This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.


SSL, TLS and STARTTLS confusion

SSL and TLS terms are often used in confusing ways:

Unfortunately there doesn't seem to be any clear and simple way to refer to these different meanings. SSL term is much more widely understood than TLS, so Dovecot configuration and this documentation only talks about SSL when in fact it means both SSL/TLS.

Originally SSL support was added to protocols by giving them a separate "SSL port" (imaps, pop3s, etc.), where the SSL handshake starts immediately when client connects, and only after the session is encrypted the regular protocol handling begins. Using two separate ports for plaintext and SSL connections was thought to be wasteful and adds complexity for clients which may wish to make use of SSL when it is advertised, so STARTTLS command was added and intended to deprecate the SSL ports. Clients using STARTTLS work by connecting to the regular unencrypted port and immediately issue a STARTTLS command, after which the session is encrypted. After SSL handshake there is no difference between SSL port initiated connections and STARTTLS initiated connections.

SSL port deprecation never really happened, probably because of a few reasons:

None: SSL (last edited 2017-06-28 08:06:58 by ptr-g0uqpbhk1u8g3cvufrm)