On Tue, 14 May 2013 12:39:34 -0500 /dev/rob0 rob0@gmx.co.uk wrote:
On Sun, May 12, 2013 at 05:40:10AM -0700, Professa Dementia wrote:
On 5/12/2013 4:17 AM, Steinar Bang wrote:
I prefer not to use clear text passwords, even over an encrypted connection.
Why? Enforce the encrypted link by not allowing unencrypted connections. The simplest is iptables to block ports 110 and 143, while allowing 993 and 995.
I don't understand this advice. Why would someone who is apparently interested in heightened transport security restrict himself to the older generation SSL v.2, which was long ago superseded by TLS v.1?
http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0
http://wiki2.dovecot.org/SSL
Quoting from the latter page:
"Some admins want to require SSL/TLS, but don't realize that this is also possible with STARTTLS (Dovecot has disable_plaintext_auth=yes and ssl=required settings)."
SSL vs STARTTLS in this context has nothing to do with SSL/TLS versions (and available ciphers).
The thing is that SSL and STARTTLS in this context represent different mechanisms by which you can initiate an SSL/TLS handshake. The "SSL method" means you connect to port 993 and start a handshake immediately (similar to HTTPS).
The "STARTTLS method" means you're connecting through port 143, using plain-text communications at first, until you send a STARTTLS command to the server. When STARTTLS has been issued, both client and server proceed with an SSL/TLS handshake the same way as if the client had connected to port 993.
It's unfortunately a poor selection of terminology, but everyone is using it, therefore introducing a bit of confusion with people who are into PKI that much :)
In effect, in both cases (if the software is built and configured correctly) you'll be using TLSv1.0 or higher.
The thing is that if you connect to port 993, and Dovecot is configured to use SSL there straight away, if the client starts sending IMAP commands in plain-text, the server will cut the connection due to an invalid SSL/TLS handshake.
When using the plain-text port 143, the client may attempt to send out the username/password even though the server requires TLS (well, the client shouldn't do this, since the server should signal the client what its capabilities are, but you never know how bad the client implementation is).
I hope this description helps a bit :)
Best regards
P.S. I think there's even been one discussion regarding this relatively recently on Dovecot mailing lists.
--
Branko Majic
Jabber: branko@majic.rs
Please use only Free formats when sending attachments to me.
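As an added example (not code from the thread or from Dovecot), here is a small Python checker for the point made above about port 143: before the STARTTLS upgrade the server must advertise STARTTLS and signal that cleartext authentication is off, which is what Dovecot's disable_plaintext_auth=yes produces (LOGINDISABLED advertised, AUTH=PLAIN/AUTH=LOGIN withheld). The greeting strings are constructed samples; audit_live is an assumed helper that needs a reachable host and is not exercised offline.

```python
"""Audit what an IMAP server offers on the plaintext port before STARTTLS."""
import imaplib
import re
import ssl

# Constructed sample greetings, not captured from a real server.
SAFE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
                 "ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.")
WEAK_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                 "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
NO_TLS_GREETING = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready."


def parse_capabilities(text):
    """Return the capability tokens from a greeting or a CAPABILITY response."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", text, re.IGNORECASE)
    if not m:
        m = re.search(r"^\* CAPABILITY (.*)$", text, re.IGNORECASE | re.MULTILINE)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def audit_pre_tls_capabilities(caps):
    """Findings about the pre-TLS state; empty means cleartext auth is shut off."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised: connection cannot be upgraded")
    plain = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if plain:
        findings.append("cleartext SASL mechanisms offered before TLS: " + ", ".join(plain))
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN accepted in cleartext")
    return findings


def audit_live(host, port=143):
    """Assumed helper: connect to port 143, audit the pre-TLS capabilities,
    then upgrade with STARTTLS and report the negotiated TLS version."""
    conn = imaplib.IMAP4(host, port)
    findings = audit_pre_tls_capabilities({c.upper() for c in conn.capabilities})
    conn.starttls(ssl.create_default_context())  # same handshake as port 993
    version = conn.sock.version()
    conn.logout()
    return findings, version
```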