identify 143 vs 993 clients

Stuart Henderson stu at spacehopper.org
Fri May 29 12:17:29 EEST 2020


On 2020-05-26, mj <lists at merit.unu.edu> wrote:
> Hi,
>
> On 25/05/2020 23:04, Voytek wrote:
>> jumping here with a question, if I use 143 with STARTTLS, and, force
>> TLS/SSL in configuration, that's equivalent from security POV, isn't
>> it? and, same for 110 STARTTLS? Or am I missing something?
> Interesting point, after some googling, I think you are right, and as 
> long as we have set "disable_plaintext_auth = yes" (and we have that) we 
> should be fine keeping 143 open. Right?

In the case of 143, nothing stops the client *sending* a plaintext login
request. Login may be denied, but the password is already leaked. Also
if you have only the server side (not the client side) deny plaintext
logins, a MITM can just strip off the STARTTLS capability from the server
response.

In a setting where you want to protect the clients from accidentally
exposing secrets by misconfiguration, allowing only 993/995 (and 465 for
SMTP; 25/587 have the same problem) is the safe way.
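To make the two failure modes above concrete, here is an added example (not from the thread or from Dovecot) that models the decision a client makes on port 143: whether to send credentials depends on the client's own "require TLS" setting, not on what the server advertises, so a stripped STARTTLS token leads to a refusal instead of a plaintext LOGIN. The CAPABILITY lines are constructed samples.

```python
import re

# Constructed sample replies to "a CAPABILITY" on port 143, before any TLS upgrade.
HONEST_SERVER = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN\r\n"
# The same server as seen through a MITM that deleted the STARTTLS token.
STRIPPED_SERVER = "* CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=PLAIN\r\n"
# A server that allows plaintext login and offers no STARTTLS at all.
LAX_SERVER = "* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"


def parse_capabilities(line):
    """Return the set of capability tokens from an untagged CAPABILITY line."""
    m = re.match(r"\* CAPABILITY (.+?)\r?\n?$", line, re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response")
    return {tok.upper() for tok in m.group(1).split()}


def server_policy_ok(caps):
    """Server-side check: before TLS the server should advertise STARTTLS and
    LOGINDISABLED (what disable_plaintext_auth=yes gives you). This alone does
    not stop a client from sending LOGIN anyway."""
    return "STARTTLS" in caps and "LOGINDISABLED" in caps


def client_decision(caps, tls_established, require_tls=True):
    """Decide what a client does next: 'login', 'starttls' or 'refuse'.

    require_tls is the client-side setting the mail above says must exist:
    without it the server's LOGINDISABLED is advisory and the password still
    leaves the client in clear text."""
    if tls_established:
        return "login", "credentials protected by TLS"
    if not require_tls:
        # Client misconfiguration: the password goes on the wire even if the
        # server rejects the LOGIN afterwards.
        return "login", "plaintext login, password exposed on the wire"
    if "STARTTLS" not in caps:
        # Either a lax server or a MITM that stripped the capability; a client
        # that requires TLS treats both the same way and sends nothing secret.
        return "refuse", "STARTTLS not offered, possible downgrade"
    return "starttls", "upgrade the connection before sending credentials"


if __name__ == "__main__":
    for name, line in [("honest", HONEST_SERVER), ("stripped", STRIPPED_SERVER), ("lax", LAX_SERVER)]:
        caps = parse_capabilities(line)
        print(name, server_policy_ok(caps), client_decision(caps, False))
```

Running it shows that only the honest server passes the server-side check, and that a client with require_tls=True refuses both the stripped and the lax server, while a client with require_tls=False leaks the password to either.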
