IMAP on 993/SSL or 143/STARTTLS?

Alan McGinlay alanm at sics.se
Mon Aug 18 09:33:37 UTC 2014


On 2014-08-18 05:03, Gedalya wrote:
> On 08/17/2014 10:45 PM, Alex wrote:
> > Hi,
> >
> > I have a postfix+dovecot-2.2.13 system and have configured it to
> > support IMAPS on 993 with SSL/TLS. I'm noticing with users using
> > Thunderbird, the autodetect defaults to IMAPS on 143 with STARTTLS.
> >
> > Which is preferred? Which is more secure? Which is more common?
> >
> > Why would someone choose one over the other?
> >
> > Can I ask the same question about SMTP and submission? Why would one
> > choose 587 with STARTTLS versus 465 with SSL/TLS?
> >
> > Thanks,
> > Alex
>
> Implicit SSL ports were specified before STARTTLS was specified,
> therefore they are considered deprecated.
> There is no major difference between the two in terms of security or
> functionality. Ultimately they both just work. And ultimately you
> probably want to simply support both for maximum compatibility. (For
> older versions of Microsoft Outlook you _must_ support port 465
> because they didn't support STARTTLS, although I don't know how many
> of these are still out there.)
> Technically one can argue that STARTTLS is less secure because it
> starts off in plaintext (there even was an exploit recently against
> STARTTLS in nginx's SMTP proxy [1]) but that's anecdotal in my
> opinion, and the general opinion seems to be in favor of deprecating
> 993/995/465. A man-in-the-middle can very easily filter out STARTTLS
> from the conversation and this would be effective against
> _opportunistic_ STARTTLS, but the equivalent of port 993 is a client
> that requires STARTTLS and refuses to log in otherwise. From an
> admin's point of view, you would prefer to support just one port per
> service, and 110/143/25 are the "real" standard ports and people seem
> to lean towards that.
> 
> Whatever anyone says about this topic will start a flamewar.
> 
> 
> [1] http://nginx.org/en/CHANGES-1.6

No need to start a flamewar; I think everything you stated is
completely correct. Support everything for maximum compatibility. In
fact, I seem to recall that the iPhone iOS mail application doesn't
support STARTTLS for IMAP yet?

From an admin's point of view the fewer ports the better, as you say, but
you will end up with more user confusion and more support requests, so
the benefit is negated.
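The "client that requires STARTTLS and refuses to log in otherwise" from the quoted reply, as an added example that is not part of this thread: the decision a mail client makes from the IMAP greeting on port 143, contrasted with the opportunistic policy that STARTTLS stripping defeats. The greeting strings are constructed; the capability names follow RFC 3501 and RFC 2595.

```python
import re
from enum import Enum

# Constructed sample greetings (not captured from a real server).
# A Dovecot-style plaintext greeting that advertises STARTTLS and refuses
# plaintext LOGIN via LOGINDISABLED (RFC 2595):
GENUINE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE "
                    "IDLE STARTTLS LOGINDISABLED] Dovecot ready.")
# The same greeting after a stripping middlebox removes both tokens, so the
# client is invited to log in over plaintext.
STRIPPED_GREETING = GENUINE_GREETING.replace(" STARTTLS LOGINDISABLED", "")
# Capabilities re-requested after the TLS handshake (never reuse the cached set).
POST_TLS_CAPABILITY = ("* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE "
                       "IDLE AUTH=PLAIN")

class Next(Enum):
    STARTTLS = "send STARTTLS, verify the certificate, re-fetch CAPABILITY"
    ABORT = "close the connection; never send credentials in plaintext"
    LOGIN = "TLS is up and LOGIN/AUTHENTICATE is permitted"

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]|^\* CAPABILITY (.*)$", re.M)

def parse_capabilities(line):
    """Return the capability tokens from a greeting such as
    '* OK [CAPABILITY ...]' or an untagged '* CAPABILITY ...' response."""
    m = _CAP_RE.search(line)
    if not m:
        return set()
    tokens = m.group(1) if m.group(1) is not None else m.group(2)
    return {t.upper() for t in tokens.split()}

def required_next_step(capability_line, tls_active):
    """Policy of a client that *requires* STARTTLS on port 143: the only
    command it will ever issue on the plaintext connection is STARTTLS."""
    caps = parse_capabilities(capability_line)
    if not tls_active:
        return Next.STARTTLS if "STARTTLS" in caps else Next.ABORT
    # After the handshake a misconfigured server may still say LOGINDISABLED;
    # do not fall back to sending a password in that case either.
    return Next.ABORT if "LOGINDISABLED" in caps else Next.LOGIN

def opportunistic_next_step(capability_line):
    """Policy of an *opportunistic* client: use STARTTLS if offered,
    otherwise log in anyway. This is the behaviour stripping relies on."""
    caps = parse_capabilities(capability_line)
    return Next.STARTTLS if "STARTTLS" in caps else Next.LOGIN

if __name__ == "__main__":
    for name, line in [("genuine", GENUINE_GREETING), ("stripped", STRIPPED_GREETING)]:
        print(f"{name:8} required: {required_next_step(line, False).name:8} "
              f"opportunistic: {opportunistic_next_step(line).name}")
```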