[Dovecot] SSL / TLS
Jean-Noel Chardron
Jean-Noel.Chardron at dr15.cnrs.fr
Sat Jun 27 21:06:09 EEST 2009
Carlos Williams wrote:
> On Fri, Jun 26, 2009 at 5:46 PM, Michael Orlitzky<michael at orlitzky.com> wrote:
>
>> A typical "TLS" session will work as follows:
>>
>> 1 The client connects to the IMAP service on port 143, unencrypted.
>> 2 The server announces that it speaks TLS.
>> 3 The client says "Ok, let's talk encrypted."
>> 4 Magic occurs, and the session becomes encrypted. This step is where
>> your "SSL" certificate is used.
>> 5 The rest of the session is encrypted.
>>
>
> That's a great and informative breakdown. I guess I just don't see a
> benefit of using either over another.
> It would appear that using SSL, where the session is assumed to be
> encrypted before it is established, rather than switching to encrypted,
> just saves time. They both appear to do the same thing. Obviously from
> what I read, TLS is newer than SSL, but sometimes that's not always a
> good thing. I just don't know in this case.
> Do you recommend I do one over the other? I don't really have a
> requirement here at all yet, so that being said, I would rather someone
> who has a better understanding of this tell me what they would do for a
> simple Postfix / Dovecot install on a Linux server.
>
> Any recommendations?
>
OK, I will explain how I see things about TLS and SSL and how I
configured our mail server and our network in the university.
(Because of the difficulty of the language, this was translated by Google
with some adjustment.)

My view is simplistic and paranoid: there is a local network where the
colleagues and the nice people are, and there is the outside, the
internet, populated by villains, thieves and spies who do everything to
steal not only your passwords but also your correspondence.

When colleagues leave the local network to go outside with their laptops,
if they want to check their mail, we must tell them: configure your mail
client (Thunderbird) to use TLS.

In reality, these colleagues do not configure their client to use TLS,
despite our advice, because on the IMAP port (143) they can read mail in
plain text without TLS. Why would they bother to go to a panel that they
do not understand and check mysterious boxes, while it works very well
as it is?

On the other hand, if you remove the IMAP port (143), even with TLS, and
leave only the SSL port (993), members are required to configure the
client to use SSL, and you can be certain the encrypted connection is
being used, since it is required.

This is the protocol: the server announces its capability, but it cannot
force the use of TLS, which is the client's initiative.

So for our server configuration, I enabled port 143 (with TLS) and 993;
port 143 is only accessible from the local network and is filtered by a
firewall for internet connections (iptables or Cisco ACLs do this very
well). In reality it is obviously more complicated, because we have VLANs
and VPNs.
jean-noël
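As an added example (not from the thread), a small audit script that looks at what a plaintext port 143 listener actually advertises, since, as the post says, the server only announces STARTTLS and the client decides. It also checks for the LOGINDISABLED keyword (RFC 2595), which is how a server can refuse plaintext logins until STARTTLS has been negotiated; the sample response lines are constructed, and `check_live` needs network access.

```python
import imaplib
import re

# Constructed samples of what a port 143 listener may send before STARTTLS.
# The greeting carries capabilities in brackets; an untagged CAPABILITY
# response lists them bare.
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED "
                   "AUTH=PLAIN] Ready.")
SAMPLE_CAPABILITY = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"


def parse_capabilities(line: str) -> set:
    """Return the capability keywords found in a greeting or CAPABILITY line."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    if m:
        body = m.group(1)
    elif line.upper().startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    else:
        return set()
    return {tok.upper() for tok in body.split()}


def assess_plain_port(caps: set) -> dict:
    """Classify what a client is allowed to do on the unencrypted port."""
    starttls = "STARTTLS" in caps
    login_disabled = "LOGINDISABLED" in caps
    if not starttls:
        verdict = "no-tls"          # only plaintext sessions possible here
    elif login_disabled:
        verdict = "tls-enforced"    # STARTTLS offered, plaintext login refused
    else:
        verdict = "tls-optional"    # offered, but a client may simply skip it
    return {"starttls": starttls, "login_disabled": login_disabled,
            "verdict": verdict}


def check_live(host: str, port: int = 143) -> dict:
    """Query a real server on its plaintext port (network access required)."""
    with imaplib.IMAP4(host, port) as conn:
        _typ, data = conn.capability()
        line = "* CAPABILITY " + data[0].decode("ascii", "replace")
        return assess_plain_port(parse_capabilities(line))
```

A "tls-optional" verdict on a listener reachable from the internet is exactly the situation the post describes: the colleagues' clients will happily read mail in the clear.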