Results 1 to 15 of 15
  1. #1
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    20,893
    Level
    63

    Exclamation Has anyone got STARTTLS to work for IMAP?

    I thought I had an issue with Outlook 2010 being old, so as a test I got the latest version of Thunderbird which clearly supports STARTTLS.

    I changed my server back to TLSv1 temporarily for both TLS and STARTTLS connections and was not able to connect using STARTTLS on port 143.
    If I changed it back to the standard TLS on port 993 it works fine.

    So trying to figure out if there is a STARTTLS issue on my server, my computer (Windows 10), or something with STARTTLS in general on interworx CentOS 7 servers???

    I mean I assume most people, including me, still just use the old way of having explicit ports for secure channels, but this should work as it's enabled on the server by default.
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  2. #2
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    20,893
    Level
    63
    Well I just found this old post here from 2011 before STARTTLS was enabled:
    http://forums.interworx.com/threads/...light=starttls

    Quote Originally Posted by nars View Post
    I did noticed that starttls is not available on iworx courier imapd:

    telnet localhost 143

    Code:
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc.  See COPYING for distribution information.
    I do have a similar courier version on another machine (w/o iworx) and it does support it:

    Code:
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc.  See COPYING for distribution information.
    I did compared configuration files and they are very very similar, I guess the problem may be related to the way iworx uses courier with tcpserver, any ideas to sort it?

    When I checked mine with telnet I seem to not be supporting it, which explains why it isn't working.
    Code:
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc.  See COPYING for distribution information.
    The conf file does have it though. So maybe this is a bug?

    Code:
    ##NAME: IMAPDSTARTTLS:0
    #
    #  Whether or not to implement IMAP STARTTLS extension instead:
    
    IMAPDSTARTTLS=YES
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  3. #3
    Join Date
    Apr 2012
    Posts
    1,963
    Points
    17,439
    Level
    57
    Hi Justin

    The test I did this morning was using TLS on 143 I think from memory

    Also, it maybe tired eyes here, but I cannot see any difference in your telnet output sorry

    I'll rerun my tls test to be sure

    Many thanks

    John

  4. #4
    Join Date
    Apr 2012
    Posts
    1,963
    Points
    17,439
    Level
    57
    Hi Justin

    Sorry, the test port was 993

    I thought I would check, and a quick google shows imaps should only work on port 993 for SSL or TLS, with imap only using 143

    So starttls on port 143 would not work by design. Starttls does work on pop and smtp as it should

    I hope that helps, and guess I should have checked that this morning sorry

    Many thanks

    John

  5. #5
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    20,893
    Level
    63
    My telnet does not give me the STARTTLS as an option as it should.

    What does yours show if you telnet host.com 143??
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  6. #6
    Join Date
    Apr 2012
    Posts
    1,963
    Points
    17,439
    Level
    57
    Hi Justin
    Sorry, my 1 brain cell is not working, so please disregard my comment over starttls on imap, it is possible.
    My telnet gives below, and running starttls gives no errors on imap
    Many thanks
    John
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THRE
    AD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 Double Pr
    ecision, Inc. See COPYING for distribution information.

  7. #7
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    20,893
    Level
    63
    Hey John, I had no idea about STARTTLS stuff until this week. I've always gone with the secure and unsecure ports. But they are trying to bring one service / one port. So both secure and unsecure on one port.

    So SSL/TLS (basically the same thing, TLS is just newer SSL) works on port 993.
    STARTTLS runs on port 143, and basically allows port 143 IMAP to be secure.


    When I telnet to port 143 I expect to get this:

    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE STARTTLS] Courier-IMAP ready.

    But I get this:

    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready.
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  8. #8
    Join Date
    Apr 2012
    Posts
    1,963
    Points
    17,439
    Level
    57
    Hi Justin

    Yes, I know what your saying

    Starttls upgrades to connection to secure, which I believe should go from 143 to 993, just as smtp goes from 25 to 587 (that's why you cannot create a secure 587 directly)

    Your correct with SSL and TLS, but in simple terms, the connection is not bothered if it's SSL or TLS, it just knows to use secure, then negotiate a cipher i.e. TLS is replacement for SSL

    It should work on imap so I'll email Iw this thread, and kudos to you

    Many thanks and have a lovely night

    John

  9. #9
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    20,893
    Level
    63
    Quote Originally Posted by d2d4j View Post
    Starttls upgrades to connection to secure, which I believe should go from 143 to 993
    This is incorrect. The idea of STARTTLS is to eliminate the need to have 2 ports for 1 service. So that both secure and not secure can run on port 25, port 110, and port 143. Then you have the option to require secure (TLS) or not. So you can continue to support both nonsecure and secure connection on IMAP 143 or just make it secure only on 143.


    Quote Originally Posted by d2d4j View Post
    just as smtp goes from 25 to 587 (that's why you cannot create a secure 587 directly)
    SMTP you can go secure on port 25 or 587, both use STARTTLS.

    Originally, before STARTTLS, I believe the secure port for SMTP was 465. After STARTTLS they got rid of that port completely.
    Port 587 was created as a SMTP submission port, basically for user sending emails from a program like outlook to connect to the server.
    Now port 25 is supposed to be used just for server to server communication.

    Have a good night as well!
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  10. The Following User Says Thank You to Justec For This Useful Post:


  11. #10
    Join Date
    Apr 2012
    Posts
    1,963
    Points
    17,439
    Level
    57
    Hi Justin

    Your 100% correct on starttls

    I can be slow sorry, but for some reason, I always believed the port was changed - absolutely no idea why I came to that conclusion sorry

    I do not think port 25 would ever be solely used for server to server only, I think it has been a lifetime of all user usage, and will continue to be

    I emailed Iw the thread

    Many thanks

    John

  12. #11
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    20,893
    Level
    63
    Quote Originally Posted by d2d4j View Post
    I do not think port 25 would ever be solely used for server to server only, I think it has been a lifetime of all user usage, and will continue to be
    Right, this is just "the plan." Similar to the plan to get rid of port 993 and 995 for secure POP and IMAP. But most server still support that because older client email programs can't use STARTTLS.

    I have a information ticket open with iworx as well on the STARTTLS issue. I'm still not sure if it's just something I did on my server or a real issue. I guess a lot of people still use 993 and 995 so it could be a real issue.
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  13. #12
    Join Date
    Apr 2012
    Posts
    1,963
    Points
    17,439
    Level
    57
    Hi Justin

    Many thanks, but I do think as these ports are already assigned for usage, it will take many many years, even when old client software has been updated or no longer used. E.g. iPhone 5, 6 and 7 (iOS10), still allow 993, and defaults to 993

    It's just my thoughts though, and I'm usually wrong sorry

    I had a quick login look at imapd/imapd-ssl, including dist and cf, and it does look like starttls has not been set in imapd, though starttls was set 1 on imapd, with starttls option left out on imapd. So that would indicate to me from the quick look, that it is intentional for imap to use imapd 143 and imapd-ssl 993

    I could be wrong though, so apologies in advance and appreciate an update once Iw have resolved it

    Many thanks

    John

  14. #13
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    20,893
    Level
    63
    Yes, moving away from 993 / 995 is more of a client issue. Until all the old clients that only use regular TLS on 993/995 are phased out, servers will have to continue to support these ports.
    I would just like to offer the new way of doing it to clients that can use it.

    Quote Originally Posted by d2d4j View Post
    I had a quick login look at imapd/imapd-ssl, including dist and cf, and it does look like starttls has not been set in imapd, though starttls was set 1 on imapd, with starttls option left out on imapd. So that would indicate to me from the quick look, that it is intentional for imap to use imapd 143 and imapd-ssl 993
    I heard back from interworx and they said only support STARTTLS for SMTP. So basically right now the interworx server doesn't support this new way of making secure IMAP and POP3 connections.

    What's strange to me is that in the imapd-ssl.conf, there is a reference to the STARTTLS. But if imapd-ssl.conf is only for the imap4-ssl service, then having STARTTLS in there doesn't make sense. If you connect to port 993, that is already a secure port by default. So you would never issue a STARTTLS command. It's redundant.

    I've asked this question about "what's the point of STARTTLS on port 993" and waiting to hear back.

    But as of now, it just seems it's not an option for interworx.
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  15. #14
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    20,893
    Level
    63
    I have my test VM server setup now. I'm currently testing the MariaDB upgrade against some of my larger sites before I apply to my main server.

    After I complete that I am going to try upgrading Courier-IMAP server to see if that enables STARTTLS. I'll report back here after I get to that.
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  16. #15
    Join Date
    Apr 2012
    Posts
    1,963
    Points
    17,439
    Level
    57
    Hi Justin

    Good luck, hope it goes well

    Many thanks

    John

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •