[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Mon Sep 16 18:00:18 EEST 2013


On Sep 16, 2013, at 10:56 AM, Reindl Harald wrote:

> 
> 
> On 16.09.2013 16:48, Dan Langille wrote:
>> On Sep 16, 2013, at 10:21 AM, Reindl Harald wrote:
>> 
>>> On 16.09.2013 16:10, Dan Langille wrote:
>>>>> Have you/they tried simply using TLS on 143?  (preferred as POP3s/IMAPs
>>>>> has really been deprecated everywhere for some time now)
>>>> 
>>>> For this test, I reconfigured the server to NOT use IMAPS and restarted it.  Then I went 
>>>> to my iPhone and turned off SSL for this mail account.
>>>> 
>>>> That configuration works for my iPhone.
>>>> 
>>>> Looking via tcpdump, I can see that emails are indeed being downloaded in clear text
>>> 
>>> you need to understand the difference between IMAPS/POP3S on the dedicated
>>> 9xx ports versus STARTTLS on 143/110
>> 
>> I believe I do understand.  
>> 
>>> http://en.wikipedia.org/wiki/STARTTLS
>> 
>> Yes, that's what I thought STARTTLS was.
>> 
>>> if you turn off SSL it is turned off
>>> on sane clients like thunderbird you can switch between cleartext/STARTTLS and SSL
>> 
>> So far, with all we've tried, the only secure option appears to be self signed certificates
> 
> having like here since 2009 a Thawte certificate for SMTP/POP3/IMAP/HTTPS
> without any issue is the better option because it is accepted by *any*
> client and not *that* expensive
> 
> dealing with self-signed certificates is *plain wrong* because you educate
> your users to happily confirm SSL warnings in their clients and having
> the final result of this in mind it's better not to offer SSL at all

When I am setting up servers for others to use, I agree.  In this case, I am the only user.

-- 
Dan Langille - http://langille.org


