On 10-11-11 20:28, Dick Middleton wrote:
> On 11/10/11 19:17, Carlos Mennens wrote:
>> I asked a user today to make sure his incoming and outgoing email was using TLS. He told me it wasn't possible because my Dovecot / Postfix daemons were only listening on TCP 25 & 143 according to a port scan he did. He told me the only way I could enable encrypted secure sessions between the client & server is to enable port 993 (IMAPs).
> Yes, you are right. Port 993 is for IMAPS (SSH). TLS is normally on the same port as plain.
> The difference between SSH and TLS is that with SSH the encryption is set up before any application communication takes place, i.e. all application packets are contained in the encrypted payload. With TLS the application starts communicating and then the application sets up encryption of its payload.
You're contributing to the confusion.
SSL and TLS are practically the same, just another name for the same beast. The only difference is that SSL is the old name, and newer versions of the standard are labeled TLS. The term SSH is not in the scope of this question.
There are two ways of using SSL/TLS to encrypt sessions:
1. Set up a dedicated port where an SSL/TLS session is set up before any actual data is transferred. This is what happens for IMAPS/993 and SMTPS/465.
2. Extend an existing protocol to enable SSL/TLS during an open session. This is called STARTTLS in several protocols, SMTP and IMAP being among them. And this is what happens on SMTP/25, Submission/587 and IMAP/143.
Note that although the second option is *named* STARTTLS, you probably could implement any server to *use* SSL 1.0 for the actual encryption (not recommended though).
The OP is offering STARTTLS for both services, which is good.
-- 
Regards,
Tom
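The two modes Tom lists, acted out on the SMTP side as an added example (this is not code from the thread, nor from Postfix or Dovecot). A scripted stand-in plays the server so the exchange runs offline; the hostnames, credentials and capability lines are constructed for the demo. The client does what a correctly configured mail client should: on 465 it performs the TLS handshake before the first SMTP byte, on 25/587 it talks cleartext only until STARTTLS has succeeded, and in either case it withholds credentials unless TLS is actually up, which is also what stops a man-in-the-middle who strips STARTTLS from the EHLO reply. IMAP on 143/993 follows the same pattern (imaplib.IMAP4.starttls() versus imaplib.IMAP4_SSL).

```python
import base64
import smtplib
import ssl

IMPLICIT_TLS_PORTS = {465}   # SMTPS: TLS handshake before any SMTP byte
STARTTLS_PORTS = {25, 587}   # SMTP/Submission: upgrade the open session


class FakeSmtpServer:
    """Scripted stand-in for the server (constructed for this demo); records the session."""

    def __init__(self, *, advertise_starttls=True):
        self.advertise_starttls = advertise_starttls  # False simulates a stripping MITM
        self.encrypted = False     # state of the "socket" as the server sees it
        self.transcript = []       # (who, line, encrypted?)

    def _say(self, line):
        self.transcript.append(("S", line, self.encrypted))
        return line

    def start_tls(self):
        # Stands in for the handshake (ssl.SSLContext.wrap_socket() in real life).
        self.transcript.append(("*", "<TLS handshake>", False))
        self.encrypted = True

    def greet(self):
        return self._say("220 mail.example.test ESMTP Postfix")

    def handle(self, cmd):
        self.transcript.append(("C", cmd, self.encrypted))
        verb = cmd.split()[0].upper()
        if verb == "EHLO":
            caps = ["250-mail.example.test", "250-PIPELINING"]
            if self.advertise_starttls and not self.encrypted:
                caps.append("250-STARTTLS")
            if self.encrypted:                  # AUTH is only offered over TLS
                caps.append("250-AUTH PLAIN LOGIN")
            caps.append("250 8BITMIME")
            return [self._say(c) for c in caps]
        if verb == "STARTTLS":
            if self.encrypted:
                return [self._say("554 5.5.1 Error: TLS already active")]
            return [self._say("220 2.0.0 Ready to start TLS")]
        if verb == "AUTH":
            if not self.encrypted:
                return [self._say("538 5.7.11 Encryption required for requested authentication mechanism")]
            return [self._say("235 2.7.0 Authentication successful")]
        if verb == "QUIT":
            return [self._say("221 2.0.0 Bye")]
        return [self._say("502 5.5.2 Error: command not recognized")]


def submit_login(server, port, user="alice", password="s3cret"):
    """Client side: pick the mode by port and never send credentials in the clear."""
    encrypted = False
    if port in IMPLICIT_TLS_PORTS:
        server.start_tls()                      # TLS first, then the greeting
        encrypted = True
    if not server.greet().startswith("220"):
        return "refused: bad greeting"
    caps = server.handle("EHLO client.example.test")
    if port in STARTTLS_PORTS:
        if "250-STARTTLS" not in caps and "250 STARTTLS" not in caps:
            server.handle("QUIT")               # STARTTLS stripped or absent: bail out
            return "refused: STARTTLS not offered"
        if not server.handle("STARTTLS")[0].startswith("220"):
            server.handle("QUIT")
            return "refused: server declined STARTTLS"
        server.start_tls()
        encrypted = True
        caps = server.handle("EHLO client.example.test")   # RFC 3207: fresh EHLO after TLS
    if not encrypted or not any(c.startswith("250-AUTH") for c in caps):
        server.handle("QUIT")
        return "refused: no TLS, credentials withheld"
    blob = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    reply = server.handle("AUTH PLAIN " + blob)[0]
    server.handle("QUIT")
    return "authenticated" if reply.startswith("235") else "auth failed"


def cleartext_lines(server):
    """SMTP lines that crossed the wire unencrypted (handshake marker excluded)."""
    return [line for who, line, enc in server.transcript if who != "*" and not enc]


def open_real_session(host, port):
    """The same decision with the standard library against a real server (not run here)."""
    ctx = ssl.create_default_context()          # verifies certificate and hostname
    if port in IMPLICIT_TLS_PORTS:
        return smtplib.SMTP_SSL(host, port, context=ctx)
    conn = smtplib.SMTP(host, port)
    conn.starttls(context=ctx)                  # raises if STARTTLS is not advertised
    return conn
```

Running submit_login() against FakeSmtpServer() on port 465 leaves no cleartext SMTP line at all; on 587 the greeting, the first EHLO and the "250-STARTTLS" capability cross in the clear and everything from the second EHLO onward, AUTH included, is encrypted; with advertise_starttls=False the client quits before sending AUTH. The port scan the user ran only sees which ports answer, not which of these two negotiations a port supports, so "only 25 and 143 are open" says nothing about whether TLS is available.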