+1 vote

Hi Limilabs,

I'm really happy with your mail library, especially the IMAP client.

I have a question regarding this example from
https://www.limilabs.com/blog/use-tls12-with-imap

using (Imap imap = new Imap())
{
    imap.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;

    imap.Connect("imap.example.com");
    imap.StartTLS();

    imap.UseBestLogin("user@example.com", "password");

    // ...

    imap.Close();
}

I want to understand this pattern a bit better:

imap.Connect("imap.example.com");
imap.StartTLS();

First you connect to the server and then you initiate a TLS connection. Am I correct in assuming that imap.StartTLS() either succeeds in establishing a secure TLS connection or it fails and throws an exception?

If that's the case I guess this would be an effective guard against man-in-the-middle attacks, with the downside being that you can't connect to a server not supporting StartTLS, is that correct?

Thanks in advance.

Best regards,
Eirik


1 Answer

0 votes
 
Best answer

First you connect to the server and then you initiate a TLS connection.
Correct.

Here's the sample for SMTP, the idea for IMAP is exactly the same:

Connecting to 'localhost:2525', SSL/TLS: False.
S: 220 ESMTP server ready
C: ...
S: ...
S: 250 STARTTLS
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
<here TLS/SSL negotiation happens, traffic below this line is encrypted>
C: ...

Am I correct in assuming that imap.StartTLS() either succeeds in establishing a secure TLS connection or it fails and throws an exception?

Correct.

If that's the case I guess this would be an effective guard against man-in-the-middle attacks,

Correct, as the server must present a valid certificate.

with the downside being that you can't connect to a server not supporting StartTLS, is that correct?

You can check if the server supports the STARTTLS command before issuing StartTLS:

bool supportsStartTLS = imap.SupportedExtensions()
                .Contains(ImapExtension.StartTLS);

if (supportsStartTLS)
    imap.StartTLS();
by (301k points)
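
An added example, not part of the original question or answer and not Limilabs' own code: a fail-closed variant of the capability check, for clients that must never send credentials over an unencrypted connection. The capability list is read before TLS is negotiated, so it is not yet authenticated, and a missing STARTTLS entry is treated here as an error rather than a reason to skip encryption. It uses only the Mail.dll calls shown on this page; the `Limilabs.Client.IMAP` import, the helper name `ConnectRequireStartTls` and the choice of exception type are assumptions of this example.

```csharp
using System;
using System.Security.Authentication;
using Limilabs.Client.IMAP; // Mail.dll IMAP namespace (assumed; not shown on the page)

static class ImapTlsPolicy
{
    // Hypothetical helper: returns a connection that has completed STARTTLS,
    // or throws before any credentials are sent.
    public static Imap ConnectRequireStartTls(string host)
    {
        Imap imap = new Imap();
        try
        {
            imap.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;
            imap.Connect(host); // plaintext at this point

            // Capabilities arrive in cleartext, before the server has proven
            // its identity. Do not continue unencrypted if STARTTLS is absent.
            bool supportsStartTLS = imap.SupportedExtensions()
                .Contains(ImapExtension.StartTLS);
            if (!supportsStartTLS)
                throw new InvalidOperationException(
                    host + " did not advertise STARTTLS; refusing to log in over plaintext.");

            // Per the answer above: either TLS is established (the server
            // presented a valid certificate) or this call throws.
            imap.StartTLS();
            return imap;
        }
        catch
        {
            // Release the socket on any failure, then rethrow to the caller.
            ((IDisposable)imap).Dispose();
            throw;
        }
    }

    static void Main()
    {
        using (Imap imap = ConnectRequireStartTls("imap.example.com"))
        {
            imap.UseBestLogin("user@example.com", "password");
            // ...
            imap.Close();
        }
    }
}
```

With this helper, `UseBestLogin` is only reachable on a connection where `StartTLS()` has returned successfully.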