Re: [Courier-imap] General questions regarding IMAP+TLS

Mon, 22 Oct 2012 16:15:11 -0700 

thorso...@lavabit.com writes:


> Try leaving them out altogether. And it doesn't really matter if any of
> those attributes exist in a cert, one.

Thank you, it worked.

With these options in "/etc/courier/imapd-ssl":

IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES

"sudo /etc/init.d/courier-imapd-ssl start" doesn't show
anything. Also, "netstat -l -n" doesn't output :::993.

If I change IMAPDSSLSTART to YES, I'll see :::993.

I thought that IMAPDSTARTTLS should enable TLS and IMAPDSSLSTART
should enable SSL. Looks like I misunderstood something. Is there a
TLS-only solution?


The terminology here is often confusing.
There are two different kinds of encrypted connections. The only difference is how they get started.
IMAPDSSLSTART controls whether or not the SSL server gets started on port 993. This is a completely encrypted connection. An encrypted connection from start to finish.
IMAPDSTARTTLS controls whether or not the server advertises STARTTLS capability. An IMAP client makes a regular, non-encrypted connection to the server on port 143, sees the the server supports STARTTLS, then switches to an encrypted connection to port 143, before logging in.
The two are unrelated. You can use both, or neither. Most IMAP clients will also let you choose, these days, whether to try to connect to port 993, or to port 143 and check if the server supports STARTTLS. 


(The following may look like a Gnus-related question, but it's
connected with courier.)

I'm going to access the server via Gnus. My .gnus.el:

(setq mail-sources '((imap :server "mail.example.com"
                                                   :port 993
                                                   :user "admin"
                                                   :stream tls
                                                   :dontexpunge nil)))

Docs say that I'll be prompted for a password. Which one should I use?
"mkimapdcert" didn't ask me to set a password.
The same password you would use to log in as "admin". Using an encrypted connection does not relieve you of your obligation to log in with a valid login id and a password, identifying your mailbox.
It /is/ possible to use an SSL certificate to log in, without a password. But that's much more complicated to set up, and requires more work.

Attachment: pgpzjF14RTSFX.pgp
Description: PGP signature

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap

Reply via email to