different TLS protocols on different ports

Joseph Tam jtam.home at gmail.com
Thu Nov 15 05:12:16 EET 2018

Michael A. Peters <mpeters at domblogger.net> wrote:

> > Couldn't you run two different instances (with 2 separate run-time
> > directories), each listening on a different port with their own SSL
> > configuration??? Or would it clash somewhere?
> > 
> > If only a single running instance of dovecot is required, I guess you
> > can run dovecot on the localhost interface, and use 2 stunnel proxies.
> Honestly that violates the concept of KISS.

(Just to be clear, I'm not the OP.)

I agree -- if the OP can convince the user to change mail readers, that would
be better all around.  However, some users will only let go of their
mail reader when you pry it from their dead, cold fingers, and you'll
be applying KISS in the social context.  Doing a technical workaround
is sometimes simpler than picking a fight with them.  This has to be
balanced with the security requirements.

Noel <noeldude at gmail.com> writes:

> Strongly agree with this.  If you have enough users that you have to
> use both hands to count them, running different protocols on
> different ports is a sure-fire way to annoy your users and create
> problems for support staff (eg. you).  Either allow the antique
> protocol everywhere, or give notice and cut it off.

I'm not sure why users would be annoyed -- this is more or less transparent
to them.  If, however, you remove a TLS flavour and thereby break
a previously working mail reader, you'll get the definition of
"annoyed" demonstrated when you explain to the user why you won't allow
their beloved FoobyBletch5000 mail reader to work.

Joseph Tam <jtam.home at gmail.com>