Carlos Williams a écrit :
On Fri, Jun 26, 2009 at 5:46 PM, Michael Orlitzky<mich...@orlitzky.com> wrote:
A typical "TLS" session will work as follows:
1 The client connects to the IMAP service on port 143, unencrypted.
2 The server announces that it speaks TLS.
3 The client says "Ok, let's talk encrypted."
4 Magic occurs, and the session becomes encrypted. This step is where
your "SSL" certificate is used.
5 The rest of the session is encrypted.
Thats a great and informative breakdown. I guess I just don't see a
benefit of using either over another.
It would appear that using SSL where the session is assumed before
established to be encrypted rather
than switching to encrypted just saves time. They both appear to do
the same thing. Obviously from what
I read, TLS is newer than SSL but sometimes thats not always a good
thing. I just don't know in this case.
Do you recommend I do one over the other? I don't really have a
requirement here at all yet so that being
said, I would rather someone who has better understand of this tell me
what they would do for a simple
Postfix / Dovecot install on a Linux server.
Any recommendations?
ok I will explain how I see things about TLS and SSL and how I
configured our mail server and our network in the university.
(because of the diffiiculty of the langage these is translate by google
with some adjustement)
My view is a simplistic and paranoid: there is a local network where are
the colleagues and the gentiles, and there are outdoor, internet,
populated by villains, thieves, spies who do everything for you not
steal only passwords but also your correspondence.
When colleagues leave the local network to go outside with their
laptops. if they want to check their mail, we must tell them : configure
your mail client (thunderbird) to use TLS.
In reality, these colleagues do not configure their client to use TLS,
despite our advice, because on port imap (143) they can read mail in
plain text without TLS. why do they bother to go to a panel that they
did not understand, to check boxes mysterious while it works very well
like that.
As against them if you delete the imap port (143) even with TLS and
leave only the SSL port (993). Members are required to configure the
client to use SSL. and you can safely send out the encrypted connection
is required.
This is the protocol: the server announces its capability but can not
force the use of TLS which is an initiative of the client.
So for our server configuration, I enabled port 143 (with TLS) and 993,
port 143 is only accessible from the local network, and is filtered by a
firewall for internet connections (iptable or ACL iptable cisco do this
very well). In reality, it is obviously more complicated because we
have vlan and vpn.
jean-noël
