Hello,
Before I get into my question: is SSL on 993 or STARTTLS on 143 better from a security perspective?
I've noticed that I've got a Dovecot listener on port 993; below is my doveconf -n output. I don't have an imaps listener uncommented; should I do so and set its port to 0? Will that disable the 993 listener? Thanks. Dave.
# 2.3.10 (0da0eff44): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (bf8ef1c2)
# OS: FreeBSD 12.1-RELEASE-p2 amd64
# Hostname: hostname.example.com
auth_cache_size = 10 M
auth_default_realm = example.com
auth_mechanisms = plain login
auth_realms = example.com
dict {
  lastlogin = mysql:/usr/local/etc/dovecot/dovecot-last-login.conf
}
first_valid_gid = 2100
first_valid_uid = 2100
hostname = hostname.example.com
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
imap_idle_notify_interval = 1 mins
last_valid_gid = 2100
last_valid_uid = 2100
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = xxx.xxx.xxx.xxx
lmtp_rcpt_check_quota = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_access_groups = vmail
mail_fsync = never
mail_gid = vmail
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = dbox:~/mail
mail_plugins = acl fts fts_lucene mail_log notify quota trash virtual welcome zlib mail_crypt
mail_privileged_group = vmail
mail_server_admin = mailto:postmaster@example.com
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext spamtest spamtestplus virustest editheader imapflags notify imapsieve vnd.dovecot.imapsieve
namespace {
  location = sdbox:/var/vmail/public/:CONTROL=~/mail/public:INDEX=~/mail/public
  prefix = Public/
  separator = /
  subscriptions = yes
  type = public
}
namespace {
  hidden = no
  list = yes
  location = maildir:/var/vmail/shared/office/.maildir:CONTROL=~/.maildir/control/office:INDEX=~/.maildir/index/office
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
  fts = lucene
  fts_autoindex = yes
  fts_autoindex_exclude = \Junk
  fts_autoindex_exclude2 = \Trash
  fts_autoindex_exclude3 = \Spam
  fts_autoindex_max_recent_msgs = 80
  fts_index_timeout = 90
  fts_lucene = whitespace_chars=@. normalize no_snowball
  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  last_login_dict = proxy::lastlogin
  last_login_key = # hidden, use -P to show it
  mail_crypt_curve = prime256v1
  mail_crypt_global_private_key = # hidden, use -P to show it
  mail_crypt_global_public_key = # hidden, use -P to show it
  mail_crypt_save_version = 2
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = count:User quota
  quota_exceeded_message = Storage quota for this account has been exceeded, please try again later.
  quota_grace = 10%%
  quota_rule2 = Trash:ignore
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = true
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=75%% quota-warning 75 %u
  sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_extensions = +notify +imapflags +spamtest +spamtestplus +virustest +editheader
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.environment
  sieve_max_redirects = 30
  sieve_max_script_size = 1M
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_spamtest_max_header = X-Spamd-Result: default: [[:alnum:]]+ \[-?[[:digit:]]+\.[[:digit:]]+ / (-?[[:digit:]]+\.[[:digit:]]+)\]
  sieve_spamtest_status_header = X-Spamd-Result: default: [[:alnum:]]+ \[(-?[[:digit:]]+\.[[:digit:]]+) / -?[[:digit:]]+\.[[:digit:]]+\]
  sieve_spamtest_status_type = score
  sieve_user_log = /var/vmail/sieve/sieve_error.log
  sieve_virustest_status_header = X-Virus-Scan: Found to be (.+)\.
  sieve_virustest_status_type = text
  sieve_virustest_text_value1 = clean
  sieve_virustest_text_value5 = infected
  trash = /usr/local/etc/dovecot/trash.conf
  welcome_script = welcome %n postmaster@%d
  welcome_wait = yes
}
postmaster_address = postmaster@example.com
protocols = imap lmtp sieve
sendmail_path = /usr/local/sbin/sendmail
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  process_min_avail = 1
}
service imap {
  executable = imap
}
service lmtp {
  executable = lmtp
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 172.16.21.3
    port = 4190
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/dovecot-quota {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service quota-warning {
  executable = script /usr/local/etc/dovecot/quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
  user = vmail
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service welcome {
  executable = script /usr/local/etc/dovecot/welcome.sh
  unix_listener welcome {
    user = vmail
  }
  user = vmail
}
ssl = required
ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_curve_list = P-256
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_ticket
ssl_prefer_server_ciphers = yes
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_fsync = optimized
  mail_plugins = acl fts fts_lucene mail_log notify quota trash virtual welcome zlib mail_crypt sieve
}
protocol lda {
  mail_fsync = optimized
  mail_plugins = acl fts fts_lucene mail_log notify quota trash virtual welcome zlib mail_crypt sieve
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugins = acl fts fts_lucene mail_log notify quota trash virtual welcome zlib mail_crypt imap_acl imap_quota imap_sieve imap_zlib last_login quota welcome
}
protocol sieve {
  info_log_path = /var/log/dovecot/dovecot-sieve.log
  log_path = /var/log/dovecot/dovecot-sieve-errors.log
}
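As an added example to go with Dave's listener question (this is not from the thread and not Dovecot's own tooling): Dovecot's imap-login service carries a compiled-in `imaps` listener on port 993 with `ssl = yes`, and `doveconf -n` prints only settings that differ from the defaults, which is why the posted output shows no imaps block even though 993 is open. Setting a listener's `port = 0` disables it. The POSIX sh helpers below print the override that does that and parse doveconf-style output to list every inet_listener with its port and mode. The doveconf text inside is constructed, and the override file name in the comment is an assumption.

```shell
#!/bin/sh
# Added example; not part of the thread and not Dovecot's own tooling.

# disable_listener_fragment SERVICE LISTENER
#   Prints the block that disables an inet_listener by setting its port to 0.
#   Append it to a local override such as conf.d/99-local.conf (file name is
#   an assumption) and reload Dovecot.
disable_listener_fragment() {
    printf 'service %s {\n  inet_listener %s {\n    port = 0\n  }\n}\n' "$1" "$2"
}

# listener_ports
#   Reads doveconf-style output on stdin and prints one line per inet_listener:
#   "<service> <listener> <port> <mode>", where mode is implicit-tls (ssl = yes),
#   plain/starttls, or disabled (port = 0). Feed it "doveconf -a", not "-n":
#   -n omits listeners that are still at their compiled-in defaults.
listener_ports() {
    awk '
        $NF == "{" {
            depth++
            if ($1 == "service")       svc = $2
            if ($1 == "inet_listener") { lst = $2; lst_depth = depth; port = ""; ssl = "" }
            next
        }
        $1 == "port" && $2 == "=" && lst != "" { port = $3; next }
        $1 == "ssl"  && $2 == "=" && lst != "" { ssl = $3; next }
        $1 == "}" {
            if (lst != "" && depth == lst_depth) {
                mode = (port == "0") ? "disabled" : (ssl == "yes" ? "implicit-tls" : "plain/starttls")
                print svc, lst, (port == "" ? "default" : port), mode
                lst = ""
            }
            depth--
        }
    '
}

# sample_doveconf
#   Constructed stand-in for "doveconf -a" output on a host like the one in the
#   thread; only the listener-related blocks are included.
sample_doveconf() {
    cat <<'EOF'
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 1
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 172.16.21.3
    port = 4190
  }
}
EOF
}

# Stand-alone run: list the sample's listeners, then show what the override
# would make of the imaps listener.
sample_doveconf | listener_ports
disable_listener_fragment imap-login imaps | listener_ports
```

On a real host the check is `doveconf -a | listener_ports`; the imaps line appearing there with port 993 and mode implicit-tls is the listener Dave is seeing, and after the override has been appended and Dovecot reloaded the same command reports it as disabled. Whether to disable it at all is a separate question; the replies below argue for keeping the implicit-TLS port.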
Maybe this thread can help you with your first question: https://dovecot.org/pipermail/dovecot/2014-August/097488.html
On 13.4.2020. 20:52, David Mehler wrote:
On Tue, 14 Apr 2020, Ivo wrote:
Maybe this thread can help you with your first question : https://dovecot.org/pipermail/dovecot/2014-August/097488.html
I was more or less going to say the same thing. Further to this, it's more important to make sure your clients enforce SSL/STARTTLS use by disabling auto-discovery, and if you're ultra-conservative, certificate pinning.
Joseph Tam <jtam.home@gmail.com>
- David Mehler:
Before I get into my question: is SSL on 993 or STARTTLS on 143 better from a security perspective?
On the server side, it makes little difference. STARTTLS just means a number of extra bytes are exchanged while an encrypted connection is being established. If you want to support a wide range of clients, expose both ports.
-Ralph
On 13.04.20 at 20:52, David Mehler wrote:
Hello,
Before I get into my question: is SSL on 993 or STARTTLS on 143 better from a security perspective?
Implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3
Andreas
On 14 Apr 2020 at 18:57, A. Schulze <sca@andreasschulze.de> wrote:
On 13.04.20 at 20:52, David Mehler wrote:
Hello,
Before I get into my question: is SSL on 993 or STARTTLS on 143 better from a security perspective?
Implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3
One rationale for this is to make sure broken clients don't send clear-text credentials on port 143, even if STARTTLS is required.
So from a security perspective, you can consider TLS on port 943 a better solution.
- Jean-Daniel:
One rationale for this is to make sure broken clients don't send clear-text credentials on port 143, even if STARTTLS is required.
If clients are broken, they can send clear text credentials to any port and a network sniffer could record the content. Heck, one can do stupid things with "netcat" if one really wants to.
The decision to allow STARTTLS or not depends on the clients that need to connect. As long as the protocol is followed, the difference in terms of security is negligible.
-Ralph
participants (6)
- A. Schulze
- David Mehler
- Ivo
- Jean-Daniel
- Joseph Tam
- Ralph Seichter