STARTTLS everywhere
Following on from their success with Let's Encrypt (and certbot), the Electronic Frontier Foundation have launched an initiative to get all mail servers using STARTTLS - if you don't know what it is or why it's important then I'd suggest you read their FAQ.
Go to the EFF website, read what this is about and check your server: https://starttls-everywhere.org/
If you don't currently have any valid certificates on your server (i.e. you're still using the self-signed certificates from Zimbra) then I'd suggest you also read the great thread and instructions from Jim Dunphy in this thread: viewtopic.php?f=15&t=60781 - make sure you follow that thread and implement valid certificates on your server.
- ccelis5215
- Outstanding Member
- Posts: 632
- Joined: Sat Sep 13, 2014 2:04 am
- Location: Caracas - Venezuela
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12
Re: STARTTLS everywhere
Hi Bill,
Thanks for the information.
Another excellent EFF initiative.
ccelis
Re: STARTTLS everywhere
Hi
You're welcome.
Hopefully it will gain some traction in these forums.
Re: STARTTLS everywhere
Yay, it's all green!
Just need to list my domain
Re: STARTTLS everywhere
Many thanks for your post
- Advanced member
- Posts: 133
- Joined: Sat Jul 19, 2014 7:07 am
- ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U
Re: STARTTLS everywhere
It would help if Zimbra included setup of that in the admin UI.
Re: STARTTLS everywhere
Too bad this forum doesn't have a "like" button.
Re: STARTTLS everywhere
Has anyone set up MTA-STS yet? It does seem like a bit of a chew!
Re: STARTTLS everywhere
Hi,
StartTLS is now deprecated, could you un-pin this post?
Regards
- Outstanding Member
- Posts: 265
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: STARTTLS everywhere
STARTTLS hasn't been deprecated at all for SMTP MX. On the contrary, it's being actively promoted by newer standards like MTA-STS, DANE, and TLS-RPT ...
STARTTLS has been deprecated (or at least "unfavoured") for other protocols like POP3, IMAP, and SMTP submission, by RFC 8314, which now prefers the "implicit TLS" ports 465, 993, 995 ... for those protocols.
So in summary:
* Inbound SMTP (MX) => port 25 + optional STARTTLS, + MTA-STS and/or DANE to advertise your STARTTLS requirement to senders
* End-user POP3/IMAP/SMTP-submission => ports 110 / 143 / 587 with STARTTLS are not recommended anymore, but keep them around for some time, with STARTTLS required (no plaintext auth!)
* End-user POP3/IMAP/SMTP-submission => ports 995 / 993 / 465 with implicit TLS nowadays preferred (again); this is what you should document towards your users
* Webmail => port 443 with HSTS (there has never been any STARTTLS for http), port 80 for redirect only (no plaintext webmail!)
Last edited by ghen on Fri Sep 02, 2022 10:18 am, edited 2 times in total.
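The summary above recommends MTA-STS and/or DANE to advertise an inbound STARTTLS requirement, and an earlier reply asked what setting up MTA-STS involves. The following is an added example (not code from the thread or from Zimbra) that parses the two pieces of an RFC 8461 deployment, the `_mta-sts` DNS TXT record and the `mta-sts.txt` policy file, rejects the configuration mistakes that silently leave a domain unprotected, and shows how a sending MTA would treat an MX host under the resulting policy. All hostnames, the policy id and the MX names are constructed sample data.

```python
"""Parse and sanity-check an MTA-STS deployment (RFC 8461): the DNS TXT
record that announces a policy, and the policy file itself, then decide
how a sending MTA treats an MX host under that policy.

Added example; the hostnames, policy id and MX names below are
constructed sample data, not values from the forum thread."""
from dataclasses import dataclass, field

MAX_AGE_LIMIT = 31_557_600  # RFC 8461 s3.2: max_age MUST NOT exceed this

# Constructed sample: what a resolver would return for the TXT record at
# _mta-sts.example.com. Changing the id is how a receiver tells senders
# that the policy file has changed and must be re-fetched.
SAMPLE_TXT = "v=STSv1; id=20220902101800Z;"

# Constructed sample: what https://mta-sts.example.com/.well-known/mta-sts.txt
# would serve. Lines end in CRLF (LF is also accepted by the RFC).
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.backup.example.com\r\n"
    "max_age: 604800\r\n"
)


def parse_sts_txt(record: str) -> dict:
    """Parse the _mta-sts TXT record into key/value pairs.

    Raises ValueError if the record is not a version-1 record or lacks an
    id: a receiver with a broken TXT record is not advertising MTA-STS."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field in TXT record: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record is not an STSv1 record")
    if not fields.get("id"):
        raise ValueError("TXT record is missing the policy id")
    return fields


@dataclass
class StsPolicy:
    mode: str
    max_age: int
    mx: list = field(default_factory=list)

    def covers(self, host: str) -> bool:
        """True if host matches one of the policy's mx patterns.

        A leading "*." matches exactly one leftmost label (RFC 8461 s4.1);
        any other pattern is an exact, case-insensitive match."""
        host = host.lower().rstrip(".")
        for pattern in self.mx:
            pattern = pattern.lower()
            if pattern.startswith("*."):
                suffix = pattern[1:]  # e.g. ".backup.example.com"
                if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                    return True
            elif host == pattern:
                return True
        return False


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the mta-sts.txt body, rejecting the mistakes that disable the
    protection: wrong version, unknown mode, missing or oversized max_age,
    or an enforce/testing policy that lists no MX hosts."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        fields.setdefault(key, []).append(value)
    if fields.get("version") != ["STSv1"]:
        raise ValueError("policy must have exactly one 'version: STSv1' line")
    mode = fields.get("mode", [None])[0]
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode: {mode!r}")
    max_age_raw = fields.get("max_age", [None])[0]
    if max_age_raw is None or not max_age_raw.isdigit():
        raise ValueError("max_age must be a non-negative integer")
    max_age = int(max_age_raw)
    if max_age > MAX_AGE_LIMIT:
        raise ValueError(f"max_age {max_age} exceeds {MAX_AGE_LIMIT}")
    mx = fields.get("mx", [])
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policy must list at least one mx")
    return StsPolicy(mode=mode, max_age=max_age, mx=mx)


def is_valid_policy(text: str) -> bool:
    """Convenience wrapper: True if the policy body parses cleanly."""
    try:
        parse_sts_policy(text)
        return True
    except ValueError:
        return False


def delivery_decision(policy: StsPolicy, mx_host: str) -> str:
    """How a sending MTA treats an MX host under this policy: 'deliver' if
    it is covered (or mode is none), otherwise 'defer' under enforce or
    'deliver-and-report' under testing (the report goes out via TLS-RPT)."""
    if policy.mode == "none" or policy.covers(mx_host):
        return "deliver"
    return "defer" if policy.mode == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    print(parse_sts_txt(SAMPLE_TXT))
    policy = parse_sts_policy(SAMPLE_POLICY)
    for host in ("mail.example.com", "mx1.backup.example.com", "rogue.example.org"):
        print(host, "->", delivery_decision(policy, host))
```

Note that MTA-STS only tells senders which MX names must present a valid certificate over STARTTLS; the certificate itself still has to be valid for the MX name, which is why the thread's advice to replace Zimbra's self-signed certificates comes first. Start in `mode: testing` with TLS-RPT configured, and move to `enforce` only once the reports show no failures.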