[Dovecot] SSL / TLS

Michael Orlitzky michael at orlitzky.com
Sat Jun 27 00:46:02 EEST 2009


Timo Sirainen wrote:
> On Fri, 2009-06-26 at 23:39 +0400, Proskurin Kirill wrote:
>> SSL just binds to special port(like 993 in IMAP by default).
> 
> No, SSL is a protocol, just like TLS. It doesn't bind to any ports.
> http://wiki.dovecot.org/SSL
> 

To illustrate, both SSL and TLS as implemented in Dovecot utilize "SSL 
certificates."

A typical "TLS" session will work as follows:

1  The client connects to the IMAP service on port 143, unencrypted.
2  The server announces that it speaks TLS.
3  The client says "Ok, let's talk encrypted."
4  Magic occurs, and the session becomes encrypted. This step is where
    your "SSL" certificate is used.
5  The rest of the session is encrypted.

/Usually/, when people refer to SSL as opposed to TLS, they mean IMAPS 
or POPS. These differ in that there's no "Hey, I speak TLS" step. It is 
assumed that the conversation will begin according to some secure 
protocol, kind of like when you connect to a web server on port 443.

1  The client connects to IMAPS on port 993, and performs the secure
    handshake. Your "SSL" certificate is used in here somewhere.
2  Once the handshake has completed, the rest of the session is secure.

When implementing IMAPS/POPS you will usually use a different port, 
because if you tried to talk plaintext to the server, it would appear to 
be speaking gibberish (whatever secure protocol is being used).

With TLS enabled on a normal IMAP port, the switch from plaintext to 
encrypted is optional. Although, it's usually a good idea to force TLS, too.

Much of the confusion comes from the fact that you can use either 
protocol, TLSv1 or SSLv3, after the "Hey I speak TLS" step. Likewise, you 
can use TLSv1 with IMAPS or POPS, though its use will be implied and 
there will be no "Hey, I speak TLS" step. There's really no agreement 
amongst mail clients as to the meaning of "Use SSL" and "Use TLS."

You may find it easiest to concentrate on the one distinction: does the 
session begin encrypted, or does it switch from plaintext to encrypted 
at some point? Once you've answered that, either of the SSLv3 or TLSv1 
protocols can be used, and they will both use your "SSL" certificate.

Ultimately, you may wind up using both, depending on your user base. 
Many versions of Outlook are screwy with regard to one or both of these 
methods.
