STARTTLS everywhere

phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

STARTTLS everywhere

Post by phoenix »

Following on from their success with Let's Encrypt (and certbot), the Electronic Frontier Foundation have launched an initiative to get all mail servers using STARTTLS - if you don't know what it is or why it's important then I'd suggest you read their FAQ.

Go to the EFF website, read what this is about and check your server: https://starttls-everywhere.org/

If you don't currently have any valid certificates on your server (i.e. you're still using the self-signed certificates from Zimbra) then I'd suggest you also read the great thread and instructions from Jim Dunphy in this thread: viewtopic.php?f=15&t=60781 - make sure you follow that thread and implement valid certificates on your server.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Re: STARTTLS everywhere

Post by ccelis5215 »

Hi Bill,

Thanks for the information.

Another excellent EFF initiative.

ccelis
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: STARTTLS everywhere

Post by phoenix »

Hi

You're welcome. :)

Hopefully it will gain some traction in these forums.
Regards

Bill
FredKarno
Posts: 49
Joined: Sat Oct 10, 2015 5:40 am

Re: STARTTLS everywhere

Post by FredKarno »

Yay, it's all green!
Just need to list my domain :)
qmoataz
Posts: 10
Joined: Mon Nov 12, 2018 6:56 am

Re: STARTTLS everywhere

Post by qmoataz »

Many thanks for your post.
mhammett
Advanced member
Posts: 133
Joined: Sat Jul 19, 2014 7:07 am
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U

Re: STARTTLS everywhere

Post by mhammett »

It would help if Zimbra included setup of that in the admin UI.
spoole
Posts: 20
Joined: Sat Sep 13, 2014 3:22 am

Re: STARTTLS everywhere

Post by spoole »

Too bad this forum doesn't have a "like" button. :)
FredKarno
Posts: 49
Joined: Sat Oct 10, 2015 5:40 am

Re: STARTTLS everywhere

Post by FredKarno »

Has anyone set up MTA-STS yet? It does seem like a bit of a chew!
rokoyato
Advanced member
Posts: 86
Joined: Mon Jun 29, 2020 9:12 am

Re: STARTTLS everywhere

Post by rokoyato »

Hi,

STARTTLS is now deprecated, could you un-pin this post?

Regards
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: STARTTLS everywhere

Post by ghen »

STARTTLS hasn't been deprecated at all for SMTP MX. On the contrary, it's being actively promoted by newer standards like MTA-STS, DANE, and TLS-RPT ...

STARTTLS has been deprecated (or at least "unfavoured") for other protocols like POP3, IMAP, and SMTP submission, by RFC 8314, which now prefers the "implicit TLS" ports 465, 993, 995 ... for those protocols.

So in summary:

* Inbound SMTP (MX) => port 25 + optional STARTTLS, + MTA-STS and/or DANE to advertise your STARTTLS requirement to senders
* End-user POP3/IMAP/SMTP submission => ports 110 / 143 / 587 with STARTTLS are not recommended anymore, but keep them around for some time, with STARTTLS required (no plaintext auth!)
* End-user POP3/IMAP/SMTP submission => ports 995 / 993 / 465 with implicit TLS nowadays preferred (again), this is what you should document towards your users
* Webmail => port 443 with HSTS (there has never been any STARTTLS for HTTP), port 80 for redirect only (no plaintext webmail!)
Last edited by ghen on Fri Sep 02, 2022 10:18 am, edited 2 times in total.
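As an added worked example (not code from any poster in this thread, nor from Zimbra or the EFF project), the script below shows what a sending MTA actually does with the pieces ghen lists for inbound port 25 and what FredKarno asked about when setting up MTA-STS: it parses a `_mta-sts` DNS TXT record and an `mta-sts.txt` policy as defined in RFC 8461, checks whether a receiving MX hostname is covered by the policy's `mx:` patterns (including the one-label wildcard rule), parses a multi-line EHLO reply to see whether `STARTTLS` was advertised, and then decides whether delivery may proceed under `enforce` versus `testing` mode. All records, hostnames (`example.com`, `example.net`) and EHLO replies are constructed inline so it runs offline; the failure labels in `evaluate_delivery` are the script's own illustrative names, and only `starttls-not-supported` and `certificate-not-trusted` coincide with TLS-RPT (RFC 8460) result types.

```python
"""Offline walk-through of an MTA-STS policy check for an SMTP MX (RFC 8461).

Everything below is constructed sample data, not records from a real domain.
"""
from dataclasses import dataclass

# Constructed sample DNS TXT record at _mta-sts.example.com
STS_TXT = "v=STSv1; id=20220902101800Z;"

# Constructed sample policy body served at https://mta-sts.example.com/.well-known/mta-sts.txt
STS_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.net
max_age: 604800
"""

# Constructed EHLO replies: one MX advertises STARTTLS, the other is plaintext-only.
EHLO_RESPONSE_GOOD = "250-mail.example.com\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_RESPONSE_PLAIN = "250-mail.example.com\r\n250 8BITMIME\r\n"


def ehlo_offers_starttls(ehlo_response: str) -> bool:
    """Return True if a 250 EHLO reply lists the STARTTLS extension keyword."""
    for line in ehlo_response.splitlines():
        if not line.startswith("250"):
            continue
        # "250-STARTTLS" or "250 STARTTLS": strip the code and separator, take the keyword
        keyword = line[4:].strip().split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def parse_sts_txt(txt: str) -> dict:
    """Parse the _mta-sts TXT record; the id changes whenever the policy changes."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("not a valid _mta-sts TXT record")
    return fields


@dataclass
class StsPolicy:
    mode: str       # "enforce", "testing" or "none"
    mx: list        # MX hostname patterns, lower-cased
    max_age: int    # seconds a sender may cache the policy


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse an mta-sts.txt body; unknown keys are ignored for forward compatibility."""
    version = mode = max_age = None
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1":
        raise ValueError("unsupported or missing policy version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode {mode!r}")
    if max_age is None:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        raise ValueError("at least one mx entry is required unless mode is none")
    return StsPolicy(mode, mx, max_age)


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 s4.1: a leading '*' matches exactly one leftmost label, nothing more."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".mx.example.net"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]        # must be one non-empty label
        return bool(leftmost) and "." not in leftmost
    return hostname == pattern


def evaluate_delivery(policy: StsPolicy, mx_host: str, ehlo_response: str, cert_valid: bool):
    """Decide whether a sender may hand mail to mx_host and which failures it would report."""
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        problems.append("mx-not-in-policy")         # script's own label
    if not ehlo_offers_starttls(ehlo_response):
        problems.append("starttls-not-supported")   # TLS-RPT result type
    elif not cert_valid:
        problems.append("certificate-not-trusted")  # TLS-RPT result type
    # enforce: refuse on any failure; testing/none: deliver anyway, but report the failures
    if policy.mode == "enforce" and problems:
        return ("refuse", problems)
    return ("deliver", problems)


if __name__ == "__main__":
    policy = parse_sts_policy(STS_POLICY)
    print(parse_sts_txt(STS_TXT), policy)
    print(evaluate_delivery(policy, "mail.example.com", EHLO_RESPONSE_GOOD, True))
    print(evaluate_delivery(policy, "mail.example.com", EHLO_RESPONSE_PLAIN, True))
```

The practical lesson for a Zimbra admin publishing MTA-STS is visible in `evaluate_delivery`: start in `mode: testing` together with a TLS-RPT record so senders tell you about failures, and only switch to `enforce` once every MX in your policy advertises STARTTLS with a certificate that chains to a public CA, because in `enforce` mode a missing STARTTLS or an untrusted (e.g. self-signed) certificate means senders refuse to deliver at all.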