Carlos Williams wrote:
On Fri, Jun 26, 2009 at 5:46 PM, Michael Orlitzkymichael@orlitzky.com wrote:
A typical "TLS" session will work as follows:
1. The client connects to the IMAP service on port 143, unencrypted.
2. The server announces that it speaks TLS.
3. The client says "Ok, let's talk encrypted."
4. Magic occurs, and the session becomes encrypted. This step is where your "SSL" certificate is used.
5. The rest of the session is encrypted.
That's a great and informative breakdown. I guess I just don't see a benefit of using either over another. It would appear that using SSL, where the session is assumed to be encrypted before it is established rather than switching to encrypted, just saves time. They both appear to do the same thing. Obviously from what I read, TLS is newer than SSL, but sometimes that's not always a good thing. I just don't know in this case. Do you recommend I do one over the other? I don't really have a requirement here at all yet, so that being said, I would rather someone who has a better understanding of this tell me what they would do for a simple Postfix / Dovecot install on a Linux server.
The benefit of using TLS via STARTTLS (Hey, I speak TLS...) is that you can offer both encrypted and plaintext IMAP on the same port. Since you don't want to offer plaintext IMAP, you're correct that there isn't much difference between the two.
Your users will most likely determine which method(s) you can use. Start out with one, and then add the other if anyone has trouble. Both are perfectly secure as long as you don't allow plaintext authentication (disable_plaintext_auth = yes) [1].
IMAPS on port 993 has better client support in my experience, but occasionally, port 993 will be blocked e.g. at universities where the admins have never heard of it.
Postfix is a different story. You have to support plaintext SMTP if you want to receive mail. Encryption on port 25 is therefore, at best, optional. This makes TLS via STARTTLS the obvious choice.
Do your users submit mail to port 25 (SMTP), or 587 (submission)? If the latter, then the Postfix configuration is particularly simple. The configuration below will set a default where TLS is optional for all incoming messages. Then, in master.cf, that default is overwritten to force TLS on port 587.
main.cf
# TLS is offered on every smtpd port but not required (port 25 must accept plaintext)
smtpd_tls_security_level = may
smtpd_tls_cert_file = <your cert>
smtpd_tls_key_file = <your key>
master.cf
# submission (port 587): override the main.cf default and require TLS before AUTH
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
[1] Caveat: When you set disable_plaintext_auth = yes, and a client connects on port 143, Dovecot basically says "DON'T SEND YOUR PASSWORD IN PLAIN TEXT BECAUSE IT WON'T WORK." There is at least one client -- I don't remember which -- that ignores this and sends the password *in plain text* anyway. Someone on this list can probably identify the client. If any of your users insist on using it, stick with IMAPS on port 993.
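The following is an added example and is not code from the original post, from Dovecot or from Postfix. It walks through the client side of the STARTTLS exchange described in the numbered steps above and the LOGINDISABLED caveat in the footnote: a well-behaved client reads the capability list, upgrades with STARTTLS (or arrives already encrypted on 993), and refuses to send a password when the server advertises LOGINDISABLED on a plaintext connection, which is the capability Dovecot announces on port 143 when disable_plaintext_auth = yes. FakeDovecot is a constructed stand-in whose greeting and response texts are modelled on Dovecot, not captured from a real server; live_capabilities() talks to a real host and is only there as a manual check.

```python
"""Client-side STARTTLS / IMAPS handling and the LOGINDISABLED rule (added example)."""
import imaplib
import ssl


def parse_capabilities(line):
    """Extract capability tokens from a greeting or an untagged CAPABILITY response."""
    if "[CAPABILITY " in line:                      # "* OK [CAPABILITY ...] Dovecot ready."
        body = line.split("[CAPABILITY ", 1)[1].split("]", 1)[0]
    elif line.startswith("* CAPABILITY "):          # reply to a CAPABILITY command
        body = line[len("* CAPABILITY "):]
    else:
        return set()
    return {tok.upper() for tok in body.split()}


def choose_auth_action(caps, tls_established):
    """What a well-behaved client does before sending credentials:
    "login" (safe), "starttls" (upgrade first) or "refuse" (no way to encrypt)."""
    if tls_established:
        return "login"
    if "STARTTLS" in caps:
        return "starttls"
    if "LOGINDISABLED" in caps:     # plaintext login forbidden (disable_plaintext_auth = yes)
        return "refuse"
    return "login"                  # server allows plaintext; still a bad idea


class FakeDovecot:
    """Constructed stand-in for Dovecot with disable_plaintext_auth = yes.
    implicit_tls=True models port 993 (IMAPS); False models port 143."""

    def __init__(self, implicit_tls=False, offers_starttls=True):
        self.tls = implicit_tls
        self.offers_starttls = offers_starttls

    def capability_tokens(self):
        caps = ["IMAP4rev1"]
        if not self.tls:
            if self.offers_starttls:
                caps.append("STARTTLS")
            caps.append("LOGINDISABLED")        # only advertised while the link is plaintext
        return caps

    def greeting(self):
        return "* OK [CAPABILITY %s] Dovecot ready." % " ".join(self.capability_tokens())

    def handle(self, tag, command):
        """Response lines for one tagged command (texts are approximations)."""
        verb = command.split()[0].upper()
        if verb == "CAPABILITY":
            return ["* CAPABILITY " + " ".join(self.capability_tokens()), tag + " OK Capability completed."]
        if verb == "STARTTLS":
            if self.tls or not self.offers_starttls:
                return [tag + " BAD STARTTLS not available."]
            self.tls = True                     # "magic occurs": handshake happens here
            return [tag + " OK Begin TLS negotiation now."]
        if verb == "LOGIN":
            if not self.tls:
                return [tag + " NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections."]
            return [tag + " OK Logged in"]
        return [tag + " BAD Unknown command"]


def client_session(server, user="carlos", password="hunter2"):
    """Correct client. Returns (outcome, transcript); the password never appears in the transcript."""
    transcript, counter = [], [0]

    def send(cmd, shown=None):
        counter[0] += 1
        tag = "a%03d" % counter[0]
        transcript.append("C: %s %s" % (tag, shown or cmd))
        lines = server.handle(tag, cmd)
        transcript.extend("S: " + l for l in lines)
        return lines

    greeting = server.greeting()
    transcript.append("S: " + greeting)
    tls = server.tls                            # True only on the IMAPS (993) path
    action = choose_auth_action(parse_capabilities(greeting), tls)
    if action == "starttls":
        if send("STARTTLS")[-1].split()[1] != "OK":
            return "failed", transcript
        tls = True
        transcript.append("-- TLS handshake; server certificate verified --")
        # RFC 3501 6.2.1: discard pre-TLS capabilities and ask again
        action = choose_auth_action(parse_capabilities(send("CAPABILITY")[0]), tls)
    if action == "refuse":
        return "refused", transcript            # no STARTTLS and no plaintext login: give up
    lines = send("LOGIN %s %s" % (user, password), shown="LOGIN %s <redacted>" % user)
    return ("logged_in" if lines[-1].split()[1] == "OK" else "failed"), transcript


def broken_client_session(server, user="carlos", password="hunter2"):
    """The misbehaving client from the footnote: ignores LOGINDISABLED and logs in anyway.
    On port 143 the password crosses the wire in the clear even though the server says NO;
    on port 993 the same client is harmless, which is why IMAPS is the workaround."""
    transcript = ["S: " + server.greeting(), "C: a001 LOGIN %s <redacted>" % user]
    lines = server.handle("a001", "LOGIN %s %s" % (user, password))
    transcript.extend("S: " + l for l in lines)
    if not server.tls:
        return "password_exposed", transcript
    return ("logged_in" if lines[-1].split()[1] == "OK" else "failed"), transcript


def live_capabilities(host, port=143, implicit_tls=False):
    """Manual check against a real server (not exercised offline): capabilities after TLS."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    if implicit_tls:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    else:
        conn = imaplib.IMAP4(host, port)
        conn.starttls(ssl_context=ctx)          # raises if STARTTLS is not offered
    typ, data = conn.capability()
    conn.logout()
    return data[0].decode()
```

Running client_session(FakeDovecot()) shows the five steps from the post as a tagged dialogue ending in a login over TLS; broken_client_session(FakeDovecot()) shows the failure mode the footnote warns about, where the server's NO arrives only after the password has already left the client in plaintext. live_capabilities("imap.example.org") or live_capabilities("imap.example.org", 993, implicit_tls=True) is the equivalent check against a real host; a post-STARTTLS capability line that still lists LOGINDISABLED means something is wrong with the TLS setup.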