Re: [Dovecot] TLS Authentication Confusion

2011-11-11 Thread Bill Cole

Carlos Mennens wrote, On 11/10/11 2:17 PM:

> I asked a user today to make sure his incoming and outgoing email was
> using TLS. He told me it wasn't possible because my Dovecot / Postfix
> daemons were only listening on TCP 25 & 143 according to a port scan
> he did. He told me the only way I could enable encrypted secure
> sessions between the client & server is to enable port 993 (IMAPs). I
> told him that TLS is supported on my mail server over the default
> ports TCP 25 / 143 and that many consider IMAPs to be legacy. I sent
> him a telnet session of my PC communicating with my server & it shows
> TLS is available. I just wanted to be sure I was correct with the
> information above or am I completely wrong and I do indeed need TCP
> port 993?


You are correct. To convince your user, point him at
http://en.wikipedia.org/wiki/STARTTLS which has links to the relevant RFCs.

> I know this is the Dovecot mailing list but since Dovecot and Postfix
> both use and support TLS in their configuration files, I figured I
> would ask here for your help!
>
> carloss@pc1:~$ telnet mail.holyghost.org 25
> Trying 192.168.4.100...
> Connected to mail.holyghost.org.
> Escape character is '^]'.
> 220 mail.holyghost.org ESMTP Postfix
> EHLO pc1.holyghost.org
> 250-mail.holyghost.org
> 250-PIPELINING
> 250-SIZE 2048
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> Below is a snip from my mail logs showing TLS:
>
> Nov  9 10:26:39 mail dovecot: imap-login: Login: user=carlos,
> method=PLAIN, rip=:::192.168.4.100, lip=:::192.168.4.100, TLS
>
> The above snip from my log means that I'm connecting to Dovecot via
> TLS, correct?


Yes.

[Dovecot] TLS Authentication Confusion

2011-11-10 Thread Carlos Mennens
I asked a user today to make sure his incoming and outgoing email was
using TLS. He told me it wasn't possible because my Dovecot / Postfix
daemons were only listening on TCP 25 & 143 according to a port scan
he did. He told me the only way I could enable encrypted secure
sessions between the client & server is to enable port 993 (IMAPs). I
told him that TLS is supported on my mail server over the default
ports TCP 25 / 143 and that many consider IMAPs to be legacy. I sent
him a telnet session of my PC communicating with my server & it shows
TLS is available. I just wanted to be sure I was correct with the
information above or am I completely wrong and I do indeed need TCP
port 993?

I know this is the Dovecot mailing list but since Dovecot and Postfix
both use and support TLS in their configuration files, I figured I
would ask here for your help!

carloss@pc1:~$ telnet mail.holyghost.org 25
Trying 192.168.4.100...
Connected to mail.holyghost.org.
Escape character is '^]'.
220 mail.holyghost.org ESMTP Postfix
EHLO pc1.holyghost.org
250-mail.holyghost.org
250-PIPELINING
250-SIZE 2048
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Below is a snip from my mail logs showing TLS:

Nov  9 10:26:39 mail dovecot: imap-login: Login: user=carlos,
method=PLAIN, rip=:::192.168.4.100, lip=:::192.168.4.100, TLS

The above snip from my log means that I'm connecting to Dovecot via
TLS, correct?


Re: [Dovecot] TLS Authentication Confusion

2011-11-10 Thread Dick Middleton
On 11/10/11 19:17, Carlos Mennens wrote:
> I asked a user today to make sure his incoming and outgoing email was
> using TLS. He told me it wasn't possible because my Dovecot / Postfix
> daemons were only listening on TCP 25 & 143 according to a port scan
> he did. He told me the only way I could enable encrypted secure
> sessions between the client & server is to enable port 993 (IMAPs).

Yes, you are right.  Port 993 is for IMAPS (SSH).  TLS is normally on the same
port as plain.

The difference between SSH and TLS is that with SSH the encryption is set up
before any application communication takes place, i.e. all application packets
are contained in the encrypted payload.  With TLS the application starts
communication and then the application sets up encryption of its payload.

Dick




Re: [Dovecot] TLS Authentication Confusion

2011-11-10 Thread Frank Elsner
On Thu, 10 Nov 2011 19:28:55 + Dick Middleton wrote:
> On 11/10/11 19:17, Carlos Mennens wrote:
>> I asked a user today to make sure his incoming and outgoing email was
>> using TLS. He told me it wasn't possible because my Dovecot / Postfix
>> daemons were only listening on TCP 25 & 143 according to a port scan
>> he did. He told me the only way I could enable encrypted secure
>> sessions between the client & server is to enable port 993 (IMAPs).
>
> Yes you are right.  Port 993 is for IMAPS (SSH).  TLS is normally on the same
> port as plain.
>
> The difference between SSH and TLS is that with SSH the encryption is set up
> before any application communication takes place.  i.e all application packets
> are contained in the encrypted payload.  With TLS the application starts
> communication and then the application sets up encryption of its payload.

:%s/SSH/SSL/g


--Frank


Re: [Dovecot] TLS Authentication Confusion

2011-11-10 Thread Tom Hendrikx
On 10-11-11 20:28, Dick Middleton wrote:
> On 11/10/11 19:17, Carlos Mennens wrote:
>> I asked a user today to make sure his incoming and outgoing email was
>> using TLS. He told me it wasn't possible because my Dovecot / Postfix
>> daemons were only listening on TCP 25 & 143 according to a port scan
>> he did. He told me the only way I could enable encrypted secure
>> sessions between the client & server is to enable port 993 (IMAPs).
>
> Yes you are right.  Port 993 is for IMAPS (SSH).  TLS is normally on the same
> port as plain.
>
> The difference between SSH and TLS is that with SSH the encryption is set up
> before any application communication takes place.  i.e all application packets
> are contained in the encrypted payload.  With TLS the application starts
> communication and then the application sets up encryption of its payload.
>

You're contributing to the confusion.

SSL and TLS are practically the same, just another name for the same
beast. The only difference is that SSL is the old name, and newer
versions of the standard are labeled TLS. The term SSH is not in the
scope of this question.

There are 2 ways of using SSL/TLS to encrypt sessions:

1) Set up a dedicated port where an SSL/TLS session can be set up before
the actual data is transferred. This is what happens for IMAPS/993 and
SMTPS/465.

2) Extend an existing protocol to enable SSL/TLS during an open session.
This is called STARTTLS in several protocols, SMTP and IMAP being among
them. And this is what happens on SMTP/25, Submission/587 and IMAP/143.

Note that although the second option is *named* STARTTLS, you probably
could implement any server to *use* SSL 1.0 for the actual encryption
(not recommended though).

The OP is offering STARTTLS for both services, which is good.

--
Regards,
Tom
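
The two checks the original poster did by hand (reading an EHLO reply for
the STARTTLS keyword, and reading a Dovecot imap-login line for the trailing
TLS flag) are the ones worth scripting, because a port scan alone cannot
distinguish a plain 143 from a STARTTLS-capable 143. The Python below is an
added example, not code from this thread or from the Dovecot or Postfix
projects. The EHLO reply is the one pasted in the original post; the log
lines are constructed for the example (one hypothetical login deliberately
lacks the TLS flag), and `smtp_offers_starttls` is a hypothetical live
helper that needs network access and is not run by default.

```python
"""Offline verification of the two things the original poster pasted:
an EHLO reply (does it advertise STARTTLS?) and Dovecot imap-login
lines (did the session use TLS?). Added example, not thread code."""
import re
import ssl
import smtplib

# EHLO reply as pasted in the original post. The first line carries the
# server's own name, not an extension keyword.
EHLO_RESPONSE = """250-mail.holyghost.org
250-PIPELINING
250-SIZE 2048
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed log sample: the poster's TLS login plus hypothetical lines,
# one of which authenticated in the clear and one that is not a login.
DOVECOT_LOG = """\
Nov  9 10:26:39 mail dovecot: imap-login: Login: user=<carlos>, method=PLAIN, rip=192.168.4.100, lip=192.168.4.100, TLS
Nov  9 10:27:02 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.168.4.77, lip=192.168.4.100
Nov  9 10:27:30 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.168.4.78, lip=192.168.4.100, TLS
Nov  9 10:28:00 mail dovecot: imap-login: Disconnected (no auth attempts): rip=192.168.4.90, lip=192.168.4.100
"""


def ehlo_extensions(response: str) -> set[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply.
    The first line is the server's domain; every further line is
    '250-KEYWORD [params]', or '250 KEYWORD' for the last one."""
    exts = set()
    for line in response.strip().splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line.strip())
        if m:
            exts.add(m.group(1).upper())
    return exts


def advertises_starttls(response: str) -> bool:
    """True when the server offers to upgrade the plain port 25/587 session."""
    return "STARTTLS" in ehlo_extensions(response)


LOGIN_RE = re.compile(
    r"dovecot: (?P<service>\w+)-login: Login: user=<?(?P<user>[^>,]+)>?, "
    r"method=(?P<method>\w+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)(?P<rest>.*)$"
)


def parse_logins(log: str) -> list[dict]:
    """Parse Dovecot '*-login: Login:' lines. The trailing ', TLS' token is
    what says the session was encrypted, whether it arrived via STARTTLS
    on 143 or via the dedicated IMAPS port 993."""
    logins = []
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # disconnects and other messages are not logins
        entry = m.groupdict()
        entry["tls"] = re.search(r"\bTLS\b", entry.pop("rest")) is not None
        logins.append(entry)
    return logins


def plaintext_logins(log: str) -> list[dict]:
    """Logins whose credentials (method=PLAIN/LOGIN) crossed the wire unencrypted."""
    return [e for e in parse_logins(log) if not e["tls"]]


def smtp_offers_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Hypothetical live check (needs network; not run by default): EHLO the
    server, report whether STARTTLS is advertised, and if so negotiate it
    with certificate verification so a bad certificate is caught too."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-issue EHLO: the pre-TLS extension list is untrusted
        return True


if __name__ == "__main__":
    print("EHLO advertises STARTTLS:", advertises_starttls(EHLO_RESPONSE))
    for entry in parse_logins(DOVECOT_LOG):
        state = "TLS" if entry["tls"] else "PLAINTEXT"
        print(f'{entry["service"]} login {entry["user"]} from {entry["rip"]}: {state}')
```

Running the script against a real log with `plaintext_logins` is the quickest
way to see whether any client is still authenticating without the upgrade;
the log flag is the same for both modes, so it does not tell you which of the
two ports a client used, only that the credentials were protected.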


Re: [Dovecot] TLS Authentication Confusion

2011-11-10 Thread Noel

On 11/10/2011 2:11 PM, Tom Hendrikx wrote:
> On 10-11-11 20:28, Dick Middleton wrote:
>> On 11/10/11 19:17, Carlos Mennens wrote:
>>> I asked a user today to make sure his incoming and outgoing email was
>>> using TLS. He told me it wasn't possible because my Dovecot / Postfix
>>> daemons were only listening on TCP 25 & 143 according to a port scan
>>> he did. He told me the only way I could enable encrypted secure
>>> sessions between the client & server is to enable port 993 (IMAPs).
>>
>> Yes you are right. Port 993 is for IMAPS (SSH). TLS is normally on
>> the same port as plain.
>>
>> The difference between SSH and TLS is that with SSH the encryption
>> is set up before any application communication takes place. i.e all
>> application packets are contained in the encrypted payload. With TLS
>> the application starts communication and then the application sets
>> up encryption of its payload.
>
> You're contributing to the confusion.
>
> SSL and TLS are practically the same, just another name for the same
> beast. The only difference is that SSL is the old name, and newer
> versions of the standard are labeled TLS. The term SSH is not in the
> scope of this question.
>
> There are 2 ways of using SSL/TLS to encrypt sessions:
>
> 1) Setup a dedicated port where a SSL/TLS session can be setup before
> the actual data is transferred. This is what happens for IMAPS/993 and
> SMTPS/465.
>
> 2) Extend an existing protocol to enable SSL/TLS during an open
> session. This is called STARTTLS in several protocols, SMTP and IMAP
> being among them. And this is what happens on SMTP/25, Submission/587
> and IMAP/143.
>
> Note that although the second option is *named* STARTTLS, you probably
> could implement any server to *use* SSL 1.0 for the actual encryption
> (not recommended though).
>
> The OP is offering STARTTLS for both services, which is good.
>
> --
> Regards,
> Tom

The confusion is caused by the way some client software
differentiates these services in their configuration, often referring
to wrapper-mode smtps/imaps as SSL, and STARTTLS as TLS.



  -- Noel Jones