Andre Oppermann <[EMAIL PROTECTED]> writes:

> You have to differentiate two ways of invoking TLS:
>
> 1. You do it on the entire connection from the beginning. [...]
> This is what happens on port 993 (IMAPSSL). [...] The TLS
> functionality can be implemented outside of the imap daemon. Like
> in this case with SSL/TLS tcpserver.

OK, and that's working fine with the TLS-patched tcpserver on 993.

> 2. TLS is an optional function on an existing port/protocol and has
> to be started while already being in the protocol. By definition
> IMAP on port 143 is unencrypted and has to be this way in the
> beginning. If you now want to enable TLS for this connection you
> have to do so within the IMAP session by requesting a STARTTLS
> command. In this case the TLS functionality has to be implemented
> inside the imap daemon and client. This way of doing things allows
> for unencrypted and encrypted sessions on the same port.

OK, understood. I'll disable tcpserver TLS for IMAP/143 and RTFM to find
how to do it in the courier-imap daemon itself.

> I for myself prefer running ssl/tls stuff the first way. That is
> much nicer and doesn't bloat the daemons with tls stuff. tcpserver
> is exactly the right place to put ssl/tls.

Agreed, it's very clean. I need to find if my customers will be happy with
this or whether they want STARTTLS on 143. Since they've already said they
want to prevent clear-text IMAP, I think IMAPS on 993 with the TLS-tcpserver
should be fine.

Thanks for your clear explanation.
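As an added illustration of the two modes discussed above (this is not code from the thread, from courier-imap or from tcpserver), the following Python script reads an IMAP CAPABILITY response to tell whether a plain port-143 connection offers STARTTLS (mode 2) or still accepts clear-text login, and includes live probes for both the implicit-TLS port and the STARTTLS port; the host/port values, the LOGINDISABLED check (RFC 2595) and the sample greetings are assumptions, not anything the thread states.

```python
import imaplib
import ssl


def parse_capabilities(line: str) -> set[str]:
    """Tokens from '* CAPABILITY ...' or from a '* OK [CAPABILITY ...] text' greeting."""
    upper = line.strip().upper()
    if "[CAPABILITY" in upper:
        start = upper.index("[CAPABILITY") + len("[CAPABILITY")
        body = upper[start:upper.index("]", start)]
    elif upper.startswith("* CAPABILITY"):
        body = upper[len("* CAPABILITY"):]
    else:
        raise ValueError("not an IMAP CAPABILITY response")
    return set(body.split())


def assess_cleartext_port(caps: set[str]) -> str:
    """STARTTLS = mode 2 offered inside the session; LOGINDISABLED (RFC 2595)
    = LOGIN refused until TLS is up; neither = clear-text authentication."""
    if "STARTTLS" in caps and "LOGINDISABLED" in caps:
        return "starttls-required"
    if "STARTTLS" in caps:
        return "starttls-optional"  # clear-text login still accepted
    if "LOGINDISABLED" in caps:
        return "login-refused"      # no TLS path on this port at all
    return "cleartext-only"


def probe_starttls_port(host: str, port: int = 143) -> str:
    """Live check of mode 2: speak plain IMAP and read the capability list."""
    imap = imaplib.IMAP4(host, port)
    try:
        return assess_cleartext_port({c.upper() for c in imap.capabilities})
    finally:
        imap.logout()


def probe_implicit_port(host: str, port: int = 993) -> bytes:
    """Live check of mode 1: TLS handshake first, then the IMAP greeting inside it."""
    imap = imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context())
    try:
        return imap.welcome
    finally:
        imap.logout()


# Constructed sample greetings, not captured from any real server.
SAMPLE_STARTTLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready."
SAMPLE_PLAIN = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
```

A TLS-wrapping tcpserver placed on 143 breaks the plain probe, since the client never sees an IMAP greeting before the handshake; that is the symptom the thread resolves by moving TLS to 993 or into the daemon.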
