different TLS protocols on different ports
Michael A. Peters
mpeters at domblogger.net
Thu Nov 15 00:08:57 EET 2018
On 11/14/2018 01:46 PM, Joseph Tam wrote:
> On Wed, 14 Nov 2018, Aki Tuomi wrote:
>
>>> I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So
>>> I've to enable TLS1.0 up to TLS1.3. For IMAPS / port 993 I like to
>>> enable TLS1.2 and TLS1.3 only.
>>>
>>> Is this possible with dovecot-2.2.36 / how to setup this?
>>
>> Not possible I'm afraid.
>
> ("Not possible" = challenge!)
>
> Couldn't you run two different instances (with 2 separate run-time
> directories), each listening on a different port with their own SSL
> configuration? Or would it clash somewhere?
>
> If only a single running instance of dovecot is required, I guess you
> can run dovecot on the localhost interface, and use 2 stunnel proxies.
>
> Joseph Tam <jtam.home at gmail.com>

Honestly that violates the concept of KISS.

Given that TLS 1.2 is now a decade old, do you really need to still
allow clients not capable of TLS 1.0/1.1 ???

I still do but only allow cipher suites with Forward Secrecy.

I don't run a huge mail server, but from a quick look at my logs I don't
even see any clients connecting that aren't TLS 1.2 anymore.

Might be easier to just give a six month notice that clients running TLS
more than a decade old will no longer be supported.
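
Added example, not part of the original message or of dovecot itself: a log audit of the kind the reply describes, listing which users still log in over TLS 1.0/1.1 or without forward secrecy before legacy support is dropped. It assumes `login_log_format_elements` includes `%k` so each login line carries the protocol and cipher; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample; assumes login_log_format_elements includes %k so each
# login line carries "<protocol> with cipher <name>".
SAMPLE_LOG = """\
Nov 14 09:01:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4101, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 14 09:03:40 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.22, lip=192.0.2.1, mpid=4107, TLS, TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
Nov 14 09:05:02 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.31, lip=192.0.2.1, mpid=4110, TLS, TLSv1.2 with cipher AES128-SHA (128/128 bits)
Nov 14 09:07:55 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4115, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Nov 14 09:09:13 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=192.0.2.99, lip=192.0.2.1, TLS handshaking: SSL_accept() failed
"""

LOGIN = re.compile(r"-login: Login: user=<(?P<user>[^>]*)>")
TLS = re.compile(r"\b(?P<proto>TLSv1(?:\.\d)?|SSLv\d) with cipher (?P<cipher>\S+)")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def has_forward_secrecy(proto, cipher):
    # TLS 1.3 suites are always ephemeral; older ones need (EC)DHE key exchange.
    return proto == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-"))

def audit(log_text):
    """Return (logins per protocol, users on legacy TLS, users without FS)."""
    per_proto, legacy, no_fs = Counter(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        login = LOGIN.search(line)
        if not login:
            continue  # skip failed handshakes and other non-login lines
        tls = TLS.search(line)
        proto, cipher = (tls["proto"], tls["cipher"]) if tls else ("none", "")
        per_proto[proto] += 1
        if proto in LEGACY:
            legacy[login["user"]].add(proto)
        if tls and not has_forward_secrecy(proto, cipher):
            no_fs[login["user"]].add(cipher)
    return per_proto, dict(legacy), dict(no_fs)

if __name__ == "__main__":
    protos, legacy, no_fs = audit(SAMPLE_LOG)
    print("logins per protocol:", dict(protos))
    print("users to notify (legacy TLS):", legacy)
    print("users without forward secrecy:", no_fs)
```

Logins that show no protocol at all are counted under `none`, which on port 143 means the client never issued STARTTLS.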