Open MarcelWaldvogel opened 3 years ago
To add my 2 cents: Since the publication of RFC8314 in Jan. 2018 the usage of STARTTLS for IMAP, POP3 and message submission is discouraged. "Implicit TLS" (as the standard calls it) should be used for these services.
So changing the default to STARTTLS would be a step backwards.
I was not aware of RFC8314. So feel free to give this issue low priority or close with WONTFIX.
It works fine with STARTTLS. But over port 993. At least my hoster tells me they are only offering STARTTLS. Port 143 as suggested by them gives an error.
993 should not support `STARTTLS`. Instead, it is "Implicit TLS". Implicit TLS is what HTTPS does: Directly start the TLS handshake, and only after this is successful, send any data to the application-layer protocol.
STARTTLS instead starts with the application-layer protocol (in this case, `IMAP`), so some handshaking/feature detection can be done there. If the client would like to switch to TLS, it issues the `STARTTLS` command. Otherwise, they continue talking plaintext.
The IMAP client currently only supports TLS over the legacy SSL protocol (direct handshake to port 993). However, there are mail servers out there which do not support that (anymore), they insist on `STARTTLS` to port 143.

The code change is easy (add a `starttls` flag; if this is set, the default port is 143 and call `starttls()` after connecting).

However, I would like to discuss the transition semantics here. Right now, IMAPS is the default, due to default `ssl = True`.

There are several options, e.g.:

1. `ssl = False` imply `starttls = True` (there should be no plaintext passwords out there anyway); however, this might break some installations.
2. `starttls = True` override `ssl = True` and `port = 993` defaults; then the default would be more complicated (requires handling that in a few places, probably and might cause user confusion)
3. `starttls = True` and `port = 143` the new default.

I would prefer 3, as this should be the standard today; however, using 2 would break fewer things, even though the code might be more complex. Opinions?
(Maybe has some interaction with #189)
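
The two connection modes and the "option 2" defaults discussed in this issue, sketched with Python's standard `imaplib` as an added example. This is not the project's code: the function names, the constants and the `ssl_flag` parameter (standing in for the `ssl` setting) are assumptions for illustration.

```python
import imaplib
import ssl

IMPLICIT_TLS_PORT = 993  # TLS handshake first, IMAP only inside the tunnel
STARTTLS_PORT = 143      # IMAP greeting in cleartext, then upgrade via STARTTLS


def resolve_transport(ssl_flag=True, starttls=False, port=None):
    """Return (mode, port) under option 2: starttls overrides the ssl/993 defaults.

    An explicitly configured port is always kept; only the default changes.
    """
    if starttls:
        return "starttls", port if port is not None else STARTTLS_PORT
    if ssl_flag:
        return "implicit", port if port is not None else IMPLICIT_TLS_PORT
    return "plaintext", port if port is not None else STARTTLS_PORT


def connect(host, ssl_flag=True, starttls=False, port=None):
    """Open an IMAP connection without ever downgrading a requested TLS mode."""
    mode, port = resolve_transport(ssl_flag, starttls, port)
    context = ssl.create_default_context()  # verifies certificate and hostname
    if mode == "implicit":
        return imaplib.IMAP4_SSL(host, port, ssl_context=context)
    client = imaplib.IMAP4(host, port)
    if mode == "starttls":
        try:
            # Raises if the server does not advertise STARTTLS or the
            # handshake fails; both cases must stop the login.
            client.starttls(ssl_context=context)
        except Exception:
            client.shutdown()  # fail closed: no credentials over cleartext
            raise
    return client
```

The caller should only send `LOGIN` on the object returned by `connect()`; a STARTTLS capability that is missing or stripped in transit surfaces as an exception instead of a silent plaintext session.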