how to setup IMAPs with letsencrypt

Shawn Heisey elyograg at
Fri Apr 22 13:45:03 UTC 2022

On 4/22/22 02:20, Jean-Daniel Dupas wrote:
> While it's true for SMTP, my experience is that IMAP clients prefer 
> imaps in 993 instead of STARTTLS.
> I have a server with only port 993 opened, and almost never had any 
> issue with client configuration.

I have noticed the opposite.  Every time I have configured a new mail 
client (which is most often but not always Thunderbird), it defaults to 
143 with STARTTLS.  Port 993 is available too, but my mail clients have 
never used it unless I explicitly configure it.

My dovecot is configured with "disable_plaintext_auth = yes" so only 
source IPs that are local to the machine (so the traffic never goes out 
on any network) are allowed to login without TLS. My webmail uses 
localhost so it is configured to use port 143 without encryption.

I know a lot of people are going to clamor that such traffic should be 
encrypted because it could be sniffed ... but if somebody has enough 
access such that they could sniff my backend services, the security 
battle is already lost, and they would be able to get any in-flight 
passwords even if the connection is encrypted.


More information about the dovecot mailing list