Disable Non-Encrypted Connections - 110 / 143

Question asked by CCWH - 2/25/2015 at 11:16 AM

Unanswered

Hello all,

After moving from SSL to TLS we are seeing far more unsecured connections on ports 110 & 143. Are we missing something in the SM config to disable non-secure connections on those ports?

I understand that port 25 cannot be locked down due to server to server connections, however I am sure we are missing something to stop the other ports to only use TLS....otherwise we give clients an open door to not configure their incoming connections to our servers correctly.

I am really hoping I/we are missing something and we just need to make a config change to stop this!

9 Replies

Reply to Thread

Paul Blank Replied

2/25/2015 at 12:33 PM

Two things: 1) Under Settings/Bindings/IP Addresses, you can enable/disable the ports available to the IP addresses used by SM. (Those port #s are described in Settings/Bindings/Ports).

2) And if your server is inside a firewall, you can also disable inbound access to ports 110 / 143 on the firewall. This might be useful if users on the LAN have access via 110/143 but you want to restrict access from the Internet - in that case you leave the ports on the SM server as they are (assuming you use the same server IP address for both WAN and LAN access to SM).

CCWH Replied

2/25/2015 at 1:19 PM

Thanks for the reply.

Unfortunately blocking the ports via firewall will not work as it would block the secure TLS traffic. If we went backwards and went to SSL (993/995) then we could...but that seems..well...backward. We should be able to use TLS on the native TLS ports which are 110/143 but disallow any non-TLS connections.

We do not have the non-TLS port bindings ticked...which we would have expected would stop non-secure connections and only allow the TLS connections via the selected ports that use the certificate...this sadly isn't the case.

Joe Wolf Replied

2/25/2015 at 7:35 PM

Go into Settings, Bindings, Ports, and delete the default POP and IMAP ports. Leave the TLS binding for the same port numbers. This should force TLS.

Thanks, -Joe

Paul Blank Replied

2/25/2015 at 9:24 PM

I've long thought that the "Native" TLS ports are the same as SSL ports (993/995/465). I did some web searches and believe that my assumptions are correct. It makes little sense to have them the same as ports for non-encrypted traffic - 143/110/25, for "obvious" reasons.

Please check this for yourself and let me know if I'm wrong.

Joe Wolf Replied

2/25/2015 at 9:54 PM

It's already been answered above.

Thanks, -Joe

Paul Blank Replied

2/26/2015 at 7:41 AM

And I have been wrong before. I'm sure I'll be wrong again soon. :>

Joe Wolf Replied

2/26/2015 at 8:08 AM

Paul, no the SSL ports are different and useless at this point. If your server is properly configured 993/995/456 are pretty much useless. The TLS ports are on the same as the non-encrypted ports 25/587/110/143. So for each of those ports you have two bindings for each port (a standard port and TLS port). So if you removed the standard ports that would mean anything coming across those ports would have to be TLS. I would not do this for port 25 since you wouldn't be able to communicate with servers that don't support TLS. But if you have a very small user base that you can control tightly and want all To/From communication via TLS you can do it.

Thanks, -Joe

csoft Replied

3/11/2015 at 2:43 PM

I've tried this but POP3 on 110 still allow unencrypted login. Port 110 is mapped to TLS, old port 110 deleted. Any solutions??

csoft Replied

3/11/2015 at 2:52 PM

I think the solution may to stop listening on 110 and force users to use another port for POP (like 995).

Back to Community Threads

Please leave this box unchecked

9 Replies

Reply to Thread

Tags

Related Knowledge Base Articles