On Wed, 21 Mar 2007, David B Funk wrote:
>> Here's a little-known fact about Apple Mail: if you select SSL support
>> for IMAP, it actually will connect with SSL to the IMAP server, if and
>> only if the port is set to 993. If you specify any other port to
>> Apple Mail, and check the SSL checkbox, it will connect in the clear,
>> and attempt to do STARTTLS. If the server doesn't, in its
>> CAPABILITIES string, indicate STARTTLS, it will simply issue a LOGOUT
>> and disconnect.
> Um, given that is arguably correct behavior what is so notable about
> this? Kudos to Apple for getting that part of Apple Mail correct.
That is NOT correct behavior!!!
If SSL is checked in the client, then the client should negotiate SSL and
not TLS, without regard to the port number. Perhaps checking the SSL box
may change the default port from 143 to 993. However, if the SSL box is
checked and the port is 10993, it should use SSL, not TLS.
More importantly,
*** TLS is ***NOT*** SSL ***
SSL uses the SSLv23 method at connection initiation. TLS uses the TLSv1
method after negotiation of a start-TLS command. These are different and
incompatible in multiple ways.
Do not confuse the two!
So, you may ask, how do you make the client do TLS?
The answer is: you don't!!
The client should negotiate TLS *automatically* with any server that
advertises STARTTLS. The user should NOT be required to check a box to
protect his password from being blasted for every hacker on the planet to
see.
I'd go even further, and say that the client should refuse to connect if
the server does not offer TLS.
Similarly, server certificates should be validated by default for both SSL
and TLS. The user should NOT be required to check a box to say "tell me
when my server is a fraud."
OK, you may need an option to disable certification validation, and to
allow non-TLS. But these should be the things you have to check and NOT
be the defaults.
Thus, Apple Mail's behavior is wrong on two counts. First, it requires
the server to take action to protect his password. Second, it makes it
impossible to access an SSL-IMAP server on other than port 993.
> Contrast that with Outlook's borked behavior WRT SMTP & SSL. If you
> check the SSL box in the SMTP server config and leave the port set
> to 25 it will try to do STARTTLS. If you set the port to -any- other
> value (such as 587 for the 'MSA' port) it will try to do SSLv3 and fail.
> There's no way to get it to do STARTTLS to port 587, it should only do
> SSLv3 to port 465 (smtps port).
The thing wrong with Outlook's behavior is that it doesn't do TLS
automatically. Otherwise, what you describe would be correct; the SSL
checkbox properly governs SSL behavior, not TLS.
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
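The client policy Mark describes above, written out as an added Python example (not code from the thread, from Apple Mail, or from the UW IMAP toolkit): the "SSL" setting means implicit SSL/TLS on whatever port is configured, STARTTLS is negotiated automatically whenever the server's CAPABILITY advertises it, a server offering neither is refused rather than logged into in the clear, and certificate validation is on unless explicitly disabled. The function names, the `Mode` enum, and the `allow_cleartext` / `allow_invalid_cert` opt-outs are this example's own assumptions; the `imaplib` calls (`IMAP4_SSL`, `IMAP4.capabilities`, `IMAP4.starttls`) are standard-library APIs.

```python
"""Added example: client-side IMAP transport-security decision.

Models the policy argued for in the thread; names and options are assumptions,
not any real client's configuration keys.
"""
import imaplib
import ssl
from enum import Enum
from typing import Optional, Set

IMAPS_PORT = 993  # conventional implicit-TLS port; used only as a default
IMAP_PORT = 143   # conventional cleartext port where STARTTLS may be negotiated


class Mode(Enum):
    IMPLICIT_TLS = "implicit-tls"  # wrap the socket in TLS before any IMAP traffic
    STARTTLS = "starttls"          # connect in the clear, upgrade before LOGIN
    CLEARTEXT = "cleartext"        # only when the user explicitly opted out
    REFUSE = "refuse"              # server offers no protection and no opt-out given


def parse_capabilities(line: str) -> Set[str]:
    """Turn an untagged '* CAPABILITY ...' line into a set of upper-cased tokens.

    The '* CAPABILITY' prefix is optional so the function also accepts the
    bare token list imaplib keeps in IMAP4.capabilities.
    """
    parts = line.strip().split()
    if len(parts) >= 2 and parts[0] == "*" and parts[1].upper() == "CAPABILITY":
        parts = parts[2:]
    return {p.upper() for p in parts}


def choose_mode(ssl_checked: bool, port: int, capabilities: Optional[Set[str]],
                allow_cleartext: bool = False) -> Mode:
    """Decide how the session must be secured.

    ssl_checked  - the user's "SSL" option. It selects implicit TLS regardless
                   of port; 'port' is deliberately never consulted here.
    capabilities - pre-STARTTLS CAPABILITY tokens from the server, or None when
                   no cleartext exchange has happened (implicit TLS case).
    allow_cleartext - the explicit, non-default opt-out the thread allows.
    """
    del port  # documented as unused: the port must not override the SSL setting
    if ssl_checked:
        return Mode.IMPLICIT_TLS
    if capabilities and "STARTTLS" in capabilities:
        return Mode.STARTTLS
    return Mode.CLEARTEXT if allow_cleartext else Mode.REFUSE


def connect(host: str, port: int, ssl_checked: bool, allow_cleartext: bool = False,
            allow_invalid_cert: bool = False) -> imaplib.IMAP4:
    """Open an IMAP connection following choose_mode().

    Certificate validation (chain and hostname) is on by default via
    ssl.create_default_context(); turning it off is an explicit opt-out.
    This function performs network I/O and is not exercised by the offline test.
    """
    ctx = ssl.create_default_context()
    if allow_invalid_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    if choose_mode(ssl_checked, port, None, allow_cleartext) is Mode.IMPLICIT_TLS:
        # TLS first, IMAP greeting afterwards; works on 993, 10993, or any port.
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)

    conn = imaplib.IMAP4(host, port)
    # imaplib already fetched CAPABILITY during the greeting; decide on it.
    mode = choose_mode(False, port, set(conn.capabilities), allow_cleartext)
    if mode is Mode.STARTTLS:
        conn.starttls(ssl_context=ctx)  # upgrades the socket and re-reads CAPABILITY
    elif mode is Mode.REFUSE:
        conn.logout()
        raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing cleartext login")
    return conn
```

Note that `choose_mode` ignores the port entirely, which is the behaviour the thread asks for: checking "SSL" with port 10993 yields implicit TLS, and an unchecked box never yields a cleartext login unless the server advertises STARTTLS or the user has explicitly opted out.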
_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw