On 23 Jan 2020, at 5:18, Benny Kjær Nielsen wrote:

> On 23 Jan 2020, at 10:35, Marc ARC wrote:
>
>> At first we thought we’ll use port 993 since this is secure. But
>> then we realised that port 143 can also be secure with StartTLS.
>> Or is 993 better since it secures before communicating and is it
>> future proof?
>
> Port 993 mainly exists for historical reasons. Personally, I would
> keep both ports open and make sure that the use of STARTTLS is
> required for port 143. If you close one of these ports then it'll
> likely affect users at some point when configuring an email client
> which either defaults to 143 or 993 (or it might even not support
> both).
>
>> And with SMTP we are confronted with a choice 25 or 465 or 587? We
>> prefer 587 since it requires AUTH . . . but what about the security
>
> Port 587 is the standard for email submission (email client sending an
> email) and is equivalent to 143 for IMAP (it uses STARTTLS). Port 465
> is a mess (Microsoft), but some email clients might still expect it to
> work (Microsoft). Port 465 is kind of equivalent to port 993, but in
> practice I've seen servers using port 465 with STARTTLS making it
> behave like port 587.
>
> You'll also need port 25 because this is the standard port used when
> SMTP servers talk to each other.
>
> In a perfect world, only ports 25, 143 and 587 would exist.

Actually, current guidance is to go for the implicit TLS ports (465 and
993). See https://www.rfc-editor.org/rfc/rfc8314.html#section-3.

>> We have been googling but can’t seem to find the mail between the
>> ports
>>
>> Thanks in advance for your thoughts and reflections,
>
> You'll probably get other opinions, but the important part is to
> ensure that it's not possible to communicate on any port without
> encryption enabled (with or without STARTTLS).
>
> Security-wise, it is more important that you look into which TLS
> protocols you allow on the server, but I'm not qualified to make any
> recommendations on that:
> https://en.wikipedia.org/wiki/Transport_Layer_Security

Good info there. In addition to RFC 8314 above, you can also have a read
of https://www.fastmail.com/help/technical/ssltlsstarttls.html. A good
summary.
pr
--
Pete Resnick https://www.episteme.net/
All connections to the world are tenuous at best
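
The requirement discussed in this thread, that ports 143 and 587 must not allow authentication before STARTTLS, can be checked from what the server advertises before TLS. The following is an added example, not part of the original messages: the function names and the sample responses (including the host `mail.example.test`) are constructed, and it audits advertised capabilities only, not what the server actually enforces.

```python
# Added example: audit what a mail server advertises BEFORE TLS on the
# STARTTLS ports (143 IMAP, 587 submission). Function names are hypothetical.

def audit_imap_pre_tls(capability_text: str) -> list[str]:
    """Findings for an IMAP greeting or CAPABILITY response seen before STARTTLS."""
    # Greetings wrap capabilities in [CAPABILITY ...]; drop the brackets.
    caps = {c.upper() for c in capability_text.replace("[", " ").replace("]", " ").split()}
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:  # RFC 3501: LOGIN is refused when this is present
        findings.append("LOGIN allowed in cleartext (no LOGINDISABLED)")
    mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    if mechs:
        findings.append("AUTH offered before TLS: " + ",".join(mechs))
    return findings

def audit_smtp_pre_tls(ehlo_response: str) -> list[str]:
    """Findings for an SMTP EHLO response seen before STARTTLS."""
    keywords, auth_mechs = set(), []
    for line in ehlo_response.splitlines()[1:]:  # first line is the greeting
        if len(line) < 4 or not line.startswith("250"):
            continue
        # Normalise the legacy "AUTH=PLAIN LOGIN" form to "AUTH PLAIN LOGIN".
        parts = line[4:].replace("=", " ").split()
        if not parts:
            continue
        keywords.add(parts[0].upper())
        if parts[0].upper() == "AUTH":
            auth_mechs = sorted(m.upper() for m in parts[1:])
    findings = []
    if "STARTTLS" not in keywords:
        findings.append("STARTTLS not offered")
    if auth_mechs:
        findings.append("AUTH offered before TLS: " + ",".join(auth_mechs))
    return findings

# Constructed sample responses (not captured from a real server).
IMAP_STRICT = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
IMAP_LAX = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"
SMTP_STRICT = "250-mail.example.test\n250-SIZE 52428800\n250-STARTTLS\n250 8BITMIME"
SMTP_LAX = "250-mail.example.test\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    for name, result in [("imap strict", audit_imap_pre_tls(IMAP_STRICT)),
                         ("imap lax", audit_imap_pre_tls(IMAP_LAX)),
                         ("smtp strict", audit_smtp_pre_tls(SMTP_STRICT)),
                         ("smtp lax", audit_smtp_pre_tls(SMTP_LAX))]:
        print(name, "->", result or "OK")
```

An empty result means the server advertises STARTTLS and offers no way to authenticate before it; the implicit TLS ports (465 and 993) need no such check because the TLS handshake precedes any protocol exchange.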