SSL, TLS, STARTTLS, Courier IMAP, Squirrelmail

I can’t find any good documentation on SSL/TLS and courier-imap’s imapd and imapd-ssl daemons, so I’m taking a crack at it. First, some background on TLS and SSL.

TLS is the newst version of SSL, ie. SSLv1 < SSLv2 < SSLv3 < TLSv1. So, TLS is actually better than SSL.

They work the same way…most of the time. SSL and TLS can both be negotiated as encrypted connections…meaning that the connection starts talking TLS or SSL as soon as it is made. This is what you’ll see over port 993 most of the time.

Additionally, TLS can begin AFTER the connection is made. That is, you would negotiate an unencrypted connection (say over the standard 143 IMAP port) discover that the server supports STARTTLS, send the STARTTLS command, and then begin speaking TLS.

Normally these finer points aren’t important, but if you’re trying to setup courier IMAP you can run into some glitches. Now, I’m running OpenBSD 3.7 with courier-imap-3.0.5p2 installed from the BSD ports tree. This is the operation I’ve observed on MY system, your mileage may vary.

the imapd-ssl.rc script runs a process that only speaks TLS or SSL, so you have to connect using SSL or TLS. This script does not implement STARTTLS. If you want to use STARTTLS, keep reading. the imad-ssl.rc script will run SSL or TLS over the port specified in SSLPORT (usually 993.

The courier documentation led me to believe that /etc/courier-imap/imapd-ssl only affects the behavior of the imapd-ssl process. This is not the case on my system. The STARTTLS settings in imapd-ssl affect the normal imapd process. If IMAPDSTARTTLS=YES, then starttls is advertised when the server advertises CAPABILITY. If IMAP_TLS_REQUIRED=1, then the client MUST send STARTTLS in order to login. If IMAP_TLS_REQUIRED=0, then STARTTLS is optional.

So, if you want to use STARTTLS, run imapd, but configure /etc/courier-imap/imapd-ssl. If you want SSL/TLS to begin immediately on connection, run imapd-ssl (still configure imapd-ssl, but the TLS settings won’t have any effect).

Squirremail doesn’t support STARTTLS, so you’ll need to either run TLS on port 993 (Squirrelmail doesn’t support SSL), or make STARTTLS optional on 143. STARTTLS optional means squirrelmail would be talking plainly to the server, this is BAD if your IMAP server is not localhost. I’m not aware of any security concerns for an unencrypted connection to localhost, though. PLEASE correct me if I’m wrong.

Quote

Dad: …And every time you open the hood, you should do a verbal inspection of everything…
Me: Verbal inspection? So like “Hi, Mr. Fan Belt, how are you? I’m fine, thanks…”

Quote

Seen today written on a toilet seat cover dispenser in a University of Washington bathroom:

“George W. campaign party hats”

 

Dietrich Bonhoeffer Quote

The Christian is not a homo religiosus but simply a man as Jesus (in distinction from John the Baptist) was a man…Not the flat and banal ‘This-sidedness’ of the Enlightened, of the deep ‘This-sidedness’ which is full of discipline and in which the knowledge of the Death and Resurrection is always present, this is what I mean. When a man really gives up trying to make something of himself–a saint, or a converted sinner, or a churchman (a so-called clerical somebody), a righteous or unrighteous man,…when in the fullness of tasks, questions, success or ill-hap, experiences and perplexities, a man throws him into the arms of God…then he awakes with Christ in Gethsemane. That is faith, that is metanoia and it is thus that he becomes a man and a Christian. How can a man wax arrogant if in a this-sided life he shares the suffering of God?

–Dietrich Bonhoeffer