Do we need IMAP/TLS or POP/TLS?

When I started this mailing list, I knew that we would be talking about
SMTP over TLS and LDAP over TLS without having to use a second port for
each. Further, I assumed that we would also discuss doing similar work for
IMAP and POP over TLS.

However, in retrospect, it occurs to me that we might have good reason to
leave IMAP and POP over TLS on a separate port. The main reason we want a
single port for SMTP and LDAP is because clients do not necessarily have a
previous relationship with the servers, and thus won't know whether or not
to try the TLS port first if they want to do TLS.

IMAP and POP clients, however, by definition have a pre-existing
relationship with the server. That is, the server must know about them
before they attach, and therefore this prior knowledge can be used in
setting up the client.

The only exception I can think of is public, anonymous IMAP mailboxes. In
this case, however, you wouldn't be using TLS, since there is no
authentication and no need for privacy.

Thus, my current belief is that in situations where the client and server
have some prior knowledge of each other, having two ports is not bad. It
isn't good (we want to conserve ports), so new protocols should have both
their non-TLS and TLS done on one port if possible, but there doesn't seem
to be nearly as compelling a reason to create STARTTLS-like commands for
IMAP and POP as there is for SMTP and LDAP.

Does this jive with what others are thinking?

--Paul E. Hoffman, Director
--Internet Mail Consortium