[Dovecot] SSL / TLS

Michael Orlitzky michael at orlitzky.com
Sat Jun 27 20:39:59 EEST 2009 

Carlos Williams wrote:
> On Fri, Jun 26, 2009 at 5:46 PM, Michael Orlitzky<michael at orlitzky.com> wrote:
>> A typical "TLS" session will work as follows:
>>
>> 1  The client connects to the IMAP service on port 143, unencrypted.
>> 2  The server announces that it speaks TLS.
>> 3  The client says "Ok, let's talk encrypted."
>> 4  Magic occurs, and the session becomes encrypted. This step is where
>>   your "SSL" certificate is used.
>> 5  The rest of the session is encrypted.
> 
> Thats a great and informative breakdown. I guess I just don't see a
> benefit of using either over another.
> It would appear that using SSL where the session is assumed before
> established to be encrypted rather
> than switching to encrypted just saves time. They both appear to do
> the same thing. Obviously from what
> I read, TLS is newer than SSL but sometimes thats not always a good
> thing. I just don't know in this case.
> Do you recommend I do one over the other? I don't really have a
> requirement here at all yet so that being
> said, I would rather someone who has better understand of this tell me
> what they would do for a simple
> Postfix / Dovecot install on a Linux server.

The benefit of using TLS via STARTTLS (Hey, I speak TLS...) is that you
can offer both encrypted and plaintext IMAP on the same port. Since you
don't want to offer plaintext IMAP, you're correct that there isn't much
difference between the two.

Your users will most likely determine which method(s) you can use. Start
out with one, and then add the other if anyone has trouble. Both are
perfectly secure as long as you don't allow plaintext authentication
(disable_plaintext_auth = yes) [1].

IMAPS on port 993 has better client support in my experience, but
occasionally, port 993 will be blocked e.g. at universities where the
admins have never heard of it.

Postfix is a different story. You have to support plaintext SMTP if you
want to receive mail. Encryption on port 25 is therefore, at best,
optional. This makes TLS via STARTTLS the obvious choice.

Do your users submit mail to port 25 (SMTP), or 587 (submission)? If the
latter, then the Postfix configuration is particularly simple. The 
configuration below will set a default where TLS is optional for all 
incoming messages. Then, in master.cf, that default is overwritten to 
force TLS on port 587.


main.cf
-------
smtpd_tls_security_level = may
smtpd_tls_cert_file = <your cert>
smtpd_tls_key_file = <your key>


master.cf
---------
submission inet n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


[1] Caveat: When you set disable_plaintext_auth = yes, and a client 
connects on port 143, Dovecot basically says "DON'T SEND YOUR PASSWORD 
IN PLAIN TEXT BECAUSE IT WON'T WORK." There is at least one client -- I 
don't remember which -- that ignores this and sends the password *in 
plain text* anyway. Someone on this list can probably identify the 
client. If any of your users insist on using it, stick with IMAPS on 
port 993.

More information about the dovecot mailing list