Linode Community Forums

Posted: Sat Nov 15, 2014 12:55 am (Senior Member; joined Wed Mar 03, 2010; 111 posts)
I looked up some instructions on disabling ssl3 in courier and found these settings:

IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

But I found that broke squirrelmail (on localhost). So I decided to allow non-encrypted logins only from localhost on port 143 (using https) and TLS1.0 connections on port 993 on the public IP address. The problem was, as long as I had "IMAP_TLS_REQUIRED=1" in my imapd-ssl config, courier required any connections on port 143 to begin with STARTTLS. In the imapd-ssl config file, the instructions say IMAP_TLS_REQUIRED is to force STARTTLS on everyone, not just "TLS". So I wondered if I could leave IMAP_TLS_REQUIRED=NO and rely on the fact that I've disabled SSL3 as a TLS_PROTOCOL. I tried it, and sure enough, when I did:

openssl s_client -connect <myhost>:993 -ssl3

the connection failed because as my server puts it, "Secure renegotiation IS NOT supported". So I think this is working despite the fact that in Outlook 2010, I have to connect using what it calls "SSL" on port 993. I'm guessing that this is the confusion I've been reading about (how mail clients refer to SSL/TLS/STARTTLS in different ways). What Outlook calls TLS (and defaults to port 143) is actually STARTTLS, and what Outlook calls SSL (port 993) can actually be TLS1.0. At least I'm assuming that's the case since my courier imap server listening on port 993 won't accept an SSL3 connection and I'm still able to get mail from Outlook. And I think that whoever created the config changes above saw "IMAP_TLS_REQUIRED" and may have assumed it should be "1" because TLS is now required over SSL, when in fact this line only refers to STARTTLS, and not the difference between SSL3 and TLS1.0?

I'm just wondering if this makes sense to anyone still using courier. I did notice that in the dovecot instructions on the same site I looked at, the only configuration change that was made was to disable SSL3, so I think the line to force STARTTLS may not be a requirement to secure courier from POODLE attacks, but I'm not sure.

Sorry, this may be a bit of a ramble; it's late and I've been trying to wrap my head around this for a while.
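Added example, not code from the post or from courier itself: a small Python audit of the five imapd-ssl settings quoted above, encoding the distinction the poster worked out (IMAP_TLS_REQUIRED governs STARTTLS on 143; TLS_PROTOCOL governs the implicit-TLS listener on 993), plus a live per-version handshake check for 993 in place of `openssl s_client -ssl3`. The rule that a TLS_PROTOCOL value starting with "TLS" excludes SSLv3, and the finding strings, are my assumptions drawn from the post, not from courier's source.

```python
import socket
import ssl

# Constructed sample: the settings quoted in the post, not a real server's file.
SAMPLE_IMAPD_SSL = """\
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
"""


def parse_courier_conf(text):
    """Parse KEY=VALUE lines in courier's imapd-ssl style; skip blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf


def audit_courier_tls(conf):
    """Assumption (from the post): a TLS_PROTOCOL value starting with 'TLS'
    leaves SSLv3 out; any other value may still offer it."""
    findings = []
    if not conf.get("TLS_PROTOCOL", "").upper().startswith("TLS"):
        findings.append("993: SSLv3 not excluded by TLS_PROTOCOL")
    if (conf.get("IMAPDSTARTTLS", "").upper() == "YES"
            and not conf.get("TLS_STARTTLS_PROTOCOL", "").upper().startswith("TLS")):
        findings.append("143 STARTTLS: SSLv3 not excluded by TLS_STARTTLS_PROTOCOL")
    if conf.get("IMAP_TLS_REQUIRED") == "1":
        # The knob that broke the poster's localhost webmail: it forces STARTTLS
        # on port 143 and says nothing about SSLv3 versus TLS.
        findings.append("143: STARTTLS forced for every client")
    else:
        findings.append("143: plaintext logins accepted (unaffected by TLS_PROTOCOL)")
    return findings


def probe_tls_versions(host, port=993, timeout=5):
    """One handshake per TLS version -> {name: negotiated version or None}.
    SSLv3 is absent because current OpenSSL builds cannot speak it at all."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # version probe only, not a trust check
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock, \
                    ctx.wrap_socket(sock, server_hostname=host) as tls:
                results[ver.name] = tls.version()
        except (ssl.SSLError, OSError, ValueError):
            results[ver.name] = None
    return results
```

Run `audit_courier_tls(parse_courier_conf(open("/etc/courier/imapd-ssl").read()))` against a real file, and `probe_tls_versions("mail.example.invalid")` against your own listener to see which versions it still negotiates.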

