[Dovecot] TLS Authentication Confusion

Noel noeldude at gmail.com
Thu Nov 10 22:21:49 EET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
On 11/10/2011 2:11 PM, Tom Hendrikx wrote:
> On 10-11-11 20:28, Dick Middleton wrote:
>> On 11/10/11 19:17, Carlos Mennens wrote:
>>> I asked a user today to make sure his incoming and outgoing email was
>>> using TLS. He told me it wasn't possible because my Dovecot / Postfix
>>> daemons were only listening on TCP 25 & 143 according to a port scan
>>> he did. He told me the only way I could enable encrypted secure
>>> sessions between the client & server is to enable port 993 (IMAPs).
>>
>> Yes you are right. Port 993 is for IMAPS (SSH). TLS is normally on
the same
>> port as plain.
>>
>> The difference between SSH and TLS is that with SSH the encryption
is set up
>> before any application communication takes place. i.e all
application packets
>> are contained in the encrypted payload. With TLS the application
starts
>> communication and then the application sets up encryption of its
payload.
>>
>
> You're contributing to the confusion.
>
> SSL and TLS are practically the same, just another name for the same
> beast. The only difference is that SSL is the old name, and newer
> versions of the standard are labeled TLS. The term SSH is not in the
> scope of this question.
>
> There are 2 ways of using SSL/TLS to encrypt sessions:
>
> 1) Setup a dedicated port where a SSL/TLS session can be setup before
> the actual data is transferred. This is what happens for IMAPS/993 and
> SMTPS/465.
>
> 2) Extend an existing protocol to enable SSL/TLS during an open
session.
> This is called STARTTLS in several protocols, SMTP and IMAP being among
> them. And this is what happens on SMTP/25, Submission/587 and IMAP/143.
>
> Note that although the second option is *named* STARTTLS, you probably
> could implement any server to *use* SSL 1.0 for the actual encryption
> (not recommended though).
>
> The OP is offering STARTTLS for both services, which is good.
>
> --
> Regards,
> Tom

The confusion is caused by the way some client software
differentiate these services in their configuration, often referring
to wrappermode smtps/imaps as "SSL", and STARTTLS as "TLS".



  -- Noel Jones
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iQEcBAEBAgAGBQJOvDJcAAoJEHIluGOd3V4F6foH/16+xq91/j4hgXufdnAsxwW1
N2ZXf1fby7TjR4BpaYNdH6PsN5/UqFSZItVYkeDXWgGG/wYCTRC+LHdks/EeQKgR
1ondUL2iorQ7bGy25m3526DGShFmcEh7P+Z6WWwdFeOTLBS57LIgwvFHBg4niYHq
3ZbPOjzI+d7kbz8tT8ATb+Ju+uJlV2rpbZKHQ90qlOR9tRl6bUOEeW32yPf5hjpI
gs89o66Ud+mb9kkH9vgrhnutxsWjVxWNWM1ba43S1bh4Jg9YneIdsHdQVQSPrFUz
EPy5Tgz3b+LZC6lwe6czFrhYgv/GUiJutS34qRHLSMAQGY+fgOcZBSZQHKP7NC4=
=TdNE
-----END PGP SIGNATURE-----



More information about the dovecot mailing list