On Sun, 31 May 2020, Jean-Daniel wrote:
>> So yes the safest way to go is to just use port 993, but as long as the client is not set to a "TLS if available" option then port 143 is also safe.
> I don't think you can call an option safe if it relies on the users to properly configure their client. We all know that users are usually bad at following instructions ;-)
I think Peter nailed it, but let's put it this way: the server policy is irrelevant to client side policy. *If* the client has not been configured to disable plaintext password, a malicious party can coax a password out of a client, despite what the server policy is, or even whether the server is available.
Only allowing implicit SSL will guarantee insecurely configured clients will fail (and maybe not even that if it autoconfigures), but it doesn't prevent them from being exploited.
Joseph Tam jtam.home@gmail.com
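As an added illustration of the point made above (this code is not from anyone in the thread), here is a small model of the IMAP client's decision before it sends LOGIN. The policy names, the capability strings and the server greetings are constructed for the example; the client only ever sees the greeting it receives, so a server with STARTTLS switched off and a host interposed on the path are indistinguishable to it.

```python
"""Added model of an IMAP client's pre-LOGIN decision on port 143 versus 993."""
import re
from enum import Enum

class Policy(Enum):
    TLS_IF_AVAILABLE = "tls_if_available"  # opportunistic setting the thread warns about
    REQUIRE_TLS = "require_tls"            # never send credentials without TLS

CAP_RE = re.compile(r"CAPABILITY ([^\]\r\n]+)")

def parse_capabilities(line: str) -> set[str]:
    """Capabilities from a '* CAPABILITY ...' line or an '* OK [CAPABILITY ...]' greeting."""
    m = CAP_RE.search(line)
    return {c.upper() for c in m.group(1).split()} if m else set()

def next_action(caps: set[str], policy: Policy, tls_active: bool) -> str:
    """What the client does next: STARTTLS, LOGIN, or ABORT."""
    if tls_active:
        return "LOGIN"     # implicit TLS (993) or STARTTLS already completed
    if "STARTTLS" in caps:
        return "STARTTLS"  # both policies upgrade when the server offers it
    if policy is Policy.REQUIRE_TLS or "LOGINDISABLED" in caps:
        return "ABORT"     # client refuses, or the server says it would refuse
    return "LOGIN"         # opportunistic client sends the password in the clear

def run_session(greeting: str, policy: Policy, implicit_tls: bool = False) -> dict:
    """Walk one session from the greeting to the first credential exchange.
    The server-side LOGINDISABLED policy only helps if the client actually
    receives it; a client that never requires TLS is protected by nothing else."""
    caps, tls, steps = parse_capabilities(greeting), implicit_tls, []
    while True:
        action = next_action(caps, policy, tls)
        steps.append(action)
        if action != "STARTTLS":
            return {"steps": steps, "password_in_clear": action == "LOGIN" and not tls}
        tls = True  # handshake done; the next decision is made over TLS

if __name__ == "__main__":
    # Constructed greetings, not captured from any real server.
    strict = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
    no_tls = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"
    for greeting in (strict, no_tls):
        for policy in Policy:
            print(policy.value, greeting, run_session(greeting, policy))
```

Running it shows the asymmetry the thread describes: with STARTTLS on offer both policies end up authenticating over TLS, but when no STARTTLS is advertised only the REQUIRE_TLS client stops, while the "TLS if available" client hands over the password regardless of what the real server was configured to do.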