RFC 8314, published recently, recommends that mail servers use "implicit TLS" (automatic use of TLS on a dedicated TCP port) rather than "explicit TLS" (use of TLS triggered by STARTTLS or a similar command on an otherwise cleartext standard TCP port) on all user-facing services (mail submission with SMTP and mail retrieval with POP or IMAP).
My own server, mail.incenp.org, was configured to offer only explicit TLS both for submission (on TCP port 587) and for mail retrieval (on standard IMAP TCP port 143). I describe here how to transition to the implicit TLS situation recommended by RFC 8314.
In addition to the obvious changes that need to be made to the configuration of the SMTP and IMAP servers (Postfix and Dovecot, respectively), there are several other things to update:

- the names _imaps.incenp.org and _submissions.incenp.org;
- the SRV records _imaps._tcp.incenp.org and _submissions._tcp.incenp.org, and the TLSA records for _465._tcp.mail.incenp.org and _993._tcp.mail.incenp.org.

I suggest the following order:
The server is now in a "transitional state", in which it offers both implicit TLS on ports 465 and 993, and explicit TLS on ports 587 and 143. To reach the final state recommended by RFC 8314, in which only implicit TLS is offered:
the SRV records _imap._tcp.incenp.org and _submission._tcp.incenp.org.
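To make the DNS side of the transitional state concrete, here is an added example (not code from the original post, nor from Postfix or Dovecot) in Go that renders the SRV records for _submissions._tcp.incenp.org and _imaps._tcp.incenp.org and the TLSA records for _465._tcp.mail.incenp.org and _993._tcp.mail.incenp.org from a certificate. The certificate is a throwaway self-signed one generated inside the program so that it runs offline; the SRV priority and weight (0 1) and the TLSA parameters (usage 3, selector 1, matching type 1, i.e. SHA-256 of the SubjectPublicKeyInfo) are my choices, not values taken from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA parameters chosen for a server's own end-entity certificate:
// usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256).
// These are assumptions of this example, not values given in the post.
const (
	tlsaUsage    = 3
	tlsaSelector = 1
	tlsaMatching = 1
)

// spkiSHA256 returns the hex SHA-256 digest of the certificate's DER-encoded
// SubjectPublicKeyInfo, which is the association data for selector 1 / matching 1.
// Because it binds the key rather than the whole certificate, the record survives
// certificate renewals that keep the same key pair.
func spkiSHA256(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// tlsaOwner builds the owner name of a TLSA record for a TCP port on host,
// e.g. _465._tcp.mail.incenp.org.
func tlsaOwner(port int, host string) string {
	return fmt.Sprintf("_%d._tcp.%s.", port, host)
}

// tlsaRecord renders one zone-file line: a "3 1 1" TLSA record for host:port.
func tlsaRecord(cert *x509.Certificate, port int, host string) string {
	return fmt.Sprintf("%s IN TLSA %d %d %d %s",
		tlsaOwner(port, host), tlsaUsage, tlsaSelector, tlsaMatching, spkiSHA256(cert))
}

// srvRecord renders an RFC 6186 / RFC 8314 SRV record that tells mail clients
// which host and port serve the given service for the domain, e.g.
// _submissions._tcp.incenp.org. IN SRV 0 1 465 mail.incenp.org.
func srvRecord(service, domain string, port int, target string) string {
	return fmt.Sprintf("_%s._tcp.%s. IN SRV 0 1 %d %s.", service, domain, port, target)
}

// selfSignedCert creates a throwaway certificate so the example runs offline.
// A real deployment would load the server's actual certificate instead.
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// implicitTLSZone lists the records to publish for the transitional state:
// SRV records advertising the implicit-TLS services, and TLSA records for the
// two new ports. The explicit-TLS SRV records (_submission, _imap) are left in
// place until the final state, so they are deliberately not emitted here.
func implicitTLSZone(cert *x509.Certificate, domain, mailHost string) []string {
	return []string{
		srvRecord("submissions", domain, 465, mailHost),
		srvRecord("imaps", domain, 993, mailHost),
		tlsaRecord(cert, 465, mailHost),
		tlsaRecord(cert, 993, mailHost),
	}
}

func main() {
	cert, err := selfSignedCert("mail.incenp.org")
	if err != nil {
		panic(err)
	}
	for _, rr := range implicitTLSZone(cert, "incenp.org", "mail.incenp.org") {
		fmt.Println(rr)
	}
}
```

To use this against the real server, replace selfSignedCert with code that loads the server's PEM certificate. Two caveats worth keeping in mind: TLSA records only protect clients when the zone is DNSSEC-signed, since an unsigned TLSA record can be stripped or forged in transit; and a "3 1 1" record must be republished before any key rotation, otherwise DANE-validating clients will reject the new key. Once the records are live, the transitional state can be checked from a client machine with openssl s_client: connecting to port 465 or 993 should negotiate TLS immediately, whereas ports 587 and 143 still require the -starttls smtp or -starttls imap option.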