STARTTLS everywhere

Posted: Sat Jun 30, 2018 9:38 am
by phoenix
Following on from their success with Let's Encrypt (and certbot), the Electronic Frontier Foundation have launched an initiative to get all mail servers using STARTTLS - if you don't know what it is or why it's important then I'd suggest you read their FAQ.

Go to the EFF website, read what this is about and check your server: https://starttls-everywhere.org/

If you don't currently have any valid certificates on your server (i.e. you're still using the self-signed certificates from Zimbra) then I'd suggest you also read the great thread and instructions from Jim Dunphy in this thread: viewtopic.php?f=15&t=60781 - make sure you follow that thread and implement valid certificates on your server.

Re: STARTTLS everywhere

Posted: Sat Jun 30, 2018 11:39 am
by ccelis5215
Hi Bill,

Thanks for the information.

Another excellent EFF initiative.

ccelis

Re: STARTTLS everywhere

Posted: Sat Jun 30, 2018 11:42 am
by phoenix
Hi

You're welcome. :)

Hopefully it will gain some traction in these forums.

Re: STARTTLS everywhere

Posted: Thu Aug 02, 2018 3:58 pm
by FredKarno
Yay, it's all green!
Just need to list my domain :)

Re: STARTTLS everywhere

Posted: Tue Nov 13, 2018 9:39 am
by qmoataz
Many thanks for your post.

Re: STARTTLS everywhere

Posted: Thu Jan 31, 2019 3:46 pm
by mhammett
It would help if Zimbra included setup of that in the admin UI.

Re: STARTTLS everywhere

Posted: Sat Feb 02, 2019 4:03 am
by spoole
Too bad this forum doesn't have a "like" button. :)

Re: STARTTLS everywhere

Posted: Thu Jul 11, 2019 12:39 pm
by FredKarno
Has anyone set up MTA-STS yet? It does seem like a bit of a chew!

Re: STARTTLS everywhere

Posted: Fri Sep 02, 2022 9:03 am
by rokoyato
Hi,

StartTLS is now deprecated, could you un-pin this post?

Regards

Re: STARTTLS everywhere

Posted: Fri Sep 02, 2022 10:08 am
by ghen
STARTTLS hasn't been deprecated at all for SMTP MX. On the contrary, it's being actively promoted by newer standards like MTA-STS, DANE, and TLS-RPT ...

STARTTLS has been deprecated (or at least "unfavoured") for other protocols like POP3, IMAP, and SMTP submission, by RFC 8314, which now prefers the "implicit TLS" ports 465, 993, 995 ... for those protocols.

So in summary:

* Inbound SMTP (MX) => port 25 + optional STARTTLS, + MTA-STS and/or DANE to advertise your STARTTLS requirement to senders
* Enduser POP3/IMAP/SMTP-submission => ports 110 / 143 / 587 with STARTTLS are not recommended anymore, but keep them around for some time, with STARTTLS required (no plaintext auth!)
* Enduser POP3/IMAP/SMTP-submission => ports 995 / 993 / 465 with implicit TLS nowadays preferred (again), this is what you should document towards your users
* Webmail => port 443 with HSTS (there has never been any STARTTLS for http), port 80 for redirect only (no plaintext webmail!)