Allow admins to set secure protocol for ports as SSL/TLS (both)
Idea shared by Neal Culiner - 8/9/2019 at 7:51 AM
Proposed
Do we really need to set one or the other as SSL or TLS, or can the mail server not determine the protocol to use automatically? I believe it would be beneficial to allow us to configure a port as NONE, SSL, TLS, or SSL/TLS, the last of which lets the system decide on the protocol based on the caller. Isn't this how other secure channels work, such as Windows automatically figuring out which to use?

Neal, for SSL (implicit), the server has no way to decide whether the communication should be secured or not; that's why it uses a different port.

TLS is another story. When a client connects to such a port, it first connects using non-secure transmission. The server then announces the STARTTLS capability, and if the client supports TLS, client and server start negotiating a TLS handshake, and then the channel is secured. That's why it can use the standard port.

Best practices would be to have:
- SMTP port 25 accepting clear and STARTTLS for inter-server communication, and only allowing user authentication if the session has been secured by STARTTLS.
- Submission port 587 should only allow auth with STARTTLS.
- IMAP port 143 only allows login with STARTTLS.
- IMAP port 993 is IMAP implicit SSL.
- POP3 port 110 only allows login with APOP secure login.
- POP3 port 995 is POP3 implicit SSL.

This setup makes sure no client would ever transmit authentication info in clear text.

Sébastien Riccio System & Network Admin https://swisscenter.com
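As an added example (not part of this thread, and not the mail product's own code), here is a small Python model of the STARTTLS negotiation Sébastien describes, applied to the submission-port rule above: the server accepts the clear-text EHLO, advertises STARTTLS only while the channel is still unencrypted, and refuses AUTH until the upgrade has happened. The hostnames, the capability list and the credential placeholder are constructed values; the TLS handshake itself is represented by a state flag rather than real crypto, so the exchange runs offline.

```python
class SubmissionServer:
    """Toy SMTP submission server (port 587 policy from the reply above):
    clear text is fine for the handshake, AUTH is refused until STARTTLS."""

    def __init__(self, hostname="mail.example.invalid"):  # placeholder name
        self.hostname = hostname
        self.tls_active = False
        self.authenticated = False

    def capabilities(self):
        caps = ["SIZE 35882577", "8BITMIME"]  # constructed capability list
        if self.tls_active:
            caps.append("AUTH PLAIN LOGIN")    # offered only on the secured channel
        else:
            caps.append("STARTTLS")            # offered only while still in clear
        return caps

    def handle(self, command):
        """Return the server's reply lines for one client command."""
        verb, _, _arg = command.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            lines = [self.hostname] + self.capabilities()
            # RFC 5321 multi-line reply: "250-" on all but the last line
            return ["250-" + l for l in lines[:-1]] + ["250 " + lines[-1]]
        if verb == "STARTTLS":
            if self.tls_active:
                return ["503 TLS already active"]
            self.tls_active = True  # a real server runs the TLS handshake here
            return ["220 Ready to start TLS"]
        if verb == "AUTH":
            if not self.tls_active:
                # RFC 3207 wording for a server that requires TLS first
                return ["530 Must issue a STARTTLS command first"]
            self.authenticated = True
            return ["235 Authentication successful"]
        return ["502 Command not implemented"]


def parse_ehlo(reply_lines):
    """Parse a multi-line 250 EHLO reply into the set of capability keywords."""
    if not reply_lines or not all(l.startswith("250") for l in reply_lines):
        raise ValueError("unexpected EHLO reply: %r" % (reply_lines,))
    # first line is the server's greeting hostname, the rest are extensions
    return {l[4:].split()[0].upper() for l in reply_lines[1:] if len(l) > 4}


def secure_login(server, transcript=None):
    """Client side: EHLO, upgrade with STARTTLS if offered, EHLO again
    (capabilities change after TLS), then AUTH only on the secured channel.
    Returns True when authentication succeeded without a clear-text AUTH."""
    def send(cmd):
        reply = server.handle(cmd)
        if transcript is not None:
            transcript.append(("C", cmd))
            transcript.extend(("S", l) for l in reply)
        return reply

    caps = parse_ehlo(send("EHLO client.example.invalid"))
    if "STARTTLS" not in caps:
        return False  # policy: never send credentials in clear
    if not send("STARTTLS")[0].startswith("220"):
        return False
    caps = parse_ehlo(send("EHLO client.example.invalid"))
    if "AUTH" not in caps:
        return False
    return send("AUTH PLAIN <credentials-elided>")[0].startswith("235")


def naive_login(server):
    """A client that skips STARTTLS; the server policy must reject it."""
    return server.handle("AUTH PLAIN <credentials-elided>")[0]


if __name__ == "__main__":
    srv = SubmissionServer()
    print("clear-text AUTH ->", naive_login(srv))
    log = []
    print("secure login ok ->", secure_login(srv, log))
    for side, line in log:
        print(side, line)
```

Running the script shows the clear-text AUTH answered with a 530, then the full C/S transcript of the successful path. The second EHLO after STARTTLS is the detail worth noticing: the capability list really does differ between the two states, which is exactly why the server can use one standard port for both clear inter-server traffic and authenticated submission.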