I thought I had an issue with Outlook 2010 being old, so as a test I got the latest version of Thunderbird which clearly supports STARTTLS.
I changed my server back to TLSv1 temporarily for both TLS and STARTTLS connections and was not able to connect using STARTTLS on port 143.
If I changed it back to the standard TLS on port 993 it works fine.
So trying to figure out if there is a STARTTLS issue on my server, my computer (Windows 10), or something with STARTTLS in general on interworx CentOS 7 servers???
I mean I assume most people, including me, still just use the old way of having explicit ports for secure channels, but this should work as it’s enabled on the server by default.
[QUOTE=nars;18782]I did notice that starttls is not available on iworx courier imapd:
telnet localhost 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.
I do have a similar courier version on another machine (w/o iworx) and it does support it:
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
I did compare configuration files and they are very very similar, I guess the problem may be related to the way iworx uses courier with tcpserver, any ideas to sort it?[/QUOTE]
When I checked mine with telnet I seem to not be supporting it, which explains why it isn’t working.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.
The conf file does have it though. So maybe this is a bug?
##NAME: IMAPDSTARTTLS:0
#
# Whether or not to implement IMAP STARTTLS extension instead:
IMAPDSTARTTLS=YES
Hi Justin
Sorry, my 1 brain cell is not working, so please disregard my comment over starttls on imap, it is possible.
My telnet gives below, and running starttls gives no errors on imap
Many thanks
John
OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.
Hey John, I had no idea about STARTTLS stuff until this week. I’ve always gone with the secure and unsecure ports. But they are trying to bring one service / one port. So both secure and unsecure on one port.
So SSL/TLS (basically the same thing, TLS is just newer SSL) works on port 993.
STARTTLS runs on port 143, and basically allows port 143 IMAP to be secure.
When I telnet to port 143 I expect to get this:
OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE STARTTLS] Courier-IMAP ready.
But I get this:
OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready.
Starttls upgrades the connection to secure, which I believe should go from 143 to 993, just as smtp goes from 25 to 587 (that’s why you cannot create a secure 587 directly)
You’re correct with SSL and TLS, but in simple terms, the connection is not bothered if it’s SSL or TLS, it just knows to use secure, then negotiate a cipher i.e. TLS is replacement for SSL
It should work on imap so I’ll email Iw this thread, and kudos to you
This is incorrect. The idea of STARTTLS is to eliminate the need to have 2 ports for 1 service. So that both secure and not secure can run on port 25, port 110, and port 143. Then you have the option to require secure (TLS) or not. So you can continue to support both nonsecure and secure connection on IMAP 143 or just make it secure only on 143.
SMTP you can go secure on port 25 or 587, both use STARTTLS.
Originally, before STARTTLS, I believe the secure port for SMTP was 465. After STARTTLS they got rid of that port completely.
Port 587 was created as a SMTP submission port, basically for user sending emails from a program like outlook to connect to the server.
Now port 25 is supposed to be used just for server to server communication.
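The thread checks for STARTTLS by eyeballing the telnet greeting on 143 and talks about the same extension on SMTP 25/587. The script below is an added example, not code from the thread or from InterWorx: it parses the Courier greeting lines quoted above (copied here as constructed offline test input), classifies a server as offering STARTTLS or plaintext-only, and includes live checks for IMAP and SMTP that upgrade the connection with certificate verification. The hostnames/ports are assumptions you supply.

```python
import imaplib
import re
import smtplib
import ssl

# Greeting lines as quoted in the thread (constructed copies used as offline test input).
GREETING_NO_STARTTLS = ("* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
                        "THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 "
                        "Double Precision, Inc. See COPYING for distribution information.")
GREETING_STARTTLS = ("* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
                     "THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready.")

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(greeting):
    """Return the set of upper-cased capability tokens from an IMAP greeting line."""
    m = _CAP_RE.search(greeting)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def classify_imap_greeting(greeting):
    """'starttls' if the plaintext port can be upgraded, 'plaintext-only' if STARTTLS
    is not advertised, 'unknown' if the greeting carries no CAPABILITY list at all."""
    caps = parse_capabilities(greeting)
    if not caps:
        return "unknown"
    return "starttls" if "STARTTLS" in caps else "plaintext-only"


def check_imap_starttls(host, port=143, timeout=10.0):
    """Live check (not run offline): connect in plaintext on `port`, read the advertised
    capabilities and, if STARTTLS is offered, upgrade with a verifying TLS context."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    result = {"host": host, "port": port, "starttls_advertised": False, "upgraded": False}
    with imaplib.IMAP4(host, port, timeout=timeout) as conn:
        result["starttls_advertised"] = "STARTTLS" in {c.upper() for c in conn.capabilities}
        if result["starttls_advertised"]:
            conn.starttls(ssl_context=ctx)  # raises ssl.SSLError on a bad certificate
            result["upgraded"] = True
    return result


def check_smtp_starttls(host, port=587, timeout=10.0):
    """Same question for SMTP submission: STARTTLS is an EHLO extension, not a greeting token."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return s.has_extn("starttls")
```

Run `check_imap_starttls("mail.example.com")` (placeholder host) against a server: a result with `starttls_advertised` False mirrors the greeting in this thread, while port 993 is implicit TLS and is checked with `imaplib.IMAP4_SSL` instead.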
Right, this is just “the plan.” Similar to the plan to get rid of port 993 and 995 for secure POP and IMAP. But most server still support that because older client email programs can’t use STARTTLS.
I have an information ticket open with iworx as well on the STARTTLS issue. I’m still not sure if it’s just something I did on my server or a real issue. I guess a lot of people still use 993 and 995 so it could be a real issue.
Many thanks, but I do think as these ports are already assigned for usage, it will take many many years, even when old client software has been updated or no longer used. E.g. iPhone 5, 6 and 7 (iOS10), still allow 993, and defaults to 993
It’s just my thoughts though, and I’m usually wrong sorry
I had a quick login look at imapd/imapd-ssl, including dist and cf, and it does look like starttls has not been set in imapd, though starttls was set 1 on imapd, with starttls option left out on imapd. So that would indicate to me from the quick look, that it is intentional for imap to use imapd 143 and imapd-ssl 993
I could be wrong though, so apologies in advance and appreciate an update once Iw have resolved it
Yes, moving away from 993 / 995 is more of a client issue. Until all the old clients that only use regular TLS on 993/995 are phased out, servers will have to continue to support these ports.
I would just like to offer the new way of doing it to clients that can use it.
[QUOTE=d2d4j;29415]
I had a quick login look at imapd/imapd-ssl, including dist and cf, and it does look like starttls has not been set in imapd, though starttls was set 1 on imapd, with starttls option left out on imapd. So that would indicate to me from the quick look, that it is intentional for imap to use imapd 143 and imapd-ssl 993[/QUOTE]
I heard back from interworx and they said they only support STARTTLS for SMTP. So basically right now the interworx server doesn’t support this new way of making secure IMAP and POP3 connections.
What’s strange to me is that in the imapd-ssl.conf, there is a reference to the STARTTLS. But if imapd-ssl.conf is only for the imap4-ssl service, then having STARTTLS in there doesn’t make sense. If you connect to port 993, that is already a secure port by default. So you would never issue a STARTTLS command. It’s redundant.
I’ve asked this question about “what’s the point of STARTTLS on port 993” and waiting to hear back.
But as of now, it just seems it’s not an option for interworx.