different TLS protocols on different ports

Michael A. Peters mpeters at domblogger.net
Thu Nov 15 00:08:57 EET 2018

On 11/14/2018 01:46 PM, Joseph Tam wrote:
> On Wed, 14 Nov 2018, Aki Tuomi wrote:
>>> I'm providing IMAP+Starttls on port 143 for users with legacy MUA.  So
>>> I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to
>>> enable TLS1.2 and TLS1.3 only.
>>> Is this possible with dovecot-2.2.36 / how to setup this?
>> Not possible I'm afraid.
> ("Not possible" = challenge!)
> Couldn't you run two different instances (with 2 separate run-time
> directories), each listening on a different port with their own SSL
> configuration?  Or would it clash somewhere?
> If only a single running instance of dovecot is required, I guess you
> can run dovecot on the localhost interface, and use 2 stunnel proxies.
> Joseph Tam <jtam.home at gmail.com>

Honestly that violates the concept of KISS.

Given that TLS 1.2 is now a decade old, do you really need to still 
allow clients not capable of TLS 1.0/1.1 ???

I still do but only allow cipher suites with Forward Secrecy.

I don't run huge mail server, but from quick look at my logs I don't 
even see any clients connecting that aren't TLS 1.2 anymore.

Might be easier to just give a six month notice that clients running TLS 
more than a decade old will no longer be supported.

More information about the dovecot mailing list