[Dovecot] SSL / TLS

Marko Weber | Salondigital.de marko.weber at salondigital.de
Sun Jun 28 10:59:08 EEST 2009



Michael Orlitzky wrote:
> Timo Sirainen wrote:
>> On Fri, 2009-06-26 at 23:39 +0400, Proskurin Kirill wrote:
>>> SSL just binds to special port(like 993 in IMAP by default).
>>
>> No, SSL is a protocol, just like TLS. It doesn't bind to any ports.
>> http://wiki.dovecot.org/SSL
>>
>
> To illustrate, both SSL and TLS as implemented in Dovecot utilize "SSL 
> certificates."
>
> A typical "TLS" session will work as follows:
>
> 1  The client connects to the IMAP service on port 143, unencrypted.
> 2  The server announces that it speaks TLS.
> 3  The client says "Ok, let's talk encrypted."
> 4  Magic occurs, and the session becomes encrypted. This step is where
>    your "SSL" certificate is used.
> 5  The rest of the session is encrypted.
>
> /Usually/, when people refer to SSL as opposed to TLS, they mean IMAPS 
> or POPS. These differ in that there's no "Hey, I speak TLS" step. It 
> is assumed that the conversation will begin according to some secure 
> protocol, kind of like when you connect to a web server on port 443.
>
> 1  The client connects to IMAPS on port 993, and performs the secure
>    handshake. Your "SSL" certificate is used in here somewhere.
> 2  Once the handshake has completed, the rest of the session is secure.
>
> When implementing IMAPS/POPS you will usually use a different port, 
> because if you tried to talk plaintext to the server, it would appear 
> to be speaking gibberish (whatever secure protocol is being used).
>
> With TLS enabled on a normal IMAP port, the switch from plaintext to 
> encrypted is optional. Although, it's usually a good idea to force 
> TLS, too.
>
> Much of the confusion comes from the fact that you can use either 
> protocol, TLSv1 or SSLv3 after the "Hey I speak TLS" step. Likewise, 
> you can use TLSv1 with IMAPS or POPS, though its use will be implied 
> and there will be no "Hey, I speak TLS" step. There's really no 
> agreement amongst mail clients as to the meaning of "Use SSL" and "Use 
> TLS."
>
> You may find it easiest to concentrate on the one distinction: does 
> the session begin encrypted, or does it switch from plaintext to 
> encrypted at some point? Once you've answered that, either of the 
> SSLv3 or TLSv1 protocols can be used, and they will both use your 
> "SSL" certificate.
>
> Ultimately, you may wind up using both, depending on your user base. 
> Many versions of Outlook are screwy with regard to one or both of 
> these methods.
>
From Outlook version 2007 on you can choose between SSL / TLS in the settings 
of the mail account. In Outlook 2003 we experienced that the only choosable 
option, SSL, can also work with TLS.
BUT, we found out, Outlook 2000 & 2002 can't work with any of our 
"forced" TLS mail servers.
Also Microsoft's ENTOURAGE or whatever that client is named can't work with 
TLS, and neither can some "Mail" clients from OS X, but the latest do.
hope that helps

marko
-- 


*Marko Weber* | Administration

*SALON DIGITAL* Media GmbH
Rothenbaumchaussee 19a
20148 Hamburg

T. (040) 429 48 68 - 23
F. (040) 429 48 68 - 20

marko.weber at salondigital.de
www.salondigital.de

--
Managing directors: Stephan Michalik, Ekkehart Opitz
Register court: Amtsgericht Hamburg, No. HRB 78111
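The two session starts Michael describes above (plaintext IMAP on 143 with a STARTTLS upgrade, versus IMAPS on 993 where the handshake comes first), as an added example that is not part of the thread: a Python sketch of the client-side decision, with constructed CAPABILITY words and a force-TLS rule so credentials are never sent in the clear. The step names are illustrative labels, not real imaplib calls.

```python
import ssl

IMAP_PORT = 143   # plaintext IMAP; encryption is an optional upgrade (STARTTLS)
IMAPS_PORT = 993  # IMAPS; the TLS handshake is the first thing on the wire


def tls_context():
    # One client-side TLS configuration serves both modes: the server presents
    # the same "SSL" certificate whether it is used at byte one or after STARTTLS.
    ctx = ssl.create_default_context()          # verifies the certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3/TLSv1 from the 2009 thread are long deprecated
    return ctx


def session_plan(port, server_capabilities, force_tls=True):
    """Return the ordered client steps for one session start.

    server_capabilities: words the server advertised in its CAPABILITY reply on
    the plaintext connection (constructed for this example; unused on 993).
    force_tls: refuse to send credentials if the connection cannot be encrypted.
    """
    steps = []
    if port == IMAPS_PORT:
        steps.append("tls-handshake")      # certificate used here, before any IMAP text
        steps.append("LOGIN")              # already encrypted
        return steps
    # Port 143: start in plaintext and look for the "I speak TLS" announcement.
    steps.append("CAPABILITY")
    caps = {c.upper() for c in server_capabilities}
    if "STARTTLS" in caps:
        steps.append("STARTTLS")           # "Ok, let's talk encrypted"
        steps.append("tls-handshake")      # certificate used here
        steps.append("LOGIN")
    elif force_tls or "LOGINDISABLED" in caps:
        steps.append("LOGOUT")             # no upgrade offered: never send the password in clear
    else:
        steps.append("LOGIN")              # plaintext login, only when explicitly allowed
    return steps


def credentials_encrypted(steps):
    """True if LOGIN is sent only after a TLS handshake (or not at all)."""
    if "LOGIN" not in steps:
        return True
    return "tls-handshake" in steps and steps.index("tls-handshake") < steps.index("LOGIN")
```

The plan for a server that omits STARTTLS ends in LOGOUT when force_tls is set, which is the client-side counterpart of the "force TLS" advice in the thread.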
