On 4/22/22 02:20, Jean-Daniel Dupas wrote:
> While it's true for SMTP, my experience is that IMAP clients prefer imaps in 993 instead of STARTTLS.
> 
> I have a server with only port 993 opened, and almost never had any issue with client configuration.

I have noticed the opposite.  Every time I have configured a new mail client (which is most often but not always Thunderbird), it defaults to 143 with STARTTLS.  Port 993 is available too, but my mail clients have never used it unless I explicitly configure it.

My dovecot is configured with "disable_plaintext_auth = yes" so only source IPs that are local to the machine (so the traffic never goes out on any network) are allowed to login without TLS. My webmail uses localhost so it is configured to use port 143 without encryption.

I know a lot of people are going to clamor that such traffic should be encrypted because it could be sniffed ... but if somebody has enough access such that they could sniff my backend services, the security battle is already lost, and they would be able to get any in-flight passwords even if the connection is encrypted.

Thanks,
Shawn
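The split Shawn describes on port 143 (plaintext auth refused for remote clients with `disable_plaintext_auth = yes`, still permitted from the same host) is visible in the capability greeting Dovecot sends before STARTTLS. The script below is an added example, not code from this thread or from the Dovecot project: the sample greetings are constructed to look like Dovecot's banner, and `probe_pre_tls` is a helper of my own that reads the live greeting so an admin can confirm both states from a remote host and from the mail host itself.

```python
"""Added example: classify what an IMAP listener permits before TLS.

With disable_plaintext_auth = yes, Dovecot advertises LOGINDISABLED and
withholds AUTH=PLAIN/AUTH=LOGIN on a cleartext connection from a remote
address, while a connection from the same host still gets plaintext auth.
"""
import imaplib
import re

# Constructed sample greetings (not captured from a real server), shaped like
# Dovecot's banner on port 143 with disable_plaintext_auth = yes.
REMOTE_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                   "IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.")
LOCALHOST_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                      "IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
NO_STARTTLS_GREETING = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] IMAP ready."


def parse_capabilities(line: str) -> set:
    """Return the capability tokens from a greeting carrying a [CAPABILITY ...]
    response code, or from an untagged '* CAPABILITY ...' line, upper-cased."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m is None:
        m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip())
    if m is None:
        return set()
    return {tok.upper() for tok in m.group(1).split()}


def assess_plaintext_policy(caps: set) -> dict:
    """Classify what the listener permits before STARTTLS.

    'refused'     : LOGINDISABLED advertised and no plaintext SASL mechanism
                    offered (what a remote client should see with
                    disable_plaintext_auth = yes)
    'allowed'     : a plaintext login path is offered before TLS; acceptable
                    only when the probe ran from localhost or a trusted network
    'no-starttls' : STARTTLS absent; clients must use IMAPS on 993 instead
    """
    starttls = "STARTTLS" in caps
    login_disabled = "LOGINDISABLED" in caps
    # Per RFC 3501 the LOGIN command is usable unless LOGINDISABLED is advertised,
    # so the absence of AUTH= tokens alone does not mean plaintext auth is refused.
    plain_offered = any(c in ("AUTH=PLAIN", "AUTH=LOGIN") for c in caps)
    if not starttls:
        verdict = "no-starttls"
    elif login_disabled and not plain_offered:
        verdict = "refused"
    else:
        verdict = "allowed"
    return {"starttls": starttls, "login_disabled": login_disabled,
            "plaintext_auth_offered": plain_offered, "verdict": verdict}


def probe_pre_tls(host: str, port: int = 143, timeout: float = 10.0) -> dict:
    """Hypothetical helper: open a cleartext connection (no STARTTLS), read the
    capabilities imaplib collected from the greeting, and classify them."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        caps = {c.upper() for c in conn.capabilities}
    finally:
        conn.logout()
    return assess_plaintext_policy(caps)


if __name__ == "__main__":
    for label, greeting in (("remote", REMOTE_GREETING),
                            ("localhost", LOCALHOST_GREETING),
                            ("no-starttls", NO_STARTTLS_GREETING)):
        print(label, assess_plaintext_policy(parse_capabilities(greeting)))
```

Running `probe_pre_tls("mail.example.invalid")` from a remote machine should give `refused`, and the same call on the mail host itself `allowed`; a webmail talking to 127.0.0.1:143, as in the setup above, relies on exactly that second state.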
