different TLS protocols on different ports
Hello,
I'm providing IMAP+STARTTLS on port 143 for users with legacy MUAs, so I have to enable TLS1.0 up to TLS1.3. For IMAPS / port 993 I would like to enable TLS1.2 and TLS1.3 only.
Is this possible with dovecot-2.2.36, and how do I set it up?
Thanks for suggestions, Andreas
On 14.11.18 at 20:22, Aki Tuomi wrote:
Not possible I'm afraid.
Hello Aki,
is it not possible in 2.2.36 or not possible at all?
I stumbled upon RFC 8314 *) and I found it a welcome option to enforce more modern protocols/ciphers. IMAPS/SUBMISSIONS aren't used widely (at least to my knowledge, many postmasters used to configure IMAP+SUBMISSION and STARTTLS). Switching clients to completely new ports is a chance to separate and dry out legacy MUAs.
I just tried this but that's no valid syntax though:
service imap-login {
  inet_listener imap {
    port = 143
    # using default protocols and ciphers...
  }
  inet_listener imaps {
    port = 993
    ssl_protocols = TLSv1.2 TLSv1.3
    ssl_cipher_list = ...
  }
}
Postfix lets me easily define different TLS protocols on different ports. It would be cool if dovecot could assist on such migrations, too.
Andreas
*) see https://tools.ietf.org/html/rfc8314 as well as the draft https://tools.ietf.org/html/draft-lvelvindron-tls-for-email-02 to deprecate TLSv1.1
On November 14, 2018 at 12:46 PM "A. Schulze" <sca@andreasschulze.de> wrote:
I stumbled upon RFC 8314 *) and I found it a welcome option to enforce more modern protocols/ciphers. IMAPS/SUBMISSIONS aren't used widely (at least to my knowledge, many postmasters used to configure IMAP+SUBMISSION and STARTTLS)
"IMAPS" has been used forever. Every installation I can think of supports 993.
Same with submission. 465/587 has been a standard port for awhile now.
In fact, these are the only ports someone like a Google will allow you to connect to. https://support.google.com/mail/answer/7126229?hl=en
Switching clients to completely new ports is a chance to separate and dry out legacy MUAs
There is no switch to do. These ports are well-known and well used.
I just tried this but that's no valid syntax though:
service imap-login {
  inet_listener imap {
    port = 143
    # using default protocols and ciphers...
  }
  inet_listener imaps {
    port = 993
    ssl_protocols = TLSv1.2 TLSv1.3
    ssl_cipher_list = ...
  }
}
Postfix lets me easily define different TLS protocols on different ports. It would be cool if dovecot could assist on such migrations, too.
Andreas
*) see https://tools.ietf.org/html/rfc8314 as well as the draft https://tools.ietf.org/html/draft-lvelvindron-tls-for-email-02 to deprecate TLSv1.1
On Wed, 14 Nov 2018, Aki Tuomi wrote:
I'm providing IMAP+STARTTLS on port 143 for users with legacy MUAs, so I have to enable TLS1.0 up to TLS1.3. For IMAPS / port 993 I would like to enable TLS1.2 and TLS1.3 only.
Is this possible with dovecot-2.2.36, and how do I set it up?
Not possible I'm afraid.
("Not possible" = challenge!)
Couldn't you run two different instances (with 2 separate run-time directories), each listening on a different port with their own SSL configuration? Or would it clash somewhere?
If only a single running instance of dovecot is required, I guess you can run dovecot on the localhost interface, and use 2 stunnel proxies.
Joseph Tam <jtam.home@gmail.com>
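The two-instance approach suggested above, written out as an added example; this is not configuration from the thread or from the Dovecot project, and the file paths, instance names and the shared include file are assumptions. It uses the 2.2-style ssl_protocols syntax, which lists protocols to exclude.

```conf
# /etc/dovecot/dovecot-legacy.conf (assumed path): STARTTLS on 143 only,
# keeping TLS 1.0 and newer for the legacy MUAs.
# Everything both instances share (ssl_cert/ssl_key, auth, mail_location, ...)
# is assumed to live in /etc/dovecot/common.conf and is pulled in here.
!include /etc/dovecot/common.conf
instance_name = dovecot-legacy
base_dir = /var/run/dovecot-legacy/
protocols = imap
# Exclude only SSLv3; TLS 1.0 through whatever OpenSSL offers stays enabled.
ssl_protocols = !SSLv3
service imap-login {
  inet_listener imap {
    port = 143
  }
  # port = 0 disables this listener in this instance
  inet_listener imaps {
    port = 0
  }
}

# /etc/dovecot/dovecot-modern.conf (assumed path): implicit TLS on 993 only,
# TLS 1.2 and newer (TLS 1.3 is allowed whenever the linked OpenSSL has it).
!include /etc/dovecot/common.conf
instance_name = dovecot-modern
base_dir = /var/run/dovecot-modern/
protocols = imap
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
```

Each instance is started with its own config file (dovecot -c /etc/dovecot/dovecot-modern.conf, and doveadm -c ... for administration) and needs its own base_dir, while the mail storage can be shared. After restarting, confirm from a client host that 993 refuses a TLS 1.1 handshake while 143 with STARTTLS still accepts one.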
On 11/14/2018 01:46 PM, Joseph Tam wrote:
On Wed, 14 Nov 2018, Aki Tuomi wrote:
I'm providing IMAP+STARTTLS on port 143 for users with legacy MUAs, so I have to enable TLS1.0 up to TLS1.3. For IMAPS / port 993 I would like to enable TLS1.2 and TLS1.3 only.
Is this possible with dovecot-2.2.36, and how do I set it up?
Not possible I'm afraid.
("Not possible" = challenge!)
Couldn't you run two different instances (with 2 separate run-time directories), each listening on a different port with their own SSL configuration? Or would it clash somewhere?
If only a single running instance of dovecot is required, I guess you can run dovecot on the localhost interface, and use 2 stunnel proxies.
Joseph Tam <jtam.home@gmail.com>
Honestly that violates the concept of KISS.
Given that TLS 1.2 is now a decade old, do you really need to still allow clients not capable of TLS 1.0/1.1?
I still do but only allow cipher suites with Forward Secrecy.
I don't run a huge mail server, but from a quick look at my logs I don't even see any clients connecting that aren't TLS 1.2 anymore.
Might be easier to just give a six month notice that clients running TLS more than a decade old will no longer be supported.
On 11/14/2018 4:08 PM, Michael A. Peters wrote:
Honestly that violates the concept of KISS.
Given that TLS 1.2 is now a decade old, do you really need to still allow clients not capable of TLS 1.0/1.1?
I still do but only allow cipher suites with Forward Secrecy.
I don't run a huge mail server, but from a quick look at my logs I don't even see any clients connecting that aren't TLS 1.2 anymore.
Might be easier to just give a six month notice that clients running TLS more than a decade old will no longer be supported.
+1
Strongly agree with this. If you have enough users that you have to use both hands to count them, running different protocols on different ports is a sure-fire way to annoy your users and create problems for support staff (e.g. you). Either allow the antique protocol everywhere, or give notice and cut it off.
-- Noel Jones
Michael A. Peters <mpeters@domblogger.net> wrote:
Couldn't you run two different instances (with 2 separate run-time directories), each listening on a different port with their own SSL configuration? Or would it clash somewhere?
If only a single running instance of dovecot is required, I guess you can run dovecot on the localhost interface, and use 2 stunnel proxies.
Honestly that violates the concept of KISS.
(Just to be clear, I'm not the OP.)
I agree -- if the OP can convince the users to change mail readers, that would be better all around. However, some users will only let go of their mail reader when you pry it from their cold, dead fingers, and you'll be applying KISS in the social context. Doing a technical workaround is sometimes simpler than picking a fight with them. This has to be balanced with the security requirements.
Noel <noeldude@gmail.com> writes:
Strongly agree with this. If you have enough users that you have to use both hands to count them, running different protocols on different ports is a sure-fire way to annoy your users and create problems for support staff (e.g. you). Either allow the antique protocol everywhere, or give notice and cut it off.
I'm not sure why users would be annoyed -- this is more or less transparent to them. If, however, you remove a TLS flavour and thereby break a previously working mail reader, you'll get the definition of "annoyed" demonstrated when you explain to the user why you won't allow their beloved FoobyBletch5000 mail reader to work.
Joseph Tam <jtam.home@gmail.com>
participants (6)
- A. Schulze
- Aki Tuomi
- Joseph Tam
- Michael A. Peters
- Michael Slusarz
- Noel