parsedmarc
IMAP: Support STARTTLS
The IMAP client currently only supports TLS over the legacy SSL protocol (direct handshake to port 993). However, there are mail servers out there which do not support that (anymore); they insist on STARTTLS to port 143.
The code change is easy (add a `starttls` flag; if this is set, the default port is 143, and call `starttls()` after connecting).
However, I would like to discuss the transition semantics here. Right now, IMAPS is the default, due to the default `ssl = True`.
There are several options, e.g.:

1. Make `ssl = False` imply `starttls = True` (there should be no plaintext passwords out there anyway); however, this might break some installations.
2. Make `starttls = True` override the `ssl = True` and `port = 993` defaults; then the default would be more complicated (requires handling that in a few places, probably, and might cause user confusion).
3. Make `starttls = True` and `port = 143` the new default.
I would prefer 3, as this should be the standard today; however, using 2 would break fewer things, even though the code might be more complex. Opinions?
(Maybe has some interaction with #189)
To add my 2 cents: Since the publication of RFC8314 in Jan. 2018, the usage of STARTTLS for IMAP, POP3 and message submission is discouraged. "Implicit TLS" (as the standard calls it) should be used for these services.
So changing the default to STARTTLS would be a step backwards.
I was not aware of RFC8314. So feel free to give this issue low priority or close with WONTFIX.
It works fine with STARTTLS. But over port 993. At least my hoster tells me they are only offering STARTTLS. Port 143 as suggested by them gives an error.
993 should not support `STARTTLS`. Instead, it is "Implicit TLS". Implicit TLS is what HTTPS does: Directly start the TLS handshake, and only after this is successful, send any data to the application-layer protocol.
STARTTLS instead starts with the application-layer protocol (in this case, IMAP), so some handshaking/feature detection can be done there. If the client would like to switch to TLS, it issues the `STARTTLS` command. Otherwise, they continue talking plaintext.