Hi,
I have activated only imaps and managesieve.
As sieve is running on a different port/protocol: Can I make sure that sieve can ONLY be used with SSL/TLS?
As the credentials are transmitted I only offer services with SSL (IMAPS, SMTP over SSL, ...). For sieve I am not sure about this.
If there is the possibility that user's credentials are transmitted in plain text I would block the port from the firewall, else I would offer my users the feature to change their rules with their own client (e.g. Thunderbird sieve).
Regards, Luke
On Thu, 2010-09-23 at 12:16 +0200, Lukas Haase wrote:
> I have activated only imaps and managesieve.
> As sieve is running on a different port/protocol: Can I make sure that sieve can ONLY be used with SSL/TLS?
Hi,
On 23.09.2010 14:58, Timo Sirainen wrote:
> On Thu, 2010-09-23 at 12:16 +0200, Lukas Haase wrote:
> > I have activated only imaps and managesieve.
> > As sieve is running on a different port/protocol: Can I make sure that sieve can ONLY be used with SSL/TLS?
Thank you.
First, IMAP and SMTP ports are completely blocked by the corporate firewall (it is corporate policy to not allow IMAP and SMTP - I can not do anything about this).
Second:
[...] This could be because it makes it easier to ensure that no information is leaked, because SSL/TLS handshake happens immediately. Some clients unfortunately try to do plaintext authentication without STARTTLS, even when IMAP server has told the client that it won't work [...]
This is my personal reason for preferring only IMAPS (and do not even offer IMAP).
So back to sieve: If I set disable_plaintext_auth=yes and ssl=required then nothing should change for my IMAPS port because it is TLS per definition. And for managesieve it means that it should be protected the same way IMAP with STARTTLS would be.
So a client would connect to port 2000 and LOGIN would not be advertised as long as STARTTLS is not issued. Correct?
Regards, Luke
On Thu, 2010-09-23 at 15:17 +0200, Lukas Haase wrote:
> So back to sieve: If I set disable_plaintext_auth=yes and ssl=required then nothing should change for my IMAPS port because it is TLS per definition. And for managesieve it means that it should be protected the same way IMAP with STARTTLS would be.
> So a client would connect to port 2000 and LOGIN would not be advertised as long as STARTTLS is not issued. Correct?
Correct (although it's usually PLAIN, not LOGIN).
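A check for the behaviour confirmed above, added here as an example and not code from this thread or from Dovecot: it parses a ManageSieve (RFC 5804) greeting and reports whether any SASL mechanism is advertised before STARTTLS, which is what disable_plaintext_auth=yes with ssl=required should prevent. Both greetings are constructed samples; `fetch_greeting` is an assumed helper for running the same audit against a live listener on whatever port the server uses.

```python
import re
import socket

# Constructed greeting, modelled on what a ManageSieve server (RFC 5804) sends
# before STARTTLS when plaintext auth is disabled: the SASL list is empty.
SAFE_GREETING = (
    '"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n'
    '"SIEVE" "fileinto reject envelope vacation"\r\n'
    '"SASL" ""\r\n'
    '"STARTTLS"\r\n'
    '"VERSION" "1.0"\r\n'
    'OK "Dovecot ready."\r\n'
)
# Constructed greeting of a misconfigured server that offers mechanisms before TLS.
UNSAFE_GREETING = SAFE_GREETING.replace('"SASL" ""', '"SASL" "PLAIN LOGIN"')

CAP_LINE = re.compile(r'^"([^"]+)"(?:\s+"([^"]*)")?\s*$')

def parse_capabilities(greeting):
    """Map capability names to their value; valueless ones (STARTTLS) map to ''.
    Parsing stops at the OK/NO/BYE line that terminates the greeting."""
    caps = {}
    for line in greeting.splitlines():
        if line.startswith(("OK", "NO", "BYE")):
            break
        m = CAP_LINE.match(line)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps

def audit_greeting(greeting):
    """Findings for a pre-TLS greeting; an empty list means STARTTLS is offered
    and no SASL mechanism is advertised until the session is encrypted."""
    caps = parse_capabilities(greeting)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    mechs = caps.get("SASL", "").split()
    if mechs:
        findings.append("auth mechanisms offered before TLS: " + " ".join(mechs))
    return findings

def fetch_greeting(host, port, timeout=5.0):
    """Read a live server's greeting up to and including its terminating OK line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not re.search(rb"^(OK|NO|BYE)\b", data, re.M):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("utf-8", "replace")
```

Run `audit_greeting(fetch_greeting(host, port))` against the managesieve listener; anything other than an empty list means credentials could still be sent in the clear.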