[Dovecot] SSL with startssl.com certificates

Reindl Harald h.reindl at thelounge.net
Mon Sep 16 17:56:15 EEST 2013



On 16.09.2013 16:48, Dan Langille wrote:
> On Sep 16, 2013, at 10:21 AM, Reindl Harald wrote:
> 
>> On 16.09.2013 16:10, Dan Langille wrote:
>>>> Have you/they tried simply using TLS on 143?  (preferred as POP3s/IMAPs
>>>> has really been deprecated everywhere for some time now)
>>>
>>> For this test, I reconfigured the server to NOT use IMAPS and restarted it.  Then I went 
>>> to my iPhone and turned off SSL for this mail account.
>>>
>>> That configuration works for my iPhone.
>>>
>>> Looking via tcpdump, I can see that emails are indeed being downloaded in clear text
>>
>> you need to understand the difference between IMAPS/POP3S on the dedicated
>> 9xx ports versus STARTTLS on 143/110
> 
> I believe I do understand.  
> 
>> http://en.wikipedia.org/wiki/STARTTLS
> 
> Yes, that's what I thought STARTTLS was.
> 
>> if you turn off SSL it is turned off
>> on sane clients like thunderbird you can switch between cleartext/STARTTLS and SSL
> 
> So far, with all we've tried, the only secure option appears to be self signed certificates

having like here since 2009 a Thawte certificate for SMTP/POP3/IMAP/HTTPS
without any issue is the better option because it is accepted by *any*
client and not *that* expensive

dealing with self-signed certificates is *plain wrong* because you educate
your users to happily confirm SSL warnings in their clients, and having
the final result of this in mind it's better not to offer SSL at all
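
Added example, not part of the original message or of Dovecot: a Python client-side sketch of the distinction discussed in this thread, where the dedicated ports use TLS from the first byte, 143/110 start in cleartext and must be upgraded with STARTTLS, and the certificate is checked against the system CA store instead of being click-accepted. The names transport_plan, verified_context, open_imap and InsecureTransport are hypothetical; treating any port outside 993/995 as a STARTTLS port is an assumption of this sketch.

```python
import imaplib
import ssl

IMPLICIT_TLS_PORTS = {993, 995}  # IMAPS / POP3S: TLS handshake before any protocol data


class InsecureTransport(Exception):
    """Raised when the only way to continue would be an unencrypted session."""


def transport_plan(port, capabilities, allow_cleartext=False):
    """Decide how a client may talk to the server without exposing credentials.

    capabilities: tokens the server advertised (only consulted off the dedicated ports).
    Returns "implicit-tls", "starttls" or "cleartext".
    """
    if port in IMPLICIT_TLS_PORTS:
        return "implicit-tls"
    caps = {c.upper() for c in capabilities}
    if "STARTTLS" in caps or "STLS" in caps:  # STLS is the POP3 spelling
        return "starttls"
    if allow_cleartext:  # "SSL turned off" in the client: mail travels readable
        return "cleartext"
    raise InsecureTransport("no STARTTLS advertised; refusing to send credentials")


def verified_context():
    """TLS context that rejects self-signed or hostname-mismatched certificates."""
    return ssl.create_default_context()  # system CA store, CERT_REQUIRED, hostname check


def open_imap(host, port=143):
    """Return an encrypted, certificate-verified IMAP connection, or raise."""
    ctx = verified_context()
    if port in IMPLICIT_TLS_PORTS:
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    conn = imaplib.IMAP4(host, port)  # greeting and CAPABILITY arrive in cleartext
    try:
        transport_plan(port, conn.capabilities)  # raises if STARTTLS is missing
        conn.starttls(ssl_context=ctx)  # raises on an untrusted certificate
        return conn
    except Exception:
        conn.shutdown()  # never fall back to a cleartext login
        raise
```

Only transport_plan and verified_context run without a network; open_imap needs a reachable server whose certificate chains to a CA in the local trust store.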
