On 5/14/2013 12:39 PM, /dev/rob0 wrote:
> On Sun, May 12, 2013 at 05:40:10AM -0700, Professa Dementia wrote:
>> On 5/12/2013 4:17 AM, Steinar Bang wrote:
>>> I prefer not to use clear text passwords, even over an encrypted
>>> connection.
>> Why? Enforce the encrypted link by not allowing unencrypted
>> connections. The simplest is iptables to block ports 110 and 143,
>> while allowing 993 and 995.
> I don't understand this advice. Why would someone who is apparently
> interested in heightened transport security restrict himself to the
> older generation SSL v.2, which was long ago superseded by TLS v.1?

Forcing the connection to 993/995 does not imply SSLv2. TLSv1.[012] is still negotiated. There is no decrease in security.

> http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0
> http://wiki2.dovecot.org/SSL
>
> Quoting from the latter page:
>
> "Some admins want to require SSL/TLS, but don't realize that this is
> also possible with STARTTLS (Dovecot has disable_plaintext_auth=yes
> and ssl=required settings)."

It's not unreasonable to disable the plaintext ports to minimize the possibility of a fat-fingered accident.

-- 
Noel Jones
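The two Dovecot settings the quoted wiki page names, together with the listener change that removes the plaintext ports inside Dovecot instead of with iptables. This is an added example configuration, not text from the thread or from Dovecot's own documentation; the certificate and key paths and the hostname are assumptions.

```conf
# Added example (not from the thread). Certificate/key paths are assumed;
# substitute your own.

# Require SSL/TLS before any authentication. Ports 143 and 110 still
# answer, but only STARTTLS is accepted on them before a login.
ssl = required
ssl_cert = </etc/ssl/certs/mail.example.com.pem
ssl_key = </etc/ssl/private/mail.example.com.key

# Refuse plaintext mechanisms (LOGIN, PLAIN) on an unencrypted connection.
# Dovecot then advertises LOGINDISABLED in the IMAP capability list until
# STARTTLS has completed, so a client that tries LOGIN on bare port 143
# is rejected rather than leaking the password.
disable_plaintext_auth = yes

# Optional: the same effect as the iptables rules discussed above, done
# inside Dovecot. port = 0 disables a listener, leaving only the implicit
# TLS ports 993 and 995 open.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
```

Two checks after restarting: `doveconf -n` should show `ssl = required` and `disable_plaintext_auth = yes`, and, if the plaintext listeners were left enabled, `openssl s_client -connect mail.example.com:143 -starttls imap` should negotiate TLS while a bare connection to port 143 shows `STARTTLS` and `LOGINDISABLED` in the greeting's capability list. One caveat from the Dovecot documentation: a connection whose remote address equals the local address (a client on the same host) is treated as secure, so plaintext authentication is still allowed there; that does not weaken the protection for remote clients, but it matters if you test from the server itself.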