Disable Non-Encrypted Connections - 110 / 143
Question asked by CCWH - February 25, 2015 at 11:16 AM
Hello all,
After moving from SSL to TLS we are seeing far more unsecured connections on ports 110 & 143.  Are we missing something in the SM config to disable non-secure connections on those ports?
I understand that port 25 cannot be locked down due to server-to-server connections; however, I am sure we are missing something to stop the other ports to only use TLS... otherwise we give clients an open door to not configure their incoming connections to our servers correctly.
I am really hoping I/we are missing something and we just need to make a config change to stop this!

3 Replies

Two things:
1) Under Settings/Bindings/IP Addresses, you can enable/disable the ports available to the IP addresses used by SM. (Those port #s are described in Settings/Bindings/Ports).
2) And if your server is inside a firewall, you can also disable inbound access to ports 110 / 143 on the firewall.  This might be useful if users on the LAN have access via 110/143 but you want to restrict access from the Internet - in that case you leave the ports on the SM server as they are (assuming you use the same server IP address for both WAN and LAN access to SM).

Thanks for the reply.
Unfortunately blocking the ports via firewall will not work as it would block the secure TLS traffic. If we went backwards and went to SSL (993/995) then we could... but that seems... well... backward. We should be able to use TLS on the native TLS ports which are 110/143 but disallow any non-TLS connections.
We do not have the non-TLS port bindings ticked... which we would have expected would stop non-secure connections and only allow the TLS connections via the selected ports that use the certificate... this sadly isn't the case.

I've long thought that the "Native" TLS ports are the same as SSL ports (993/995/465). I did some web searches and believe that my assumptions are correct. It makes little sense to have them the same as ports for non-encrypted traffic - 143/110/25, for "obvious" reasons.
Please check this for yourself and let me know if I'm wrong.
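
Added example, not part of the thread and not SmarterMail code: on ports 110/143 TLS is negotiated in-band (POP3 `STLS`, IMAP `STARTTLS`), so whether cleartext logins are still offered shows up in the capability listing the server sends before TLS starts. The function names and the sample responses below are constructed for illustration.

```python
# Classify what a POP3 (110) or IMAP (143) service advertises BEFORE TLS.
# Sample responses are constructed for this example, not captured from a server.

def imap_cleartext_policy(capability_line: str) -> str:
    """Classify an IMAP CAPABILITY response received before STARTTLS."""
    caps = {c.upper() for c in capability_line.split()}
    if "STARTTLS" not in caps:
        return "no-starttls"
    # RFC 3501: LOGINDISABLED means the LOGIN command is refused in this state.
    login_offered = "LOGINDISABLED" not in caps
    # AUTH=PLAIN and AUTH=LOGIN carry the password without hashing.
    plain_sasl = bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    return "cleartext-advertised" if (login_offered or plain_sasl) else "tls-required"


def pop3_cleartext_policy(capa_response: str) -> str:
    """Classify a multi-line POP3 CAPA response received before STLS."""
    caps = {}
    for line in capa_response.splitlines()[1:]:  # skip the +OK status line
        line = line.strip()
        if not line or line == ".":
            continue
        name, *args = line.upper().split()
        caps[name] = set(args)
    if "STLS" not in caps:
        return "no-starttls"
    # USER (RFC 2449) and SASL PLAIN/LOGIN both expose the password on the wire.
    plain = "USER" in caps or bool(caps.get("SASL", set()) & {"PLAIN", "LOGIN"})
    return "cleartext-advertised" if plain else "tls-required"


# Constructed pre-TLS responses.
IMAP_OPEN = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
IMAP_STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
IMAP_NOTLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
POP3_OPEN = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\nSASL PLAIN LOGIN\r\n.\r\n"
POP3_STRICT = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"

if __name__ == "__main__":
    for label, result in [
        ("imap open", imap_cleartext_policy(IMAP_OPEN)),
        ("imap strict", imap_cleartext_policy(IMAP_STRICT)),
        ("pop3 open", pop3_cleartext_policy(POP3_OPEN)),
        ("pop3 strict", pop3_cleartext_policy(POP3_STRICT)),
    ]:
        print(f"{label}: {result}")
```

The listing is only what the server advertises; a login attempt with a throwaway test account over an unencrypted session is the authoritative check.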
