identify 143 vs 993 clients

Joseph Tam jtam.home at gmail.com
Mon Jun 1 02:10:16 EEST 2020


On Sun, 31 May 2020, Jean-Daniel wrote:

>> So yes the safest way to go is to just use port 993, but as long as
>> the client is not set to a "TLS if available" option then port 143 is
>> also safe.
> 
> I don't think you can call an option safe if it relies on the users to
> properly configure their client.  We all know that users are usually
> bad at following instructions ;-)

I think Peter nailed it, but let's put it this way: the server policy
is irrelevant to client side policy.  *If* the client has not been
configured to disable plaintext password, a malicious party can coax
a password out of a client, despite what the server policy is, or even
whether the server is available.

Only allowing implicit SSL will guarantee insecurely configured clients
will fail (and maybe not even that if it autoconfigures), but it doesn't
prevent them from being exploited.

Joseph Tam <jtam.home at gmail.com>
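
Added example (not part of the original message and not Dovecot code): a sketch of the client-side decision on port 143, showing that the outcome depends on the client's TLS policy and on whatever capability list the answering peer sends, not on the real server's settings. The names TlsPolicy, parse_capabilities and next_step are hypothetical, and both greetings are constructed samples.

```python
import re
from enum import Enum


class TlsPolicy(Enum):
    REQUIRED = "required"            # fail closed when TLS cannot be negotiated
    IF_AVAILABLE = "if available"    # the opportunistic setting discussed in the thread


def parse_capabilities(line):
    """Return the capability atoms from an IMAP greeting or CAPABILITY reply."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)", line)
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def next_step(policy, capabilities, tls_active=False):
    """Decide what a client does on port 143, given what the peer advertised.

    The pre-TLS capability list is unauthenticated: it comes from whoever
    answered the connection, which is not necessarily the real server.
    """
    if tls_active:
        return "AUTHENTICATE"            # credentials travel inside TLS
    if "STARTTLS" in capabilities:
        return "STARTTLS"                # upgrade first, then re-read capabilities
    if policy is TlsPolicy.REQUIRED:
        return "ABORT"                   # no TLS, no credentials
    if "LOGINDISABLED" in capabilities:
        return "ABORT"                   # RFC 3501: LOGIN must not be sent
    return "PLAINTEXT_LOGIN"             # password is exposed on the wire


# Constructed sample greetings (not captured traffic).
SERVER_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."
ALTERED_GREETING = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready."

if __name__ == "__main__":
    for name, greeting in (("server", SERVER_GREETING), ("altered", ALTERED_GREETING)):
        caps = parse_capabilities(greeting)
        for policy in TlsPolicy:
            print(f"{name:8} {policy.value:13} -> {next_step(policy, caps)}")
```

Only the REQUIRED policy aborts when the greeting lacks STARTTLS; the server's own LOGINDISABLED setting never reaches a client that is talking to a different peer.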

