[Dovecot] TLS Authentication Confusion

Tom Hendrikx tom at whyscream.net
Thu Nov 10 22:11:01 EET 2011


On 10-11-11 20:28, Dick Middleton wrote:
> On 11/10/11 19:17, Carlos Mennens wrote:
>> I asked a user today to make sure his incoming and outgoing email was
>> using TLS. He told me it wasn't possible because my Dovecot / Postfix
>> daemons were only listening on TCP 25 & 143 according to a port scan
>> he did. He told me the only way I could enable encrypted secure
>> sessions between the client & server is to enable port 993 (IMAPs).
> 
> Yes, you are right. Port 993 is for IMAPS (SSH). TLS is normally on the same
> port as plain.
> 
> The difference between SSH and TLS is that with SSH the encryption is set up
> before any application communication takes place, i.e. all application packets
> are contained in the encrypted payload. With TLS the application starts
> communication and then the application sets up encryption of its payload.
> 

You're contributing to the confusion.

SSL and TLS are practically the same, just another name for the same
beast. The only difference is that SSL is the old name, and newer
versions of the standard are labeled TLS. The term SSH is not in the
scope of this question.

There are 2 ways of using SSL/TLS to encrypt sessions:

1) Set up a dedicated port where an SSL/TLS session can be set up before
the actual data is transferred. This is what happens for IMAPS/993 and
SMTPS/465.

2) Extend an existing protocol to enable SSL/TLS during an open session.
This is called STARTTLS in several protocols, SMTP and IMAP being among
them. And this is what happens on SMTP/25, Submission/587 and IMAP/143.

Note that although the second option is *named* STARTTLS, you probably
could implement any server to *use* SSL 1.0 for the actual encryption
(not recommended though).

The OP is offering STARTTLS for both services, which is good.

--
Regards,
	Tom
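As an added example (not part of the thread or of Dovecot), a small Python probe that exercises the two modes Tom describes against your own server: an implicit-TLS connection on 993, where the handshake happens before any IMAP bytes flow, and a STARTTLS upgrade on 143, where plain IMAP is spoken first. The pure parsers that recognise a STARTTLS advertisement in an IMAP greeting or an SMTP EHLO reply are what a port scan cannot tell you; the hostname and the sample responses are constructed assumptions.

```python
import socket
import ssl


def imap_advertises_starttls(line):
    """True if an IMAP greeting or CAPABILITY line lists STARTTLS.
    Dovecot embeds the list in the greeting: '* OK [CAPABILITY ... STARTTLS ...] ready.'"""
    upper = line.upper()
    if "[CAPABILITY" in upper:  # keep only the bracketed capability list
        upper = upper.split("[CAPABILITY", 1)[1].split("]", 1)[0]
    return "STARTTLS" in upper.split()


def smtp_advertises_starttls(ehlo_reply):
    """True if a multi-line EHLO reply ('250-EXT' ... '250 EXT') lists STARTTLS."""
    return any(l[4:].strip().upper() == "STARTTLS"
               for l in ehlo_reply.splitlines() if l.startswith("250"))


def _recv_line(sock):
    """Read one CRLF-terminated protocol line from a plain or TLS socket."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace")


def imap_starttls_version(host, port=143, timeout=5):
    """Mode 2 (STARTTLS): plain IMAP first, then upgrade. Returns the TLS version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout) as sock:
        if not imap_advertises_starttls(_recv_line(sock)):  # assumes Dovecot-style greeting
            raise RuntimeError("server does not advertise STARTTLS on port %d" % port)
        sock.sendall(b"a STARTTLS\r\n")
        if not _recv_line(sock).startswith("a OK"):
            raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def imap_implicit_tls_version(host, port=993, timeout=5):
    """Mode 1 (IMAPS): TLS handshake before any IMAP bytes. Returns the TLS version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        _recv_line(tls)  # the greeting only arrives inside the encrypted channel
        return tls.version()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder host
    print("143 via STARTTLS:", imap_starttls_version(host))
    print("993 implicit TLS:", imap_implicit_tls_version(host))
```

Run it against your own server to confirm that 143 and 25/587 offer STARTTLS even though a port scan reports them as "plain" ports.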

