[MlMt] 143 or 993 . . . and security
Pete Resnick
resnick at episteme.net
Thu Jan 23 09:18:42 EST 2020
On 23 Jan 2020, at 5:18, Benny Kjær Nielsen wrote:
> On 23 Jan 2020, at 10:35, Marc ARC wrote:
>
>> At first we thought we’ll use port 993 since this is secure. But
>> then we realised that port 143 can also be secure with StartTLS.
>> Or is 993 better since it secures before communicating and is it
>> future proof ?
>
> Port 993 mainly exists for historical reasons. Personally, I would
> keep both ports open and make sure that the use of STARTTLS is
> required for port 143. If you close one of these ports then it'll
> likely affect users at some point when configuring an email client
> which either defaults to 143 or 993 (or it might even not support
> both).
>
>> And with SMTP we are confronted with a choice 25 or 465 or 587 ? We
>> prefer 587 since it requires AUTH . . . but what about the security
>
> Port 587 is the standard for email submission (email client sending an
> email) and is equivalent to 143 for IMAP (it uses STARTTLS). Port 465
> is a mess (Microsoft), but some email clients might still expect it to
> work (Microsoft). Port 465 is kind of equivalent to port 993, but in
> practice I've seen servers using port 465 with STARTTLS making it
> behave like port 587.
>
> You'll also need port 25 because this is the standard port used when
> SMTP servers talk to each other.
>
> In a perfect world, only ports 25, 143 and 587 would exist.

Actually, current guidance is to go for the implicit TLS ports (465 and
993). See https://www.rfc-editor.org/rfc/rfc8314.html#section-3.

>> We have been googling but can’t seem to find the mail between the
>> ports
>>
>> Thanks in advance for your thoughts and reflections,
>
> You'll probably get other opinions, but the important part is to
> ensure that it's not possible to communicate on any port without
> encryption enabled (with or without STARTTLS).
>
> Security-wise, it is more important that you look into which TLS
> protocols you allow on the server, but I'm not qualified to make any
> recommendations on that:
> https://en.wikipedia.org/wiki/Transport_Layer_Security

Good info there. In addition to RFC 8314 above, you can also have a read
of https://www.fastmail.com/help/technical/ssltlsstarttls.html. A good
summary.

pr
--
Pete Resnick https://www.episteme.net/
All connections to the world are tenuous at best
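
Added example, not part of the original thread: a check for the point raised above that ports 143 and 587 must not allow authentication before STARTTLS, run over the capability banners a server sends in cleartext. The function names and sample banners are constructed for illustration; LOGINDISABLED is the IMAP capability (RFC 3501) that tells clients LOGIN is refused until TLS is active.

```python
# Audit the capabilities a mail server advertises BEFORE TLS is negotiated
# on the STARTTLS ports (IMAP 143, submission 587). Sample data is constructed.

def audit_imap(capability_line):
    """Findings for an IMAP greeting/CAPABILITY line seen pre-STARTTLS."""
    text = capability_line.upper().replace("[", " ").replace("]", " ")
    caps = set(text.split())
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN allowed in cleartext (no LOGINDISABLED)")
    for cap in sorted(c for c in caps if c.startswith("AUTH=")):
        findings.append(cap + " offered before TLS")
    return findings

def audit_smtp(ehlo_lines):
    """Findings for an SMTP EHLO reply (list of '250-...' lines) pre-STARTTLS."""
    keywords = {}
    for line in ehlo_lines[1:]:  # first line only names the server
        # Drop the "250-"/"250 " prefix; accept the legacy "AUTH=PLAIN" form.
        parts = line[4:].upper().replace("=", " ").split()
        if parts:
            keywords.setdefault(parts[0], set()).update(parts[1:])
    findings = []
    if "STARTTLS" not in keywords:
        findings.append("STARTTLS not offered")
    if "AUTH" in keywords:
        mechs = " ".join(sorted(keywords["AUTH"]))
        findings.append("AUTH offered before TLS: " + mechs)
    return findings

# Constructed banners: one server that enforces STARTTLS, one that does not.
IMAP_STRICT = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID IDLE STARTTLS LOGINDISABLED] ready"
IMAP_LAX = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN IDLE"
SMTP_STRICT = ["250-mail.example.test", "250-PIPELINING", "250-STARTTLS", "250 8BITMIME"]
SMTP_LAX = ["250-mail.example.test", "250-AUTH PLAIN LOGIN", "250 8BITMIME"]

if __name__ == "__main__":
    for name, result in [("imap strict", audit_imap(IMAP_STRICT)),
                         ("imap lax", audit_imap(IMAP_LAX)),
                         ("smtp strict", audit_smtp(SMTP_STRICT)),
                         ("smtp lax", audit_smtp(SMTP_LAX))]:
        print(name, "->", result or "ok")
```

An empty result means the cleartext phase offers nothing but the upgrade to TLS; the implicit TLS ports (993 and 465) have no such phase to audit.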