On 03/11/2013 05:27 AM, Eero Volotinen wrote:
> 2013/3/11 Robert Moskowitz <rgm at htt-consult.com>:
>> On 03/11/2013 05:08 AM, Eero Volotinen wrote:
>>>>> - Firewall and SELinux should be disabled.
>>>> Bad advice.
>>> this page also configures unsafe imap and pop settings. People should
>>> always enable only ssl-enabled versions of imap and pop only.
>>
>> Just don't open those ports. Then they only work locally. For imap, that
>> works well with the local imap webmail software.
>>
>> Why should a local squirrelmail or roundcube server have to go through SSL to
>> the local dovecot server?
> why not? it is always wise to use encrypted protocols, when possible.

If the system is so hacked that there is a risk of snooping on localhost, you have larger issues.

And I develop cryptographic protocols. Right now I am off to the IETF meeting. I understand what encrypted protocols give and what they don't.

In this case, the user is validating the webmail cert for their TLS connection to webmail. They don't even see the dovecot cert. Maybe it is the same cert or maybe not. But the point is it never gets to the user domain for validation.

Further, it may well be the case that webmail uses a single TLS channel to dovecot for all users? Would have to look into that.
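The "just don't open those ports" position in the message above only holds if the plaintext IMAP (143) and POP3 (110) listeners are actually bound to loopback and not to every interface. Below is an added check for that, written for this page rather than taken from the thread, from dovecot, or from any of the webmail projects: it parses `ss -tln` style listener output and reports any plaintext mail listener reachable from off-host. The sample `ss` output embedded in the block is constructed, not captured from a real server, and the port-to-service table assumes the IANA defaults.

```python
import ipaddress
import subprocess

# Plaintext (non-TLS) mail ports; the TLS variants (993/995) are fine to expose.
PLAINTEXT_MAIL_PORTS = {110: "pop3", 143: "imap"}

# Constructed sample of `ss -tln` output (not captured from a real host).
# Line 3 is the bad case: POP3 without TLS bound to all IPv4 interfaces.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:143        0.0.0.0:*
LISTEN  0       128     0.0.0.0:110          0.0.0.0:*
LISTEN  0       128     0.0.0.0:993          0.0.0.0:*
LISTEN  0       128     [::1]:143            [::]:*
LISTEN  0       128     [::]:995             [::]:*
"""


def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN row of `ss -tln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        local = fields[3]
        # rpartition handles "[::1]:143" as well as "127.0.0.1:143".
        addr, _, port = local.rpartition(":")
        yield addr.strip("[]"), int(port)


def is_loopback(addr):
    """True only if the bind address accepts local connections exclusively."""
    if addr in ("*", ""):
        return False  # wildcard bind, reachable from any interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable address: treat as exposed, never as safe


def exposed_plaintext_listeners(ss_output):
    """Return [(service, address, port)] for plaintext IMAP/POP3 listeners
    that are reachable from off-host, i.e. not bound to 127.0.0.1 / ::1."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in PLAINTEXT_MAIL_PORTS and not is_loopback(addr):
            findings.append((PLAINTEXT_MAIL_PORTS[port], addr, port))
    return findings


if __name__ == "__main__":
    # Run against the live host when invoked directly (requires iproute2 `ss`).
    live = subprocess.run(["ss", "-tln"], capture_output=True, text=True).stdout
    for service, addr, port in exposed_plaintext_listeners(live):
        print(f"plaintext {service} exposed on {addr}:{port}")
```

Run it on the mail host itself; an empty result means every plaintext IMAP/POP3 socket is loopback-only, so the only clients that can reach them are local processes such as the webmail frontend, which is the setup the message describes. A firewall rule can achieve the same effect, but a loopback-only bind does not depend on the firewall staying enabled.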