IMAP on 993/SSL or 143/STARTTLS?
Gedalya
gedalya at gedalya.net
Mon Aug 18 03:03:20 UTC 2014
On 08/17/2014 10:45 PM, Alex wrote:
> Hi,
>
> I have a postfix+dovecot-2.2.13 system and have configured it to support
> IMAPS on 993 with SSL/TLS. I'm noticing with users using Thunderbird, the
> autodetect defaults to IMAPS on 143 with STARTTLS.
>
> Which is preferred? Which is more secure? Which is more common?
>
> Why would someone choose one over the other?
>
> Can I ask the same question about SMTP and submission? Why would one choose
> 587 with STARTTLS versus 465 with SSL/TLS?
>
> Thanks,
> Alex
Implicit SSL ports were specified before STARTTLS was specified,
therefore they are considered deprecated.

There is no major difference between the two in terms of security or
functionality. Ultimately they both just work. And ultimately you
probably want to simply support both for maximum compatibility. (For
older versions of Microsoft Outlook you _must_ support port 465 because
they didn't support STARTTLS, although I don't know how many of these
are still out there.)

Technically one can argue that STARTTLS is less secure because it starts
off in plaintext (there was even an exploit recently against STARTTLS in
nginx's SMTP proxy [1]), but that's anecdotal in my opinion, and the
general opinion seems to be in favor of deprecating 993/995/465. A
man-in-the-middle can very easily filter out STARTTLS from the
conversation, and this would be effective against _opportunistic_
STARTTLS, but the equivalent of port 993 is a client that requires
STARTTLS and refuses to log in otherwise. From an admin's point of view,
you would prefer to support just one port per service, and 110/143/25
are the "real" standard ports, and people seem to lean towards that.

Whatever anyone says about this topic will start a flamewar.
[1] http://nginx.org/en/CHANGES-1.6
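Added example (not from the list post or from Dovecot): the two client policies Gedalya contrasts, driven against a constructed in-memory IMAP peer. `FakeImapServer` is an assumption standing in for the network; its `strip_starttls=True` mode models a man-in-the-middle that deletes STARTTLS from the greeting and rejects the command. `imap_login` with `require_tls=True` is the "client that requires STARTTLS and refuses to log in otherwise"; with `require_tls=False` it is opportunistic STARTTLS and gets downgraded. `connect_real` is the same policy written with the standard `imaplib` for an actual host (port 993 implicit TLS, port 143 must pass `starttls()` before `login`), and is not exercised offline.

```python
import imaplib
import re
import ssl


class StartTlsStripped(Exception):
    """Raised when a port-143 peer does not offer STARTTLS and policy requires TLS."""


def parse_capabilities(line):
    """Extract capabilities from a greeting ('* OK [CAPABILITY ...] ...') or a
    '* CAPABILITY ...' response. Returns an upper-cased set (empty if absent)."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)", line)
    return {c.upper() for c in m.group(1).split()} if m else set()


class FakeImapServer:
    """Constructed stand-in for the remote end (assumption, not a real server).
    strip_starttls=True behaves like an active MITM: STARTTLS is removed from
    the advertised capabilities and the STARTTLS command is refused."""

    def __init__(self, strip_starttls=False):
        self.strip_starttls = strip_starttls
        self.received = []      # commands that crossed the wire in cleartext
        self.tls_active = False

    def greeting(self):
        caps = "IMAP4rev1 LITERAL+ AUTH=PLAIN"
        if not self.strip_starttls:
            caps = "IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN"
        return f"* OK [CAPABILITY {caps}] Dovecot ready."

    def send(self, cmd):
        if not self.tls_active:          # anything before TLS is visible to a sniffer
            self.received.append(cmd)
        tag = cmd.split()[0]
        if cmd.endswith("STARTTLS"):
            if self.strip_starttls:
                return f"{tag} BAD Unknown command."
            self.tls_active = True       # from here on the channel is "encrypted"
            return f"{tag} OK Begin TLS negotiation now."
        return f"{tag} OK Completed."


def imap_login(server, user, password, require_tls=True):
    """Pre-login exchange on a port-143 style connection.
    Returns True if LOGIN went over TLS, False if it went in cleartext
    (only possible when require_tls=False, i.e. opportunistic STARTTLS)."""
    caps = parse_capabilities(server.greeting())
    if "STARTTLS" in caps:
        reply = server.send("a001 STARTTLS")
        if not reply.startswith("a001 OK"):
            raise StartTlsStripped(reply)
        # A real client would wrap the socket with ssl here and re-issue CAPABILITY,
        # since the pre-TLS capability list is attacker-controlled.
    elif require_tls:
        raise StartTlsStripped("server did not advertise STARTTLS; refusing to log in")
    server.send(f'a002 LOGIN "{user}" "{password}"')
    return server.tls_active


def connect_real(host, port, user, password):
    """Same policy against a real host with imaplib (not run offline).
    Hostname verification comes from ssl.create_default_context()."""
    ctx = ssl.create_default_context()
    if port == 993:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)   # implicit TLS
    else:
        conn = imaplib.IMAP4(host, port)                         # cleartext greeting
        if "STARTTLS" not in conn.capabilities:
            conn.logout()
            raise StartTlsStripped(f"STARTTLS not offered on port {port}")
        conn.starttls(ssl_context=ctx)                          # upgrade before LOGIN
    conn.login(user, password)
    return conn


if __name__ == "__main__":
    # Honest server: credentials never appear in cleartext.
    print(imap_login(FakeImapServer(), "alex", "s3cret"))
    # Stripped + required: refused, nothing leaked.
    try:
        imap_login(FakeImapServer(strip_starttls=True), "alex", "s3cret")
    except StartTlsStripped as e:
        print("refused:", e)
    # Stripped + opportunistic: password goes over the wire in the clear.
    mitm = FakeImapServer(strip_starttls=True)
    imap_login(mitm, "alex", "s3cret", require_tls=False)
    print(mitm.received)
```

The point the fake makes concrete: the capability list read before TLS is the attacker's to edit, so "use STARTTLS if offered" is no protection at all, while "refuse to send LOGIN without TLS" gives port 143 the same guarantee as port 993. Thunderbird's account settings expose exactly this choice as "STARTTLS" (required) versus "None"; the server-side counterpart in Dovecot is to disallow plaintext authentication on non-TLS connections.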