Carlos Williams wrote:
On Fri, Jun 26, 2009 at 5:46 PM, Michael Orlitzky <michael@orlitzky.com> wrote:
A typical "TLS" session will work as follows:
1. The client connects to the IMAP service on port 143, unencrypted.
2. The server announces that it speaks TLS.
3. The client says "Ok, let's talk encrypted."
4. Magic occurs, and the session becomes encrypted. This step is where your "SSL" certificate is used.
5. The rest of the session is encrypted.
That's a great and informative breakdown. I guess I just don't see a benefit of using either over another. It would appear that using SSL, where the session is assumed to be encrypted before it is established rather than switching to encrypted, just saves time. They both appear to do the same thing. Obviously from what I read, TLS is newer than SSL, but sometimes that's not always a good thing. I just don't know in this case. Do you recommend I do one over the other? I don't really have a requirement here at all yet, so that being said, I would rather someone who has a better understanding of this tell me what they would do for a simple Postfix / Dovecot install on a Linux server.
Any recommendations?
OK, I will explain how I see things about TLS and SSL and how I configured our mail server and our network at the university. (Because of the difficulty of the language, this is translated by Google with some adjustments.)

My view is simplistic and paranoid: there is the local network, where the colleagues and the nice people are, and there is the outside, the Internet, populated by villains, thieves and spies who do everything they can to steal not only your passwords but also your correspondence.

When colleagues leave the local network to go outside with their laptops, if they want to check their mail, we must tell them: configure your mail client (Thunderbird) to use TLS. In reality, these colleagues do not configure their client to use TLS, despite our advice, because on the IMAP port (143) they can read mail in plain text without TLS. Why would they bother going to a panel they do not understand, to check mysterious boxes, when it works very well as it is?

On the other hand, if you remove the IMAP port (143), even with TLS, and leave only the SSL port (993), members are required to configure the client to use SSL, and you can safely expose it to the outside, since the encrypted connection is required. This is the protocol: the server announces its capability but cannot force the use of TLS, which is an initiative of the client.

So for our server configuration, I enabled port 143 (with TLS) and 993; port 143 is only accessible from the local network and is filtered by a firewall for Internet connections (iptables or Cisco ACLs do this very well). In reality, it is obviously more complicated because we have VLANs and VPNs.
jean-noël
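As an added example (not part of this thread, nor Dovecot or Postfix code), a small Python check for the point that Michael's step 2 and jean-noël's closing sentence both turn on: what an IMAP server's pre-STARTTLS capability announcement lets a client do in the clear. The CAPABILITY lines are constructed samples; `probe` is an assumed helper that runs the same classification against a live host.

```python
"""Classify an IMAP server's pre-STARTTLS capabilities (added example, not from the thread)."""
import imaplib
import socket

# Constructed CAPABILITY responses, not captured from any real server.
SAMPLE_LAN_143 = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"   # 143 as in the thread
SAMPLE_ENFORCED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"         # upgrade required first
SAMPLE_NO_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"                        # nothing to upgrade to


def parse_capabilities(line):
    """Return the capability tokens of an untagged CAPABILITY response, upper-cased."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    return {p.upper() for p in parts[2:]}


def classify(caps):
    """Defender's view of a capability set seen before any STARTTLS.

    Per RFC 3501, LOGIN is allowed unless LOGINDISABLED is advertised, and
    any AUTH=<mech> advertised before STARTTLS can be used on the clear channel.
    """
    starttls = "STARTTLS" in caps
    login_allowed = "LOGINDISABLED" not in caps
    mechs = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    if not starttls:
        verdict = "plaintext-only"        # server never offers to encrypt
    elif login_allowed or mechs:
        verdict = "starttls-optional"     # client can still send credentials in clear
    else:
        verdict = "starttls-enforced"     # must upgrade before authenticating
    return {"starttls": starttls, "login_allowed": login_allowed,
            "pre_tls_auth_mechs": mechs, "verdict": verdict}


def audit(line):
    """Parse one CAPABILITY line and classify it."""
    return classify(parse_capabilities(line))


def probe(host, port=143, timeout=5.0):
    """Live variant (assumed helper): imaplib issues CAPABILITY itself on a plain connection."""
    socket.setdefaulttimeout(timeout)
    conn = imaplib.IMAP4(host, port)   # no TLS negotiated yet
    try:
        return classify(set(conn.capabilities))
    finally:
        conn.logout()


if __name__ == "__main__":
    for name, line in (("LAN 143", SAMPLE_LAN_143), ("enforced", SAMPLE_ENFORCED),
                       ("no TLS", SAMPLE_NO_TLS)):
        print(name, audit(line))
```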