Outlook Express and STARTTLS

Robert Moskowitz rgm at htt-consult.com
Fri Nov 21 21:24:55 UTC 2014


On 11/21/2014 04:04 PM, Reindl Harald wrote:
>
> Am 21.11.2014 um 21:51 schrieb Robert Moskowitz:
>> On 11/21/2014 03:38 PM, Gedalya wrote:
>>> On 11/21/2014 03:32 PM, Robert Moskowitz wrote:
>>>>
>>>> On 11/21/2014 03:09 PM, Reindl Harald wrote:
>>>>>
>>>>> Am 21.11.2014 um 20:59 schrieb Robert Moskowitz:
>>>>>> I have one user that uses Outlook Express.   Not only do I not use
>>>>>> it, I don't have any systems here that can easily use it.  A bit of
>>>>>> a challenge.
>>>>>>
>>>>>> I am strictly enforcing STARTTLS or TLS for SMTP/POP3/IMAP
>>>>>> connections.
>>>>>>
>>>>>> So far a google search has not shown me how to configure this for a
>>>>>> user.  Anyone have a pointer to instructions so I can talk the
>>>>>> person through the changes?
>>>>>
>>>>> it can't, just like Outlook for POP3/IMAP
>>>>> you need 993/995 *without* STARTTLS - period
>>>>>
>>>>> and that's why a sane mailserver needs to support
>>>>> 110,143,993,995,587 *and* 465 to support every client, that won't
>>>>> change in the near future
>>>>>
>>>> I missed 465; got the rest.  Will have to look THAT one up. Thanks
>>>> for the tip, Harald.
>>> That's just implicit TLS for SMTP submission, instead of 587. OE needs
>>> that.
>>>
>> Which is why the IETF has pushed back hard against every transport
>> wanting a second port number for TLS.  There just are not enough port
>> numbers for this purpose.
>
> well, if we could turn back time 15 years many things would be
> different - IMHO the decision to deprecate 465 in favour of STARTTLS
> is plain wrong - it is much easier for a MITM to strip out the
> STARTTLS in the still unencrypted connection (given a client falls
> back to unencrypted in that case) before the TLS handshake ever happens
>
It becomes yet another DoS attack, as the server would recognize this
and drop the connection.  Or at least it should.  There are still so
many MITM attacks it is sad.  We do them by intent in corporate
proxies to meet their legal rights as to internal usage.

But, yes, we really need a way-back machine.  Lots of great ideas are 
just not holding up.
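
The STARTTLS-stripping scenario Harald describes, and the server-side
"refuse AUTH until TLS is up" check Robert refers to, as an added
example that is not part of the thread and is not Dovecot or Postfix
code: a throwaway localhost SMTP responder whose EHLO reply is either
honest or has had the STARTTLS line removed, and a smtplib client that
either refuses to authenticate when STARTTLS is missing (strict) or
falls back to AUTH in the clear (sloppy). The host names
mail.example.test and client.example.test, the EHLO lines and the
AUTH PLAIN credential string are constructed test data.

```python
import smtplib
import socket
import threading

# Constructed EHLO replies (test data, not anything captured from the thread).
# An honest submission server on 587 advertises STARTTLS; a MITM sitting on the
# still-cleartext leg of the session only has to delete that one line.
HONEST_EHLO = ("mail.example.test", "STARTTLS", "AUTH PLAIN LOGIN", "8BITMIME")
STRIPPED_EHLO = ("mail.example.test", "AUTH PLAIN LOGIN", "8BITMIME")

# Constructed AUTH PLAIN initial response: base64 of "\0alice\0secret".
FAKE_AUTH_PLAIN = "AGFsaWNlAHNlY3JldA=="


def _serve_one_session(listener, ehlo_lines):
    """Throwaway localhost SMTP responder: greet, answer one EHLO with the given
    lines, answer AUTH with 530 because no TLS session exists (RFC 3207 s.4,
    the server-side check from the thread), and stop at QUIT."""
    with listener:
        conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(b"220 mail.example.test ESMTP\r\n")
        while True:
            raw = rfile.readline()
            if not raw:
                break  # client went away
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("EHLO"):
                body = [f"250-{ext}" for ext in ehlo_lines[:-1]]
                body.append(f"250 {ehlo_lines[-1]}")
                conn.sendall(("\r\n".join(body) + "\r\n").encode("ascii"))
            elif cmd.startswith("AUTH"):
                conn.sendall(b"530 5.7.0 Must issue a STARTTLS command first\r\n")
            elif cmd.startswith("QUIT"):
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.1 Command not implemented\r\n")


def start_fake_server(ehlo_lines):
    """Bind an ephemeral 127.0.0.1 port and serve exactly one session on it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    thread = threading.Thread(
        target=_serve_one_session, args=(listener, ehlo_lines), daemon=True
    )
    thread.start()
    return port, thread


def submit_check(port, require_starttls=True):
    """A submission client's decision after EHLO. Returns
    'starttls-advertised'  (a real client would call smtp.starttls() next),
    'refused-stripped'     (strict client: no STARTTLS, so no credentials), or
    'auth-rejected-<code>' (sloppy client that tried AUTH in the clear)."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example.test",
                      timeout=5) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            # Real client: smtp.starttls(context=...), smtp.ehlo() again, then
            # AUTH. The fake server speaks no TLS, so stop here.
            return "starttls-advertised"
        if require_starttls:
            return "refused-stripped"
        # The fallback Harald warns about: AUTH PLAIN carries the password with
        # the command, so it is on the wire before the server's 530 comes back.
        code, _ = smtp.docmd("AUTH", "PLAIN " + FAKE_AUTH_PLAIN)
        return f"auth-rejected-{code}"


def demo():
    """Run the three scenarios and collect each client's outcome."""
    outcomes = {}
    for name, ehlo, strict in (
        ("honest-587", HONEST_EHLO, True),
        ("stripped-strict-client", STRIPPED_EHLO, True),
        ("stripped-sloppy-client", STRIPPED_EHLO, False),
    ):
        port, thread = start_fake_server(ehlo)
        outcomes[name] = submit_check(port, require_starttls=strict)
        thread.join(5)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The sloppy-client run is the one worth staring at: the server's 530 does
turn the stripped session into a failed login, but with AUTH PLAIN the
credential has already crossed the cleartext leg by the time that reply
arrives, so the server-side check limits damage only for clients that
never send credentials before a TLS session is up. That is why the
client-side refusal is the part that matters, and why the implicit-TLS
ports (465/993/995) sidestep the problem entirely: there is no cleartext
phase to rewrite. To check a real server's 587 banner from the outside,
openssl s_client -connect host:587 -starttls smtp will show whether
STARTTLS is offered and whether the handshake completes.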
