pop 110/995, imap 143/993 ?
just setting a new Dovecot server to migrate from older system, but, I have a general question:
- I've set the server with self issued cert, and both pop/imap StartTLS/110/143 SSL/993/995 (apologies if I'm using wrong naming terminology)
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
my current understanding is that some (MS?) clients might not support StartTLS/143 ? so best to offer both ?
I think? some public WiFi block 993/995 but allow 143/110, hence, another advantage for using 143/110
thanks for any advice,
V
On Mon, 21 Aug 2017, voytek@sbt.net.au wrote:
- I've set the server with self issued cert, and both pop/imap StartTLS/110/143 SSL/993/995 (apologies if I'm using wrong naming terminology)
That's fine.
Steffen Kaiser
On 21/08/17 00:28, voytek@sbt.net.au wrote:
just setting a new Dovecot server to migrate from older system, but, I have a general question:
- I've set the server with self issued cert, and both pop/imap StartTLS/110/143 SSL/993/995 (apologies if I'm using wrong naming terminology)
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
I believe the recommended way for years has been to use the encrypted/SSL versions of both IMAP and POP3 - so ports 993 and 995 respectively. Otherwise you are effectively sending data in plain text over the internet.
my current understanding is that some (MS?) clients might not support StartTLS/143 ? so best to offer both ?
As far as I know, all popular email clients of the last 15 years, that I can think of, support POP3 on 995 and IMAP on 993 with SSL.
I think? some public WiFi block 993/995 but allow 143/110, hence, another advantage for using 143/110
I never heard about this. Maybe others have. I guess this would be even more of a reason to use the encrypted versions of the protocols.
On 08/21/2017 07:28 AM, voytek@sbt.net.au wrote:
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
There is no concrete answer. There are various opinions and feelings about this. The opinion against 993/995 is that these are not standard ports, and there is no need to allocate new ports for the secure version of each protocol since we can use STARTTLS.
The problem with 110/143 is that security depends on settings on both ends: The client must be configured to negotiate STARTTLS as mandatory, and refuse to talk to the server when that doesn't work. The server must also refuse to talk to clients without STARTTLS. Since some mail clients support "opportunistic" STARTTLS, that is, use port 143 and use STARTTLS *if / when* available, some people feel there are too many subtleties involved, and ports 993/995 just make all this go away.
Requiring STARTTLS on the server side doesn't prevent a man-in-the-middle attack. The client must be configured to insist on negotiating STARTTLS with a server with a verified certificate.
my current understanding is that some (MS?) clients might not support StartTLS/143 ? so best to offer both ?
Their newest clients do support STARTTLS. I don't remember exactly but maybe Outlook 2003 or so didn't support it.
I think? some public WiFi block 993/995 but allow 143/110, hence, another advantage for using 143/110
Never heard of this either.
On 21/08/17 10:37, Gedalya wrote:
On 08/21/2017 07:28 AM, voytek@sbt.net.au wrote:
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
There is no concrete answer. There are various opinions and feelings about this. The opinion against 993/995 is that these are not standard ports,
Out of curiosity, is there a source for this? It's the first time I hear that 993/995 are not standard ports - and searching on the Internet, I can't find any evidence to back it up? Also, pretty much all email software has been using them for the past 20 years or so. It seems like a curiously high rate of adoption for a non-standard :-)
On 08/21/2017 06:04 PM, Sebastian Arcus wrote:
On 21/08/17 10:37, Gedalya wrote:
On 08/21/2017 07:28 AM, voytek@sbt.net.au wrote:
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
There is no concrete answer. There are various opinions and feelings about this. The opinion against 993/995 is that these are not standard ports,
Out of curiosity, is there a source for this? It's the first time I hear that 993/995 are not standard ports - and searching on the Internet, I can't find any evidence to back it up? Also, pretty much all email software has been using them for the past 20 years or so. It seems like a curiously high rate of adoption for a non-standard :-)
What kind of evidence would support a negative? I don't understand.
Evidence could demonstrate that something is indeed a standard. "Standard" and common practice are not the same thing. A "Standard" is a document that describes what practice ought to look like. C has a (series of) standard(s), Perl 5 is not exactly standardized. It's just implemented and documented.
Either way, at this point these ports are indeed listed here:
https://www.iana.org/assignments/service-names-port-numbers/service-names-po...
So perhaps it can be said that those still arguing against it on the basis of it being "non-standard" are still arguing against officially assigning these port numbers, because the old ports are perfectly good, even after the assignment has already been listed by IANA.
On Mon, 21 Aug 2017 11:04:40 +0100, Sebastian Arcus stated:
On 21/08/17 10:37, Gedalya wrote:
On 08/21/2017 07:28 AM, voytek@sbt.net.au wrote:
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
There is no concrete answer. There are various opinions and feelings about this. The opinion against 993/995 is that these are not standard ports,
Out of curiosity, is there a source for this? It's the first time I hear that 993/995 are not standard ports - and searching on the Internet, I can't find any evidence to back it up? Also, pretty much all email software has been using them for the past 20 years or so. It seems like a curiously high rate of adoption for a non-standard :-)
One of the places I have found extremely useful over the years is: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
It lists the port number, TCP & UDP, description and IANA Status. It also lists multiple use ports; such as 465.
Port  TCP  UDP       Description                                             IANA status
143   TCP  Assigned  Internet Message Access Protocol (IMAP) management      Official
465   TCP            URL Rendezvous Directory for SSM (Cisco protocol)       Official
465   TCP            Authenticated SMTP over TLS/SSL (SMTPS)                 Unofficial
993   TCP  Assigned  Internet Message Access Protocol over TLS/SSL (IMAPS)   Official
995   TCP  UDP       Post Office Protocol 3 over TLS/SSL (POP3S)             Official
-- Jerry
On Mon, 21 Aug 2017, Sebastian Arcus wrote:
On 21/08/17 10:37, Gedalya wrote:
On 08/21/2017 07:28 AM, voytek@sbt.net.au wrote:
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
There is no concrete answer. There are various opinions and feelings about this. The opinion against 993/995 is that these are not standard ports,
Out of curiosity, is there a source for this? It's the first time I hear that 993/995 are not standard ports - and searching on the Internet, I can't find any evidence to back it up? Also, pretty much all email software has been using them for the past 20 years or so. It seems like a curiously high rate of adoption for a non-standard :-)
Hello,
IMHO the "not standard ports" is meant as "old, useless ports now".
AFAIK at the beginning there were only plain-text ports 80, 389, 110, 143, 25, 5222 (XMPP) etc. without any encryption. Then SSL was implemented on ports 443, 636, 993, 995, 465, 5223 etc. Later, the STARTTLS feature was introduced and servers and clients have implemented STARTTLS at some point. Since STARTTLS is used in most clients and servers nowadays, there is no need for an SSL port. There is even RFC 2817 for STARTTLS in HTTP. So IMHO all SSL ports are meant to be old and useless now; some Jabber clients describe SSL encryption on port 5223 as "legacy".
The pro of STARTTLS is that you CAN start encryption if you need it. E.g. for SMTP or LDAP you can use plain-text connections without expensive encryption for normal mail transfer (MX-MX) or for searching (LDAP), and the client can start encryption if needed for username+password or cert authentication (SMTP submit or LDAP edit with auth).
Of course, for IMAP+POP you have to authenticate every time, i.e. you need encryption every time.
The pro of an SSL port is that you always know exactly that your connection is encrypted, so your password is never sent over a plain-text channel.
Some servers (services) can be configured to fail a correct login if the login is made through a plain-text channel. This is good, because a MITM cannot instantly see if the password is correct or not, but the password already goes plain-text and the MITM can test it on a secure connection later.
Regards,
Robert Wolf.
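The two-sided policy Gedalya describes (the client insists on STARTTLS with a verified certificate, the server refuses cleartext logins) and Robert Wolf's point about servers that reject logins made over a plain-text channel, as an added Python example that is not from this thread or from Dovecot; the capability lines are constructed samples and the host/port arguments to connect_strict are assumptions.

```python
"""Mandatory-STARTTLS policy for IMAP: client side and server side.
Based on RFC 3501 (LOGINDISABLED) and RFC 2595 (STARTTLS). Added example."""
import imaplib
import ssl

def parse_capabilities(line):
    """Turn a pre-TLS '* CAPABILITY ...' response into an upper-cased set."""
    parts = line.strip().split()
    if len(parts) >= 2 and parts[0] == "*" and parts[1].upper() == "CAPABILITY":
        parts = parts[2:]
    return {p.upper() for p in parts}

def client_may_authenticate(port, caps):
    """Client side: returns (ok, reason). On 993 the socket is TLS before the
    first IMAP byte; on 143 STARTTLS is mandatory, so a server that does not
    offer it gets no credentials at all (no 'opportunistic' fallback)."""
    if port == 993:
        return True, "implicit TLS: encrypted before the greeting"
    if "STARTTLS" not in caps:
        return False, "no STARTTLS offered on port 143: refusing to log in"
    return True, "upgrade with STARTTLS, verify the certificate, then LOGIN"

def server_permits_cleartext_login(caps):
    """Server side: a hardened server advertises LOGINDISABLED and no cleartext
    SASL mechanism before TLS (in Dovecot: disable_plaintext_auth = yes)."""
    return "LOGINDISABLED" not in caps or bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})

def connect_strict(host, port, timeout=10):
    """Live connection honouring the policy. create_default_context() verifies
    the chain and hostname; a self-issued cert (as in the original post) must
    be added with ctx.load_verify_locations() or the handshake fails."""
    ctx = ssl.create_default_context()
    if port == 993:
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    conn = imaplib.IMAP4(host, port, timeout=timeout)   # cleartext so far
    ok, reason = client_may_authenticate(port, set(conn.capabilities))
    if not ok:
        conn.shutdown()
        raise ConnectionError(reason)
    conn.starttls(ctx)   # raises on a failed handshake or an unverified cert
    return conn

# Constructed sample CAPABILITY responses (no network is used below).
HARDENED = "* CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED"
LAX = "* CAPABILITY IMAP4rev1 IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN"
NO_TLS = "* CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN"

if __name__ == "__main__":
    for name, line in [("hardened", HARDENED), ("lax", LAX), ("no_tls", NO_TLS)]:
        caps = parse_capabilities(line)
        print(name, client_may_authenticate(143, caps),
              "server permits cleartext login:", server_permits_cleartext_login(caps))
```

The LAX server illustrates Gedalya's subtlety: the client can still protect itself with STARTTLS, but the server would accept a password in the clear from a client that does not.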
On 21/08/17 13:39, Robert Wolf wrote:
On Mon, 21 Aug 2017, Sebastian Arcus wrote:
On 21/08/17 10:37, Gedalya wrote:
On 08/21/2017 07:28 AM, voytek@sbt.net.au wrote:
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
There is no concrete answer. There are various opinions and feelings about this. The opinion against 993/995 is that these are not standard ports,
Out of curiosity, is there a source for this? It's the first time I hear that 993/995 are not standard ports - and searching on the Internet, I can't find any evidence to back it up? Also, pretty much all email software has been using them for the past 20 years or so. It seems like a curiously high rate of adoption for a non-standard :-)
Hello,
IMHO the "not standard ports" is meant as "old, useless ports now".
So in short, ports 993/995 are IANA officially approved, and thus "standard". Further to this, they are in use by the vast majority of email providers, and as far as I can tell, there are no functional or security disadvantages to using SSL over 993/995 - instead of STARTTLS over 110/143.
On Mon, 21 Aug 2017, Sebastian Arcus wrote:
On 21/08/17 13:39, Robert Wolf wrote:
On Mon, 21 Aug 2017, Sebastian Arcus wrote:
On 21/08/17 10:37, Gedalya wrote:
On 08/21/2017 07:28 AM, voytek@sbt.net.au wrote:
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
There is no concrete answer. There are various opinions and feelings about this. The opinion against 993/995 is that these are not standard ports,
Out of curiosity, is there a source for this? It's the first time I hear that 993/995 are not standard ports - and searching on the Internet, I can't find any evidence to back it up? Also, pretty much all email software has been using them for the past 20 years or so. It seems like a curiously high rate of adoption for a non-standard :-)
Hello,
IMHO the "not standard ports" is meant as "old, useless ports now".
So in short, ports 993/995 are IANA officially approved, and thus "standard". Further to this, they are in use by the vast majority of email providers, and as far as I can tell, there are no functional or security disadvantages to using SSL over 993/995 - instead of STARTTLS over 110/143.
Hello Sebastian,
there are no functional disadvantages
*** As I have written, only if some protocol can be used in a purely plain-text mode do the SSL ports generate additional encryption load. CPU is probably no problem today, but I have seen some slower SSL connections on higher-latency networks. I am not an SSL expert, but it looks like there is some ACK in SSL after some "SSL packet" which makes the connection slower on a high-latency network, because SSL must wait for the packet ACK. In a plain-text connection, TCP requires ACKs too, but TCP can open a big window and send much data at once and wait only for the last ACK.
there are no security disadvantages
*** Exactly, there is really no security disadvantage to using SSL ports, the encryption is the same; rather, there is a security advantage to using SSL ports, to be sure that all communication is encrypted from the start and the client cannot send anything in plaintext.
Regards,
Robert Wolf.
On 21/08/17 16:25, Robert Wolf wrote:
On Mon, 21 Aug 2017, Sebastian Arcus wrote:
On 21/08/17 13:39, Robert Wolf wrote:
On Mon, 21 Aug 2017, Sebastian Arcus wrote:
On 21/08/17 10:37, Gedalya wrote:
On 08/21/2017 07:28 AM, voytek@sbt.net.au wrote:
is there a 'preferred way'? should I tell users to use 143 over 993 ? or 993 over 143? or?
There is no concrete answer. There are various opinions and feelings about this. The opinion against 993/995 is that these are not standard ports,
Out of curiosity, is there a source for this? It's the first time I hear that 993/995 are not standard ports - and searching on the Internet, I can't find any evidence to back it up? Also, pretty much all email software has been using them for the past 20 years or so. It seems like a curiously high rate of adoption for a non-standard :-)
Hello,
IMHO the "not standard ports" is meant as "old, useless ports now".
So in short, ports 993/995 are IANA officially approved, and thus "standard". Further to this, they are in use by the vast majority of email providers, and as far as I can tell, there are no functional or security disadvantages to using SSL over 993/995 - instead of STARTTLS over 110/143.
Hello Sebastian,
there are no functional disadvantages
*** As I have written, only if some protocol can be used in a purely plain-text mode do the SSL ports generate additional encryption load. CPU is probably no problem today, but I have seen some slower SSL connections on higher-latency networks. I am not an SSL expert, but it looks like there is some ACK in SSL after some "SSL packet" which makes the connection slower on a high-latency network, because SSL must wait for the packet ACK. In a plain-text connection, TCP requires ACKs too, but TCP can open a big window and send much data at once and wait only for the last ACK.
there are no security disadvantages
*** Exactly, there is really no security disadvantage to using SSL ports, the encryption is the same; rather, there is a security advantage to using SSL ports, to be sure that all communication is encrypted from the start and the client cannot send anything in plaintext.
Hi Rob - thank you for the clarification. It is interesting information.
Bottom line, a server operator's view can be a lot narrower than this, especially in the scenario where you serve the general public and do not control the clients. There is definitely no reason why you wouldn't want to serve ports 993/995. The MITM thing can be used to argue against serving ports 110/143, and some servers indeed do not offer those. But you'll always deal with people who would insist 110/143 is the "right" way. It's nice to provide more than one option, and you can expect many modern clients to default to requiring STARTTLS and do proper certificate validation. On my own server I provide only 143, and I control all the clients. So you know my taste on the matter :)