On 4/22/22 02:20, Jean-Daniel Dupas wrote:
While it's true for SMTP, my experience is that IMAP clients prefer imaps in 993 instead of STARTTLS.
I have a server with only port 993 opened, and almost never had any issue with client configuration.
I have noticed the opposite. Every time I have configured a new mail client (which is most often but not always Thunderbird), it defaults to 143 with STARTTLS. Port 993 is available too, but my mail clients have never used it unless I explicitly configure it.
My dovecot is configured with "disable_plaintext_auth = yes" so only source IPs that are local to the machine (so the traffic never goes out on any network) are allowed to login without TLS. My webmail uses localhost so it is configured to use port 143 without encryption.
I know a lot of people are going to clamor that such traffic should be encrypted because it could be sniffed ... but if somebody has enough access such that they could sniff my backend services, the security battle is already lost, and they would be able to get any in-flight passwords even if the connection is encrypted.
Thanks, Shawn