SSL, TLS, STARTTLS, Courier IMAP, Squirrelmail

I can’t find any good documentation on SSL/TLS and courier-imap’s imapd and imapd-ssl daemons, so I’m taking a crack at it. First, some background on TLS and SSL.

TLS is the newer version of SSL, i.e. SSLv1 < SSLv2 < SSLv3 < TLSv1, so TLS is actually the better (more recent) protocol, not a different thing from SSL.

They work the same way most of the time. Both SSL and TLS can be run as implicit encrypted connections, meaning the handshake starts as soon as the TCP connection is made and every IMAP byte is already inside the encrypted channel. This is what you'll see on port 993 (IMAPS) most of the time.

Additionally, TLS can begin AFTER the connection is made. That is, you open an unencrypted connection (say, to the standard IMAP port 143), see STARTTLS in the server's CAPABILITY response, send the STARTTLS command, and only then begin speaking TLS on the same socket.

Normally these finer points aren't important, but if you're trying to set up Courier IMAP you can run into some glitches. I'm running OpenBSD 3.7 with courier-imap-3.0.5p2 installed from the BSD ports tree. This is the behaviour I've observed on MY system; your mileage may vary.

The imapd-ssl.rc script starts a process that only speaks SSL/TLS from the first byte, so you have to connect with an SSL/TLS client. This script does not implement STARTTLS; if you want STARTTLS, keep reading. The imapd-ssl.rc script listens for SSL/TLS on the port specified in SSLPORT (usually 993).

The Courier documentation led me to believe that /etc/courier-imap/imapd-ssl only affects the behaviour of the imapd-ssl process. This is not the case on my system: the STARTTLS settings in imapd-ssl affect the normal imapd process (port 143). If IMAPDSTARTTLS=YES, STARTTLS is advertised in the server's CAPABILITY response. If IMAP_TLS_REQUIRED=1, the client MUST send STARTTLS before it is allowed to log in. If IMAP_TLS_REQUIRED=0, STARTTLS is optional and a plaintext login is accepted.

So, if you want to use STARTTLS, run imapd but configure the STARTTLS settings in /etc/courier-imap/imapd-ssl. If you want SSL/TLS to begin immediately on connection, run imapd-ssl (still configure imapd-ssl for the certificate and port, but the STARTTLS settings won't have any effect on it).
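As an added example (this is not code from the original post or from the Courier project), the script below maps the three behaviours described above onto what a client actually sees on port 143: no STARTTLS in CAPABILITY, STARTTLS offered but plaintext login still allowed, or STARTTLS required. It also shows both connection styles against a live server: an explicit STARTTLS upgrade on 143 and an implicit TLS connection on 993, using Python's standard imaplib. The sample CAPABILITY lines are constructed, the host name is a placeholder, and the idea that a server signals "TLS required" with the LOGINDISABLED capability is the RFC 2595 convention, assumed here rather than taken from the post.

```python
"""
Added example, not from the original post or the Courier project.
Classifies what an IMAP server on port 143 will let a client do, based on
its CAPABILITY response, and probes a live server over STARTTLS (143) and
implicit TLS (993). Assumptions: the LOGINDISABLED convention from RFC 2595
and the placeholder host name; neither comes from the post.
"""
import imaplib
import ssl

# Constructed sample CAPABILITY lines for the three configurations discussed
# in the post. Real Courier banners list more extensions; only STARTTLS and
# LOGINDISABLED matter for this classification.
SAMPLE_NO_STARTTLS = "* CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT"
SAMPLE_STARTTLS_OPTIONAL = "* CAPABILITY IMAP4rev1 CHILDREN NAMESPACE STARTTLS"
SAMPLE_STARTTLS_REQUIRED = "* CAPABILITY IMAP4rev1 CHILDREN NAMESPACE STARTTLS LOGINDISABLED"


def parse_capabilities(line):
    """Turn an untagged '* CAPABILITY ...' line (or a bare token list) into an
    upper-cased set of capability tokens."""
    if isinstance(line, bytes):
        line = line.decode("ascii", "replace")
    tokens = line.strip().split()
    if [t.upper() for t in tokens[:2]] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def classify_plain_port(caps):
    """Map the capability set seen on port 143 (before any STARTTLS) onto the
    imapd-ssl settings from the post:
      no STARTTLS token             -> IMAPDSTARTTLS=NO     ("plaintext-only")
      STARTTLS and LOGINDISABLED    -> IMAP_TLS_REQUIRED=1  ("starttls-required")
      STARTTLS, LOGIN still allowed -> IMAP_TLS_REQUIRED=0  ("starttls-optional")
    Assumption: the server advertises LOGINDISABLED when it requires TLS, as
    RFC 2595 recommends. A server that only rejects LOGIN at login time is
    reported as "starttls-optional" by this function."""
    if "STARTTLS" not in caps:
        return "plaintext-only"
    if "LOGINDISABLED" in caps:
        return "starttls-required"
    return "starttls-optional"


def is_safe_for_plaintext_client(classification, server_is_localhost):
    """A client with no STARTTLS support (the Squirrelmail case in the post)
    can only log in when the server does not require TLS, and sending the
    login in the clear is only acceptable when the server is on the same
    host, so it never crosses a network."""
    if classification == "starttls-required":
        return False
    return server_is_localhost


def probe_starttls(host, port=143, timeout=10):
    """Connect in the clear, read CAPABILITY, then upgrade with STARTTLS.
    Returns (classification before the upgrade, capabilities after it, or
    None when the server offered no STARTTLS)."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        before = classify_plain_port(parse_capabilities(" ".join(conn.capabilities)))
        if before == "plaintext-only":
            return before, None
        conn.starttls(ssl_context=ctx)  # raises if STARTTLS was not advertised
        # imaplib re-reads CAPABILITY inside the encrypted channel.
        return before, parse_capabilities(" ".join(conn.capabilities))
    finally:
        conn.logout()


def probe_implicit_tls(host, port=993, timeout=10):
    """Implicit TLS: the handshake happens before any IMAP bytes are sent."""
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    try:
        return parse_capabilities(" ".join(conn.capabilities))
    finally:
        conn.logout()


if __name__ == "__main__":
    for sample in (SAMPLE_NO_STARTTLS, SAMPLE_STARTTLS_OPTIONAL, SAMPLE_STARTTLS_REQUIRED):
        print(classify_plain_port(parse_capabilities(sample)), "<-", sample)
    # Live probes; "imap.example.invalid" is a placeholder, replace it with your host:
    # print(probe_starttls("imap.example.invalid"))
    # print(probe_implicit_tls("imap.example.invalid"))
```

The classification runs offline on the constructed lines; the two probe functions need a reachable server and a certificate that validates against the system trust store, which is also the setting you want before pointing a real mail client at the server.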

Squirrelmail doesn't support STARTTLS, so you'll need to either run TLS on port 993 (Squirrelmail doesn't support SSL), or make STARTTLS optional on 143. STARTTLS optional means Squirrelmail would be talking plainly to the server, which is BAD if your IMAP server is not localhost: the login and the mail cross the network in the clear, and any client that falls back to plaintext can be downgraded by someone on the path who strips STARTTLS from the CAPABILITY response. I'm not aware of any security concerns for an unencrypted connection to localhost, though. PLEASE correct me if I'm wrong.
