Re: different TLS protocols on different ports

2018-11-14 Thread Joseph Tam



Michael A. Peters wrote:

>> Couldn't you run two different instances (with 2 separate run-time
>> directories), each listening on a different port with their own SSL
>> configuration?  Or would it clash somewhere?
>>
>> If only a single running instance of dovecot is required, I guess you
>> can run dovecot on the localhost interface, and use 2 stunnel proxies.
>
> Honestly that violates the concept of KISS.


(Just to be clear, I'm not the OP.)

I agree -- if the OP can convince the user to change mail readers, that would
be better all around.  However, some users will only let go of their
mail reader when you pry it from their dead, cold fingers, and you'll
be applying KISS in the social context.  Doing a technical workaround
is sometimes simpler than picking a fight with them.  This has to be
balanced with the security requirements.

Noel writes:

> Strongly agree with this.  If you have enough users that you have
> to use both hands to count them, running different protocols on
> different ports is a sure-fire way to annoy your users and create
> problems for support staff (eg. you).  Either allow the antique
> protocol everywhere, or give notice and cut it off.


I'm not sure why users would be annoyed -- this is more or less transparent
to them.  If, however, you remove a TLS flavour and thereby break
a previously working mail reader, you'll get the definition of
"annoyed" demonstrated when you explain to the user why you won't allow
their beloved FoobyBletch5000 mail reader to work.

Joseph Tam 


Re: different TLS protocols on different ports

2018-11-14 Thread Noel
On 11/14/2018 4:08 PM, Michael A. Peters wrote:
> Honestly that violates the concept of KISS.
>
> Given that TLS 1.2 is now a decade old, do you really need to
> still allow clients not capable of TLS 1.0/1.1 ???
>
> I still do but only allow cipher suites with Forward Secrecy.
>
> I don't run huge mail server, but from quick look at my logs I
> don't even see any clients connecting that aren't TLS 1.2 anymore.
>
> Might be easier to just give a six month notice that clients
> running TLS more than a decade old will no longer be supported.

+1

Strongly agree with this.  If you have enough users that you have
to use both hands to count them, running different protocols on
different ports is a sure-fire way to annoy your users and create
problems for support staff (eg. you).  Either allow the antique
protocol everywhere, or give notice and cut it off.

  -- Noel Jones



Re: different TLS protocols on different ports

2018-11-14 Thread Michael A. Peters

On 11/14/2018 01:46 PM, Joseph Tam wrote:

> On Wed, 14 Nov 2018, Aki Tuomi wrote:
>
>>> I'm providing IMAP+Starttls on port 143 for users with legacy MUA.  So
>>> I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to
>>> enable TLS1.2 and TLS1.3 only.
>>>
>>> Is this possible with dovecot-2.2.36 / how to setup this?
>>
>> Not possible I'm afraid.
>
> ("Not possible" = challenge!)
>
> Couldn't you run two different instances (with 2 separate run-time
> directories), each listening on a different port with their own SSL
> configuration?  Or would it clash somewhere?
>
> If only a single running instance of dovecot is required, I guess you
> can run dovecot on the localhost interface, and use 2 stunnel proxies.
>
> Joseph Tam


Honestly that violates the concept of KISS.

Given that TLS 1.2 is now a decade old, do you really need to still 
allow clients not capable of TLS 1.0/1.1 ???


I still do but only allow cipher suites with Forward Secrecy.

I don't run huge mail server, but from quick look at my logs I don't 
even see any clients connecting that aren't TLS 1.2 anymore.


Might be easier to just give a six month notice that clients running TLS 
more than a decade old will no longer be supported.
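Michael's "quick look at my logs" is the right first step before giving notice: measure who still negotiates old TLS versions, and on which listener port. The following is an added example, not code from the thread or from Dovecot: it tallies imap-login lines by port and TLS version and lists the users who would be cut off by a minimum-version change. The log layout (a `lport=` field and a `TLS: <version> with cipher <name>` status) and the sample lines are constructed assumptions; check your own `login_log_format_elements` before relying on the regex.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real log data), in the shape assumed here
# for Dovecot imap-login output with local port and TLS status appended
# via login_log_format_elements. Verify against your own log format.
SAMPLE_LOG = """\
Nov 14 21:19:01 mx imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, lport=993, TLS: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 14 21:19:07 mx imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, lport=143, TLS: TLSv1 with cipher AES256-SHA (256/256 bits)
Nov 14 21:20:13 mx imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, lport=143, TLS: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Nov 14 21:21:40 mx imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, lport=993, TLS: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Nov 14 21:22:02 mx imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.5, lport=143, secured
"""

# OpenSSL names TLS 1.0 "TLSv1"; the list order lets versions be compared.
PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>.*?lport=(?P<port>\d+), "
    r"(?:TLS: (?P<proto>[A-Za-z0-9.]+) with cipher (?P<cipher>\S+)|(?P<plain>secured))"
)

def parse_logins(log_text):
    """Yield (user, port, proto, cipher) per login; proto is None when no TLS was used."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        yield m["user"], int(m["port"]), m["proto"], m["cipher"]

def tls_inventory(log_text):
    """Count logins per (port, protocol) so each listener's TLS mix is visible."""
    counts = defaultdict(int)
    for _, port, proto, _ in parse_logins(log_text):
        counts[(port, proto or "plaintext")] += 1
    return dict(counts)

def legacy_users(log_text, minimum="TLSv1.2"):
    """Users who logged in at least once with a TLS version older than `minimum`.

    These are the people to notify before the old versions are switched off.
    Unknown protocol strings are ignored rather than guessed at.
    """
    floor = PROTO_ORDER.index(minimum)
    users = defaultdict(set)
    for user, port, proto, _ in parse_logins(log_text):
        if proto in PROTO_ORDER and PROTO_ORDER.index(proto) < floor:
            users[user].add((port, proto))
    return {u: sorted(v) for u, v in users.items()}
```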


Re: different TLS protocols on different ports

2018-11-14 Thread A. Schulze



On 14.11.18 at 22:46, Joseph Tam wrote:
> Couldn't you run two different instances
That is the idea: yes, I can run multiple instances...

Thanks!


Re: different TLS protocols on different ports

2018-11-14 Thread Joseph Tam

On Wed, 14 Nov 2018, Aki Tuomi wrote:

>> I'm providing IMAP+Starttls on port 143 for users with legacy MUA.  So
>> I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to
>> enable TLS1.2 and TLS1.3 only.
>>
>> Is this possible with dovecot-2.2.36 / how to setup this?
>
> Not possible I'm afraid.


("Not possible" = challenge!)

Couldn't you run two different instances (with 2 separate run-time
directories), each listening on a different port with their own SSL
configuration?  Or would it clash somewhere?

If only a single running instance of dovecot is required, I guess you
can run dovecot on the localhost interface, and use 2 stunnel proxies.

Joseph Tam 


Re: different TLS protocols on different ports

2018-11-14 Thread A. Schulze



On 14.11.18 at 21:21, Michael Slusarz wrote:
> These ports are well-known and well used.
OK, to be clear: they're not in /my/ networks :-)


Re: different TLS protocols on different ports

2018-11-14 Thread Michael Slusarz
> On November 14, 2018 at 12:46 PM "A. Schulze" wrote:
>
> I stumbled upon RFC 8314 *) and I found it a welcome option to enforce more
> modern protocols/ciphers.
> IMAPS/SUBMISSIONS aren't used widely (at least to my knowledge, many
> postmasters used to configure IMAP+SUBMISSION and STARTTLS)

"IMAPS" has been used forever.  Every installation I can think of supports 993.

Same with submission.  465/587 have been standard ports for a while now.

In fact, these are the only ports someone like a Google will allow you to 
connect to.
https://support.google.com/mail/answer/7126229?hl=en


> Switching Clients to complete new ports is a chance to separate and dry out 
> legacy MUA's

There is no switch to do.  These ports are well-known and well used.


> I just tried this but that's no valid syntax though:
>
>   service imap-login {
>     inet_listener imap {
>       port = 143
>       # using default protocols and ciphers...
>     }
>     inet_listener imaps {
>       port = 993
>       ssl_protocols = TLSv1.2 TLSv1.3
>       ssl_cipher_list = ...
>     }
>   }
>
> Postfix lets me easily define different TLS protocols on different ports.
> For that it would be cool if dovecot could assist on such migrations, too.
>
> Andreas
>
> *) see https://tools.ietf.org/html/rfc8314
>    as well as the draft
>    https://tools.ietf.org/html/draft-lvelvindron-tls-for-email-02 to deprecate
>    TLSv1.1


Re: different TLS protocols on different ports

2018-11-14 Thread A. Schulze



On 14.11.18 at 20:22, Aki Tuomi wrote:
> Not possible I'm afraid.

Hello Aki,

is it not possible in 2.2.36 or not possible at all?

I stumbled upon RFC 8314 *) and I found it a welcome option to enforce more 
modern protocols/ciphers.
IMAPS/SUBMISSIONS aren't used widely (at least to my knowledge, many postmasters
used to configure IMAP+SUBMISSION and STARTTLS)
Switching clients to completely new ports is a chance to separate and dry out
legacy MUAs

I just tried this but that's no valid syntax though:

service imap-login {
  inet_listener imap {
    port = 143
    # using default protocols and ciphers...
  }
  inet_listener imaps {
    port = 993
    ssl_protocols = TLSv1.2 TLSv1.3
    ssl_cipher_list = ...
  }
}


Postfix lets me easily define different TLS protocols on different ports.
For that it would be cool if dovecot could assist on such migrations, too.

Andreas

*) see https://tools.ietf.org/html/rfc8314
   as well as the draft
   https://tools.ietf.org/html/draft-lvelvindron-tls-for-email-02 to deprecate
   TLSv1.1


Re: different TLS protocols on different ports

2018-11-14 Thread Aki Tuomi


 
 
  
   
  
  
   
On 14 November 2018 at 21:19 "A. Schulze" <
s...@andreasschulze.de> wrote:
   
   

   
   

   
   
Hello,
   
   

   
   
I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So I've to enable TLS1.0 up to TLS1.3
   
   
For IMAPS / port 993 I like to enable TLS1.2 and TLS1.3 only.
   
   

   
   
Is this possible with dovecot-2.2.36 / how to setup this?
   
   

   
   
Thanks for suggestions,
   
   
Andreas
   
  
  
   Not possible I'm afraid.
  
  
   ---
   Aki Tuomi
   
 



different TLS protocols on different ports

2018-11-14 Thread A. Schulze
Hello,

I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So I've to 
enable TLS1.0 up to TLS1.3
For IMAPS / port 993 I like to enable TLS1.2 and TLS1.3 only.

Is this possible with dovecot-2.2.36 / how to setup this?

Thanks for suggestions,
Andreas