Disable Non-Encrypted Connections - 110 / 143
Question asked by CCWH - February 25, 2015 at 11:16 AM
Unanswered
Hello all,
 
After moving from SSL to TLS we are seeing far more unsecured connections on ports 110 & 143.  Are we missing something in the SM config to disable non-secure connections on those ports?
 
I understand that port 25 cannot be locked down due to server-to-server connections; however, I am sure we are missing something to restrict the other ports to only use TLS... otherwise we give clients an open door to not configure their incoming connections to our servers correctly.
 
I am really hoping I/we are missing something and we just need to make a config change to stop this!

3 Replies

0
Two things: 1) Under Settings/Bindings/IP Addresses, you can enable/disable the ports available to the IP addresses used by SM. (Those port #s are described in Settings/Bindings/Ports).
 
2) And if your server is inside a firewall, you can also disable inbound access to ports 110 / 143 on the firewall.  This might be useful if users on the LAN have access via 110/143 but you want to restrict access from the Internet - in that case you leave the ports on the SM server as they are (assuming you use the same server IP address for both WAN and LAN access to SM).
 
 
 
 
0
Thanks for the reply.
 
Unfortunately, blocking the ports via firewall will not work as it would block the secure TLS traffic. If we went backwards and went to SSL (993/995) then we could... but that seems... well... backward. We should be able to use TLS on the native TLS ports which are 110/143 but disallow any non-TLS connections.
 
We do not have the non-TLS port bindings ticked, which we would have expected would stop non-secure connections and only allow the TLS connections via the selected ports that use the certificate... this sadly isn't the case.
0
I've long thought that the "Native" TLS ports are the same as SSL ports (993/995/465).  I did some web searches and believe that my assumptions are correct.  It makes little sense to have them the same as ports for non-encrypted traffic - 143/110/25, for "obvious" reasons.
 
Please check this for yourself and let me know if I'm wrong.
 
 

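Added example, not part of the thread and not SmarterMail code: one way to check whether ports 110/143 still accept logins before STARTTLS is to read what the server advertises in its pre-TLS capability reply (IMAP `LOGINDISABLED` per RFC 3501, POP3 `USER`/`SASL`/`STLS` per RFC 2449 and RFC 2595). The function names and the sample replies below are constructed for illustration.

```python
# Audit a pre-TLS capability reply from an IMAP (143) or POP3 (110) listener.
# A listener that only allows TLS logins should advertise STARTTLS/STLS and
# offer no password command or plaintext SASL mechanism until TLS is active.
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}  # mechanisms that send the password as-is

def _verdict(starttls, password_cmd, sasl):
    weak = sorted(sasl & PLAINTEXT_SASL)
    return {"starttls_offered": starttls,
            "cleartext_login_possible": password_cmd or bool(weak),
            "plaintext_sasl": weak}

def audit_imap(reply: str) -> dict:
    """reply: server response to 'a1 CAPABILITY' (or the greeting) before TLS."""
    caps = []
    for line in reply.splitlines():
        up = line.upper()
        # Only untagged lines carry the list; 'a1 OK CAPABILITY completed' does not.
        if up.startswith("*") and "CAPABILITY" in up:
            caps = up.split("CAPABILITY", 1)[1].split("]")[0].split()
    sasl = {c[5:] for c in caps if c.startswith("AUTH=")}
    # The LOGIN command is usable unless the server advertises LOGINDISABLED.
    return _verdict("STARTTLS" in caps, "LOGINDISABLED" not in caps, sasl)

def audit_pop3(reply: str) -> dict:
    """reply: multi-line server response to 'CAPA' before TLS."""
    lines = [l.strip().upper() for l in reply.splitlines()]
    caps = [l for l in lines[1:] if l and l != "."]  # skip '+OK', drop terminator
    sasl = set()
    for cap in caps:
        if cap.startswith("SASL"):
            sasl = set(cap.split()[1:])
    # 'USER' in CAPA means USER/PASS is accepted in the current (cleartext) state.
    return _verdict("STLS" in caps, "USER" in caps, sasl)

# Constructed sample replies (not captured from any real server).
IMAP_OPEN = ("* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN\r\n"
             "a1 OK CAPABILITY completed")
IMAP_LOCKED = ("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"
               "a1 OK CAPABILITY completed")
POP3_OPEN = "+OK Capability list follows\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\nUIDL\r\n."
POP3_LOCKED = "+OK Capability list follows\r\nSTLS\r\nUIDL\r\n."

if __name__ == "__main__":
    for name, fn, sample in [("imap open", audit_imap, IMAP_OPEN),
                             ("imap locked", audit_imap, IMAP_LOCKED),
                             ("pop3 open", audit_pop3, POP3_OPEN),
                             ("pop3 locked", audit_pop3, POP3_LOCKED)]:
        print(name, fn(sample))
```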