nixcloud / nixcloud-webservices

This nixpkgs extension, called nixcloud-webservices, focuses on ease of deployment of web-related technologies.
https://nixcloud.io

STARTTLS encryption on managesieve cannot be enabled anymore #53

Open fgaz opened 5 years ago

fgaz commented 5 years ago

24101d6ab9c305d26562ffb16d36b7fd242bf690 (#45) enabled SSL by default on managesieve (port 4190), but as far as I understand no plaintext alternative port is provided, so STARTTLS is not possible.

Since the managesieve spec does not define a SSL port, some managesieve clients (claws mail and sieve-connect for example) only support STARTTLS, and have no way to connect to the nixcloud-webservices' managesieve server (unless encryption is disabled altogether with enableTLS = false;).

qknight commented 5 years ago

Probably everyone uses TLS by default, I'd imagine. What do you propose?

fgaz commented 5 years ago

Probably everyone uses TLS by default, I'd imagine.

I don't think so. For example, iRedMail seems to expose an unencrypted (well, until the client does a STARTTLS (and most clients enforce it)) managesieve:

https://docs.iredmail.org/network.ports.html

And so does mailinabox:

https://mailinabox.email/static/architecture.svg

Also every client I tried only supports STARTTLS, but I didn't try many. Do you use one that supports TLS?

Finally, the RFC only mentions STARTTLS (contrary to the SMTP and IMAP ones):

https://tools.ietf.org/html/rfc5804#section-2.2

what do you propose?

Maybe a managesieveEncryptionMethod flag that can be "STARTTLS" or "TLS" (or "none") and defaults to "STARTTLS". Two separate ports, like it's done for IMAP/SMTP, would also be OK, but the RFC does not specify a standard port for managesieve over TLS.
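To make the failure mode concrete, here is an added example (not code from nixcloud-webservices or from either commenter) of the plaintext-then-STARTTLS exchange from RFC 5804 section 2.2 that STARTTLS-only clients perform, run against a constructed mock server. The three mock behaviours, the capability greeting text and the probe result names are assumptions of this example. The "implicit-tls" behaviour mimics what a TLS-wrapped port 4190 looks like to such a client: the listener waits for a ClientHello and never sends the plaintext greeting, so the client stalls instead of negotiating STARTTLS.

```python
import re
import socket
import threading

# Constructed ManageSieve capability greetings (RFC 5804 section 1.7 layout), assumed
# for this example; a real server advertises its own IMPLEMENTATION and SIEVE values.
GREETING_WITH_STARTTLS = (
    b'"IMPLEMENTATION" "Example ManageSieve"\r\n'
    b'"SIEVE" "fileinto reject"\r\n'
    b'"STARTTLS"\r\n'
    b'"VERSION" "1.0"\r\n'
    b'OK "ready"\r\n'
)
GREETING_WITHOUT_STARTTLS = GREETING_WITH_STARTTLS.replace(b'"STARTTLS"\r\n', b"")

# A capability line is a quoted name, optionally followed by a quoted value.
CAP_LINE = re.compile(r'^"([^"]+)"(?:\s+"([^"]*)")?')


def _read_response(sock, timeout):
    """Collect capability lines until the server's OK/NO/BYE tagline.

    Returns (capabilities, tagline); (None, None) if the peer closed or stayed silent.
    """
    sock.settimeout(timeout)
    buf = b""
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            return None, None
        if not chunk:
            return None, None
        buf += chunk
        caps = {}
        # Re-parse the whole buffer each time so a line split across recv() calls is fine.
        for line in buf.decode("utf-8", "replace").split("\r\n"):
            if line.startswith(("OK", "NO", "BYE")):
                return caps, line
            m = CAP_LINE.match(line)
            if m:
                caps[m.group(1).upper()] = m.group(2) or ""


def probe_managesieve(host, port, timeout=2.0):
    """Open the port in plaintext, as a STARTTLS-only client does, and classify the result.

    "starttls": greeting advertised STARTTLS and the server accepted the command.
    "plaintext-only": greeting arrived but offered no STARTTLS (encryption disabled).
    "starttls-refused": STARTTLS was advertised but the command did not get an OK.
    "no-plaintext-greeting": nothing readable arrived before the timeout; this is what an
        implicit-TLS listener looks like to a client that expects to speak first in clear.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        caps, tag = _read_response(sock, timeout)
        if caps is None:
            return {"mode": "no-plaintext-greeting", "capabilities": {}}
        if not tag.startswith("OK"):
            return {"mode": "rejected", "capabilities": caps}
        if "STARTTLS" not in caps:
            return {"mode": "plaintext-only", "capabilities": caps}
        sock.sendall(b"STARTTLS\r\n")
        _, resp = _read_response(sock, timeout)
        if resp is None or not resp.startswith("OK"):
            return {"mode": "starttls-refused", "capabilities": caps}
        # A real client would now wrap `sock` with ssl.SSLContext.wrap_socket(...) and
        # re-read the capability list over TLS (RFC 5804 section 2.2). The mock server
        # below has no certificate, so the handshake itself is not performed here.
        return {"mode": "starttls", "capabilities": caps}


def start_mock_server(behaviour):
    """Constructed stand-in for port 4190; returns the ephemeral port it listens on.

    behaviour: "starttls", "plaintext-only" or "implicit-tls" (a listener that, like a
    TLS socket, sends nothing until the client sends a ClientHello).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            try:
                if behaviour == "implicit-tls":
                    conn.settimeout(10)
                    conn.recv(1)  # wait for a ClientHello the plaintext client never sends
                    return
                conn.sendall(GREETING_WITH_STARTTLS if behaviour == "starttls"
                             else GREETING_WITHOUT_STARTTLS)
                cmd = conn.recv(1024)
                if cmd.strip().upper() == b"STARTTLS" and behaviour == "starttls":
                    conn.sendall(b'OK "Begin TLS negotiation now."\r\n')
                elif cmd:
                    conn.sendall(b'NO "Unknown command."\r\n')
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for behaviour in ("starttls", "plaintext-only", "implicit-tls"):
        port = start_mock_server(behaviour)
        print(behaviour, "->", probe_managesieve("127.0.0.1", port, timeout=1.0))
```

The probe is also a quick way to check a deployed server: run it against the real host and port 4190, and "no-plaintext-greeting" means the port is wrapped in TLS and STARTTLS-only clients will not get past the connection step.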

qknight commented 5 years ago

With TLS I also meant STARTTLS, but now I notice the difference. Would you want to create a PR for this?

fgaz commented 5 years ago

Sure, just assign the issue to me so I don't forget it. I'm rather busy at the moment, so this will have to wait a bit.