On 5/14/2013 12:39 PM, /dev/rob0 wrote:
> On Sun, May 12, 2013 at 05:40:10AM -0700, Professa Dementia wrote:
>> On 5/12/2013 4:17 AM, Steinar Bang wrote:
>>> I prefer not to use clear text passwords, even over an encrypted connection. Why?
>> Enforce the encrypted link by not allowing unencrypted connections. The simplest is iptables to block ports 110 and 143, while allowing 993 and 995.
> I don't understand this advice. Why would someone who is apparently interested in heightened transport security restrict himself to the older generation SSL v.2, which was long ago superseded by TLS v.1?
Forcing the connection to 993/995 does not imply SSLv2. TLSv1.[012] is still negotiated. There is no decrease in security.
http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0
http://wiki2.dovecot.org/SSL
Quoting from the latter page:
"Some admins want to require SSL/TLS, but don't realize that this is also possible with STARTTLS (Dovecot has disable_plaintext_auth=yes and ssl=required settings)."
It's not unreasonable to disable the plaintext ports to minimize the possibility of a fat-fingered accident.
-- Noel Jones
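As an added illustration, not taken from the thread or the Dovecot wiki, here is a Dovecot 2.x conf.d fragment that enforces what Noel describes: plaintext authentication is refused and TLS is required before login on 110/143 via STARTTLS, with the plaintext listeners optionally switched off altogether as the fat-finger safeguard. The setting names are Dovecot's; the certificate paths are placeholders.

```conf
# Added example: require TLS no matter which port the client connects to.

# Weak combination: a client that connects to 110/143 and never issues
# STARTTLS can still send its password in the clear.
#ssl = yes
#disable_plaintext_auth = no

# Hardened: the server rejects AUTH/LOGIN until STARTTLS has completed,
# so 110/143 are as safe as 993/995 and need not be firewalled.
ssl = required
disable_plaintext_auth = yes
# placeholder paths
ssl_cert = </etc/ssl/certs/mail.example.com.pem
ssl_key = </etc/ssl/private/mail.example.com.key

# Optional belt and braces: port = 0 disables the plaintext listeners
# entirely, so a mistyped client setting cannot even reach a STARTTLS
# negotiation. What remains is 993/995, which negotiate TLSv1.x like
# any other listener; implicit TLS on those ports does not mean SSLv2.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
```

Check the result with `doveconf -n` and a STARTTLS-less login attempt on 143, which should be refused before any password is sent.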