still needed. You don't need > encryption for authentication, if you have secure authentication. Without > knowing original password, the MITM cannot generate correct hash

>> Lest anyone think STARTTLS MITM doesn't happen, >> >> https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/ Right, the attack does happen, but it can be prevented by properly configuring the server and client. >> Not only for security, I prefer port 993/995 as it's just plain >> simpler to initiate SSL from the get-go

If I read this correctly, starttls will fail due to the MITM attack. That is the client knows security has been compromised. Using SSL/TLS, the MITM can use SSL stripping. Since most Postifx conf use "may" for security, the message would go though unencrypted. Correct??? Is there something to enable for perfect forward security with starttls? ? Original Message ? From: s.arcus at

I'm trying to setup per user '+spam' delivery from amavis tags, so that each user gets any mails tagged as spam to 'spam' Maildir via +spam Dovecot lmtp delivery. after say 7 days I want to delete all spams older than 7 days, if I simply delete mail files from the file system, is that a 'bad thing' ? what is a proper way to do that, and scripts ? for

I've installed LE certs on my Dovecot a while back, and, it has been working OK since, but, today, an iPhone user said he can't get emails as iphone says 'cert is expired', searching around, I see some other iPhone similar issues reported, do I have my conf correct, I have; # cat dovecot.conf | grep ssl ssl = required verbose_ssl = no ssl_cert =

Hello Mates, I am facing a really weird issue with my mail server, somehow I cannot connect using port 993. It works with 143 but not 993 nor 995. Here is a little bit of more information: # telnet localhost 143 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+

This is still happening after a reboot, Fedora 28. Restarting dovecot fixes the problem. Does anyone know if it could be related to this bug report? *https://bugzilla.redhat.com/show_bug.cgi?id=103401#c130 <https://bugzilla.redhat.com/show_bug.cgi?id=103401#c130> * and suggested work around to add ports to /proc/sys/net/ipv4/ip_local_reserved_ports? Nov 8 12:21:41 ourdomain dovecot[1386]:

I'm testing my new dovecot server with Thundirbird I can have it working on port 143 with STARTTLS, or on port 993 with SSL/TLS my uderstanding is that on 993 I get encrypted 'password and mail transfer' (yes ?) so what happens if I use 143 with STARTTLS, is that equivalent to port 993 if STARTTLS is used ? thanks for any insights.. -- Voytek