I know this isn't an Outlook mailing list. But does Outlook even do TLS? I'm running the UW-IMAP server on port 993 and I wanted people to connect via perdition on port 143 and then redirect to port 993. But with 143, and SSL checked, it won't work.

nancy
-------------------------------------
Nancy Lin                        DECF
1109A Etcheverry Hall    510-642-7291
Office Hours:         2PM-4PM Mon-Thu
-------------------------------------


Mark Crispin wrote:
> On Wed, 21 Mar 2007, David B Funk wrote:
> > Here's a little-known fact about Apple Mail:  if you select SSL support
> > for IMAP, it actually will connect with SSL to the IMAP server, if and
> > only if the port is set to 993.  If you specify any other port to
> > Apple Mail, and check the SSL checkbox, it will connect in the clear,
> > and attempt to do STARTTLS.  If the server doesn't, in its
> > CAPABILITIES string, indicate STARTTLS, it will simply issue a LOGOUT
> > and disconnect.
>
> Um, given that is arguably correct behavior, what is so notable about
> this? Kudos to Apple for getting that part of Apple Mail correct

That is NOT correct behavior!!!

If SSL is checked in the client, then the client should negotiate SSL and not TLS, without regard to the port number. Perhaps checking the SSL box may change the default port from 143 to 993. However, if the SSL box is checked and the port is 10993, it should use SSL, not TLS.

More importantly,
    *** TLS is ***NOT*** SSL ***

SSL uses the SSLv23 method at connection initiation. TLS uses the TLSv1 method after negotiation of a start-TLS command. These are different and incompatible in multiple ways.

Do not confuse the two!

So, you may ask, how do you make the client do TLS?

The answer is: you don't!!

The client should negotiate TLS *automatically* with any server that advertises STARTTLS. The user should NOT be required to check a box to protect his password from being blasted for every hacker on the planet to see.

I'd go even further, and say that the client should refuse to connect if the server does not offer TLS.

Similarly, server certificates should be validated by default for both SSL and TLS. The user should NOT be required to check a box to say "tell me when my server is a fraud."

OK, you may need an option to disable certification validation, and to allow non-TLS. But these should be the things you have to check and NOT be the defaults.

Thus, Apple Mail's behavior is wrong on two counts. First, it requires the server to take action to protect his password. Second, it makes it impossible to access an SSL-IMAP server on other than port 993.

> Contrast that with Outlook's borked behavior WRT SMTP & SSL. If you
> check the SSL box in the SMTP server config and leave the port set
> to 25 it will try to do STARTTLS. If you set the port to -any- other
> value (such as 587 for the 'MSA' port) it will try to do SSLv3 and fail.
> There's no way to get it to do STARTTLS to port 587, it should only do
> SSLv3 to port 465 (smtps port).

The thing wrong with Outlook's behavior is that it doesn't do TLS automatically. Otherwise, what you describe would be correct; the SSL checkbox properly governs SSL behavior, not TLS.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw

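As an added example, not code from this thread, from UW-IMAP, Apple Mail or Outlook: a small Python IMAP client side that implements the client policy Mark argues for above. With the SSL box checked it treats the connection as implicit TLS on whatever port was configured (it never turns the box into a STARTTLS request); with the box unchecked it connects in the clear, reads the CAPABILITY list, insists on STARTTLS and refuses to send LOGIN until the upgrade has happened; and it relies on `ssl.create_default_context()`, which validates the certificate chain and host name unless the caller deliberately turns that off. The function and class names, the canned server reply tables and the user name/password are constructed for the illustration so that it runs offline; `open_socket` is the only piece that touches the network and is not exercised by the scripted transcripts.

```python
"""Added example (not UW-IMAP, Apple Mail or Outlook code): an IMAP client that
follows the policy argued above.  SSL checked = implicit TLS on whatever port was
configured; unchecked = connect in the clear, require STARTTLS from CAPABILITY,
never send LOGIN before the upgrade; certificates are validated by default.
ScriptedTransport and its reply tables are constructed so this runs offline."""
import re
import socket
import ssl
CAP_RE = re.compile(rb"\* CAPABILITY ([^\r\n]*)|\* (?:OK|PREAUTH) \[CAPABILITY ([^\]]*)\]")


class PlaintextRefused(Exception): """Would otherwise have sent the password in the clear."""


def parse_capabilities(line):
    """Atoms from '* CAPABILITY ...' or a greeting's [CAPABILITY ...] code (RFC 3501)."""
    m = CAP_RE.match(line.strip())
    caps = b"" if not m else (m.group(1) if m.group(1) is not None else m.group(2))
    return {c.upper() for c in caps.decode("ascii", "replace").split()}


def validates_certificates(context=None):
    """ssl.create_default_context() checks chain and host name unless told not to."""
    context = context or ssl.create_default_context()
    return context.verify_mode == ssl.CERT_REQUIRED and bool(context.check_hostname)


def open_socket(host, port, ssl_checked, context=None):
    """Real network path (not run offline): SSL checked wraps the socket before the
    greeting on whatever port was given; a later STARTTLS upgrade is the same call."""
    context = context or ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=30)
    return context.wrap_socket(sock, server_hostname=host) if ssl_checked else sock


class ScriptedTransport:
    """Offline stand-in for a line transport: answers each command from a canned
    reply table, one for the clear phase and one for after the upgrade."""
    def __init__(self, greeting, clear_replies, tls_replies, encrypted=False):
        self.lines, self.encrypted = [greeting], encrypted
        self.replies, self.sent = {False: clear_replies, True: tls_replies}, []

    def readline(self):
        return self.lines.pop(0)

    def send(self, data):                   # records (was_encrypted, bytes)
        self.sent.append((self.encrypted, data))
        tag, verb = data.split()[:2]
        for reply in self.replies[self.encrypted].get(verb, [b"{tag} BAD unknown\r\n"]):
            self.lines.append(reply.replace(b"{tag}", tag))

    def starttls(self):
        self.encrypted = True


def secure_session(transport, username, password):
    """Log in under the policy; returns (login_ok, capabilities in force at LOGIN)."""
    caps, tagno = parse_capabilities(transport.readline()), 0

    def command(verb, *args):
        nonlocal tagno
        tagno += 1
        tag = b"a%03d" % tagno
        transport.send(b" ".join((tag, verb) + args) + b"\r\n")
        lines = [transport.readline()]
        while not lines[-1].startswith(tag + b" "):
            lines.append(transport.readline())
        return lines

    def capabilities():
        return set().union(*map(parse_capabilities, command(b"CAPABILITY")))

    if not transport.encrypted:
        caps = caps or capabilities()
        if "STARTTLS" not in caps:
            command(b"LOGOUT")
            raise PlaintextRefused("no STARTTLS offered; the password stays unsent")
        if command(b"STARTTLS")[-1].split()[1:2] != [b"OK"]:
            command(b"LOGOUT")
            raise PlaintextRefused("server rejected STARTTLS")
        transport.starttls()
        caps = capabilities()               # RFC 2595: re-ask, the list changes
    if "LOGINDISABLED" in caps:
        command(b"LOGOUT")
        raise PlaintextRefused("LOGINDISABLED still advertised")
    quoted = [b'"%s"' % s.encode() for s in (username, password)]  # real code: escape \ and "
    return command(b"LOGIN", *quoted)[-1].split()[1:2] == [b"OK"], caps


def scripted(starttls=True, ssl_checked=False):
    """Constructed transcripts: a server that advertises STARTTLS and withholds
    LOGIN until the upgrade (default), one with no TLS at all, or implicit TLS."""
    ok, bye = b"{tag} OK done\r\n", [b"* BYE\r\n", b"{tag} OK done\r\n"]
    tls = {b"CAPABILITY": [b"* CAPABILITY IMAP4REV1 AUTH=PLAIN\r\n", ok], b"LOGIN": [ok], b"LOGOUT": bye}
    clear = {b"CAPABILITY": [b"* CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED\r\n", ok],
             b"STARTTLS": [b"{tag} OK Begin TLS negotiation now\r\n"], b"LOGOUT": bye}
    if ssl_checked:
        return ScriptedTransport(b"* OK [CAPABILITY IMAP4REV1 AUTH=PLAIN] ready\r\n", tls, tls, True)
    if not starttls:
        return ScriptedTransport(b"* OK ready\r\n", tls, tls)
    return ScriptedTransport(b"* OK [CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED] ready\r\n", clear, tls)
```

`secure_session(scripted(), "alice", "secret")` walks the STARTTLS path: the greeting already carries STARTTLS and LOGINDISABLED, so the client upgrades first, re-issues CAPABILITY (the list shrinks to AUTH=PLAIN once encrypted) and only then sends LOGIN. `scripted(starttls=False)` is the server Nancy's perdition front end would look like without STARTTLS: the client sends LOGOUT and raises PlaintextRefused rather than blasting the password in the clear. `scripted(ssl_checked=True)` stands in for port 993 or any other port with the box checked: the transport is encrypted before the greeting, so LOGIN goes out immediately. Against a real server, the socket from `open_socket` needs a thin adapter with the same readline/send/starttls methods, which is left out here.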
