ssl/tls and starttls [50%]


Poll: Do you need this feature? Yes: 151 (100%), No: 0. Total votes: 151

vmgracia
New user
Posts: 3
Joined: 2009-06-26 10:48

ssl/tls and starttls [50%]

Post by vmgracia » 2009-06-27 13:04

I'm very interested to know if some implementation of SSL/TLS and STARTTLS, at least over SMTP, is included on the development roadmap.

martin
Developer
Posts: 6835
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: ssl/tls and starttls

Post by martin » 2009-06-27 17:00


vmgracia
New user
Posts: 3
Joined: 2009-06-26 10:48

Re: ssl/tls and starttls

Post by vmgracia » 2009-06-28 11:54

Following the instructions of the 'feature implementation rules' page I have consulted the 'vote resulting page' and I have not found any mention of an SSL/TLS implementation request.
I'm not sure if it is necessary to create a new topic requesting this new option or if this one would be OK?
Anyway, I would like to know if this feature is planned to be implemented in the short / medium term or is not yet considered.

cheers

mattg
Moderator
Posts: 19883
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: ssl/tls and starttls

Post by mattg » 2009-06-28 15:53

This one would be OK. Add a poll at the top.

Features aren't implemented typically until their associated request gets to the top of that list. So, I'd guess no time soon.

You know SSL is included from Ver5 right? Just no mention yet of TLS
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

vmgracia
New user
Posts: 3
Joined: 2009-06-26 10:48

Re: ssl/tls and starttls

Post by vmgracia » 2009-06-28 18:42

mattg wrote:This one would be OK. Add a poll at the top.
How am I able to add a poll at the top?
mattg wrote:You know SSL is included from Ver5 right? Just no mention yet of TLS.
I know SSL is available but I'm requesting different functions (SSL/TLS and STARTTLS). Sometimes it is very useful to have the possibility to create an SMTP SSL session using port 25 and the STARTTLS command (normally it is a server-to-server communication) while SMTP port 25 still works without forcing SSL connections (client-to-server), and at this moment this feature is not available within Ver5. This also applies to POP3 and IMAP4, but normally this communication is only client-to-server and the use of two different ports (one for SSL and another for non-SSL) would be good enough.

rockandroller
New user
Posts: 1
Joined: 2009-11-25 10:32

Re: ssl/tls and starttls

Post by rockandroller » 2009-11-25 10:54

I'd really like to see TLS authentication for SMTP. :D

I'm in an 'internet hellhole' (Moscow!) and it's very hard to get emails out (many email servers around the globe reject mail coming from Moscow subnets due to "bad reputation").

"RECEIVED: 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."

I've tried several Moscow ISPs and all of them are too lazy to get themselves un-blacklisted. The largest provider in town has its main SMTP server MISCONFIGURED (wrong HELO machine name!) and after a week of talking to top managers asking them to take the 30 seconds required to fix it, it was still fruitless.

I do manage to send personal emails via GMAIL SMTP with my local copy of Thunderbird but it needs TLS authentication. (supported by Thunderbird, thankfully!)

If hMailServer would add TLS authentication then I could use a local copy of it to do sendmail (relayed through GMAIL SMTP) from my local development webserver... (this would be very helpful for development work)

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: ssl/tls and starttls

Post by ^DooM^ » 2009-11-25 11:02

You can relay through Gmail using SSL; you do not need TLS, and as it is local to you, you can just connect normally. I agree it would be cool to have, but in your case it is not needed to do what you want.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2009-11-25 18:20

rockandroller wrote:I do manage to send personal emails via GMAIL SMTP with my local copy of Thunderbird but it needs TLS authentication. (supported by Thunderbird, thankfully!)
Don't confuse TLS with StartTLS. In Thunderbird v2 StartTLS is called TLS and TLS connections are called SSL. Thunderbird v3 fixed it.

Gmail does not require StartTLS support. They also support SMTP-over-SSL and most of "SSL" servers you connect to are actually TLSv1 servers.

Gmail officially supported SMTP-over-SSL even before opening the MSA port. If you use smtp.gmail.com on port 587, you might need STARTTLS support, because if I remember correctly the MSA RFC requires it. If you use smtp.gmail.com on port 465, you don't need STARTTLS, because using STARTTLS on a connection already encrypted with TLS is stupid and against the STARTTLS RFC.

tadpole
New user
Posts: 3
Joined: 2010-04-20 13:29

Re: ssl/tls and starttls

Post by tadpole » 2010-05-07 19:55

Support for Explicit SSL SMTP - moved from development thread

Background/recap:
- Explicit SSL SMTP: uses two ports, 25(fixed) to start connection then switches(via STARTTLS) to submission port 587(variable) for SSL encrypted channel communication (Reg: RFC 3207)
- Implicit SSL SMTP: uses one port (default 587) for all communication – for both auth and data transfer.

Restrictions/Limitations:
Explicit SSL is unfortunately the only type supported by .NET framework System.Net.Mail assembly. (historical note: asp V1 supported an unstable system.web.mail assembly that handled both Implicit & Explicit SSL).

Prior key discussions hMailServer:
2007-5-20 Martin
That would require explicit SSL support which I hopefully will be able to add without too much work either. If you configure a specific port to use SSL, any client connecting to this port must use SSL as it works now.

Questions:
1) Any progress/issues related to this feature, will it be released this year (2010)?
2) Is there a possible workaround/vbscript etc that might fill the gap and allow support for Implicit SSL?

For what it’s worth, I think this issue may become more prevalent as the SaaS/Cloud model gains traction as Explicit SSL is following strict compliance to reg standards.

Related Threads
1) Link1
2) Link2
3) Link3

Related Regulations:
1) RFC 3207

atsak
Normal user
Posts: 35
Joined: 2005-05-03 20:38

Re: ssl/tls and starttls

Post by atsak » 2010-06-17 21:41

Pardon my ignorance, but I can't clearly see if STARTTLS (during the SMTP port 25 conversation) is supported yet. I have a client that must have it, so I need to know if I can make it work or if I need to use a Windows SMTP service that forwards to the hMailServer engine to accommodate the STARTTLS requirement.

Thanks.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2010-06-17 22:40

atsak wrote:Pardon my ignorance, but I can't clearly see if STARTTLS (during the SMTP port 25 conversation) is supported yet. I have a client that must have it, so I need to know if I can make it work or if I need to use a Windows SMTP service that forwards to the hMailServer engine to accommodate the STARTTLS requirement.

Thanks.
StartTLS extension is not supported in current stable hMailServer version.

kmwade
New user
Posts: 15
Joined: 2007-07-06 00:21

Re: ssl/tls and starttls

Post by kmwade » 2010-08-13 18:11

Implicit TLS/SSL has worked fine for local user connections. Opportunistic TLS is necessary for server-to-server communication. For a while this was only necessary for banks and so forth, but it has begun to hit smaller folks like independent insurance agents. All of the commercial servers support this now, and many of them do not support implicit SSL (e.g. port 465). The great thing about it is that you can use it if it's available:
1. Connect to port 25 and send EHLO.
2. Examine reply to see if STARTTLS is supported.
3. If it is, execute STARTTLS command. Connection then switches to TLS secured. No need to try a connection to another port first.

I already have one small customer who is required to move to this for a vendor, or relegate all communications with that vendor to post, phone, or fax. This means we will need to move from hMS to Exchange. :( For the record, I use hMS because it is better than Exchange for small businesses, not just because it is free.

atsak
Normal user
Posts: 35
Joined: 2005-05-03 20:38

Re: ssl/tls and starttls

Post by atsak » 2010-08-13 18:34

It is necessary these days for lots of customers. So I would suggest, if I may be so bold, that it should make its way up the development list.

I've unfortunately migrated off hmailserver for the time being due to this requirement. It's a shame because it's otherwise exactly what I need.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2010-08-13 20:18

atsak wrote:It is necessary these days for lots of customers.
SMTP/IMAP4/POP3 over SSL work for customers too. In server-to-server communications StartTLS is totally useless. An attacker can put in a proxy which filters StartTLS, and incoming servers will revert to plain SMTP/POP3/IMAP4. If you want to secure your emails, it is not done with StartTLS.

DeusRus
New user
Posts: 1
Joined: 2010-05-26 10:34

Re: ssl/tls and starttls

Post by DeusRus » 2010-09-08 09:34

I too will refuse to use hMailServer if StartTLS doesn't appear. It is a pity. :(

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2010-09-08 10:06

DeusRus wrote:I too will refuse to use hMailServer if StartTLS doesn't appear. It is a pity. :(
Please name StartTLS features that can't be replaced with TLS.

Encryption does not improve email security. You need PGP or SMIME for that.

Starting TLS on a plain text connection does not improve server-to-server communication security. Servers can't require StartTLS on all SMTP connections and can't require signed certs on all connections. If a feature is not required, a cracker can bypass it.

Email clients don't care if they have to use TLS or StartTLS. Only ports are different and some email programs switch ports to correct values, if user changes from plain text to SSL.

pepsi
Senior user
Posts: 419
Joined: 2008-08-21 20:58
Location: Netherlands

Re: ssl/tls and starttls

Post by pepsi » 2010-09-10 16:38

More and more mail servers drop the connection if STARTTLS is not supported.
I hope that HMS will have this feature in the near future.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2010-09-10 18:05

pepsi wrote:More and more mail servers drop the connection if STARTTLS is not supported.
I hope that HMS will have this feature in the near future.
Can you prove it? Which SMTP servers require StartTLS on default SMTP port in default configuration?

pepsi
Senior user
Posts: 419
Joined: 2008-08-21 20:58
Location: Netherlands

Re: ssl/tls and starttls

Post by pepsi » 2010-09-13 11:35

Most banks in the Netherlands.
They drop the connection if data communication between servers is encrypted. Or even if STARTTLS is used but with a weak cipher, the connection is also dropped.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2010-09-13 12:05

pepsi wrote:Most banks in the Netherlands.
dnb.nl, amro.nl, asnbank.nl - primary MX accepted RCPT TO: and MAIL FROM: without StartTLS. StartTLS is declared.
fortisbank.nl - primary MX is firewalled or dead; secondary MX does not have StartTLS support.
If StartTLS is required, they should not accept any commands except EHLO/HELO before the connection is secured.

Maybe I am looking at the wrong banks, but none of the four fits the definition of "most". StartTLS does not increase the security of server-to-server communications. It does not protect against MITM attacks unless servers start requiring signed certificates. Anyone who does not (or would never) use a self-signed certificate somewhere, raise your hand. Any server admin requiring StartTLS on the standard MX SMTP port should learn more about security and email servers.
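A server-side model of the check dzekas applied to the bank MX hosts above, as an added example that is not hMailServer, ASSP or any bank's code: an MX that advertises STARTTLS but still answers MAIL FROM / RCPT TO with 250 on the plaintext layer is not requiring it; one that does require it answers 530 to envelope commands until TLS is active and drops the STARTTLS advertisement after the handshake (RFC 3207 section 4). The session class, host name, reply texts and command lists are constructed for this example.

```python
# Added example: a model of RFC 3207 server-side STARTTLS policy, used to show
# the difference between "advertises STARTTLS" and "requires STARTTLS".
# Not code from hMailServer, ASSP or any server named in the thread.
from dataclasses import dataclass, field


@dataclass
class SmtpSession:
    """One SMTP connection's STARTTLS state, tracked per RFC 3207 rules."""
    require_tls: bool                 # local policy: refuse envelope commands before TLS
    tls_active: bool = False
    greeted: bool = False             # EHLO/HELO seen on the current (plain or TLS) layer
    transcript: list = field(default_factory=list)

    def handle(self, line: str) -> str:
        verb, _, _arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            if verb == "HELO":
                reply = "250 mx.example.test"
            else:
                lines = ["250-mx.example.test"]
                if not self.tls_active:
                    lines.append("250-STARTTLS")   # advertised only on the plaintext layer (RFC 3207 4.2)
                lines.append("250 SIZE 10485760")
                reply = "\r\n".join(lines)
        elif verb == "STARTTLS":
            if self.tls_active or not self.greeted:
                reply = "503 Bad sequence of commands"   # no nested STARTTLS, and EHLO first
            else:
                reply = "220 Ready to start TLS"
                self.tls_active = True
                self.greeted = False                     # both sides discard prior state; client re-EHLOs
        elif verb in ("MAIL", "RCPT", "DATA", "AUTH"):
            if self.require_tls and not self.tls_active:
                reply = "530 Must issue a STARTTLS command first"   # the RFC 3207 section 4 reply
            elif not self.greeted:
                reply = "503 Bad sequence of commands"
            elif verb == "DATA":
                reply = "354 End data with <CR><LF>.<CR><LF>"
            else:
                reply = "250 OK"
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "500 Unrecognized command"
        self.transcript.append((line.strip(), reply))
        return reply


def run(session: SmtpSession, commands) -> list:
    """Feed commands in order and return the three-digit code of each reply."""
    return [session.handle(c)[:3] for c in commands]


def accepts_envelope_in_clear(session: SmtpSession) -> bool:
    """The probe from the post above: EHLO, then MAIL FROM on the plaintext layer.
    True means the server talks envelope without TLS, whatever it advertises."""
    codes = run(session, ["EHLO probe.example.test", "MAIL FROM:<probe@example.test>"])
    return codes == ["250", "250"]


if __name__ == "__main__":
    for policy in (False, True):
        print("require_tls=%s -> accepts envelope in clear: %s"
              % (policy, accepts_envelope_in_clear(SmtpSession(require_tls=policy))))
```

With `require_tls=False` the session advertises `250-STARTTLS` yet accepts `MAIL FROM` in the clear, which is exactly the state dzekas observed on the primary MX hosts; with `require_tls=True` the same probe gets `530` until the client has issued `STARTTLS` and a fresh `EHLO`.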

pepsi
Senior user
Posts: 419
Joined: 2008-08-21 20:58
Location: Netherlands

Re: ssl/tls and starttls

Post by pepsi » 2010-09-13 13:59

dzekas wrote: Any server admin requiring StartTLS on standard MX SMTP port should learn more about security and email servers.
It is not the admins but the security officers who are requiring that only STARTTLS is allowed.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2010-09-13 14:05

pepsi wrote:
dzekas wrote: Any server admin requiring StartTLS on standard MX SMTP port should learn more about security and email servers.
It is not the admins but the security officers who are requiring that only STARTTLS is allowed.
You missed quotes in "security officers". I am not a security expert, but I can tell that such security is useless.

ldsandon
New user
Posts: 21
Joined: 2006-04-03 11:24

Re: ssl/tls and starttls

Post by ldsandon » 2010-10-07 00:07

Yes, almost any security is useless because you can devise an attack against it. The problem is how easy it is to perform that attack. STARTTLS is surely not the best protection method, but it is far better than sending mail (and passwords) in cleartext - although you can't rely only on it if you need full end-to-end protection.
Why support plain SSL then? If you can proxy a mail server, you can probably fake its certificates as well and hijack the session, especially if the server uses self-signed certificates instead of "real" ones. Drop SSL support, then, please :D
There is also the issue of what ports are allowed on the firewalls you have to cross. I am using hMailServer on a rented virtual server for my personal mail. The provider only opens standard ports (25/110/143) and not the SSL ones. I asked them if it was possible to have them opened, and the answer was "no, use standard ports and STARTTLS, that's the only configuration we support on virtual servers".
If STARTTLS support is not in current plans it's OK, but don't say it is "useless". Nondum matura est? (Not yet ripe?)

yon
Normal user
Posts: 129
Joined: 2009-11-06 10:44

Re: ssl/tls and starttls

Post by yon » 2011-03-26 23:38

Is there any easy way to create SSL? Like Alt-N MDaemon, which creates it easily.
IPv6 Email Public Service www.ipv6china.com World's first

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2011-03-26 23:52

yon wrote:Is there any easy way to create SSL? Like Alt-N MDaemon, which creates it easily.
You can use SMTP-over-SSL, POPS or IMAPS to secure user passwords.

atsak
Normal user
Posts: 35
Joined: 2005-05-03 20:38

Re: ssl/tls and starttls

Post by atsak » 2011-03-27 00:01

Still need starttls; unfortunate to have to stick an IIS SMTP server in between.

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2011-10-29 19:03

Are any email clients defaulting to StartTLS enabled yet? I do know Apple people have the hardest time getting set up for email here due to default settings, but I'm not sure if StartTLS is one of them, although I do believe 'secured' or such is. Anyway, since I don't try/use every email client in the world, I was curious:
* Which email clients can use StartTLS
* If any default to it being enabled
Thx
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2011-10-29 19:05

Bill48105 wrote:Are any email clients defaulting to StartTLS enabled yet?
Thunderbird v.2.0 defaulted to "use if possible", if I remember correctly.
Bat! - starttls and tls. defaults to plain
Columba - optional. not enabled by default and called ..... TLS.
Some webmails can use starttls.

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2011-10-29 20:15

dzekas wrote:
Bill48105 wrote:Are any email clients defaulting to StartTLS enabled yet?
Thunderbird v.2.0 defaulted to "use if possible", if I remember correctly.
Bat! - starttls and tls. defaults to plain
Columba - optional. not enabled by default and called ..... TLS.
Some webmails can use starttls.
Thanks dzekas!

Personal feelings on usefulness (or how much security it may or may not add) of it aside, I'm thinking between # of votes for it & email client support (in particular if/when email clients are defaulting to enabled or testing for it) then this feature needs to be looked at more seriously. I had spent some time looking at the 5.4 source to see how hard it'd be to add & from what I can tell it'd be a major undertaking but I need to better understand how StartTLS works before I could say for sure. Either way I think this is in top 5 or so of my to-do wish list even if I'm not sure I have a single user who'd use it, seems others do.
Bill

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2011-10-29 22:14

Bill48105 wrote:I had spent some time looking at the 5.4 source to see how hard it'd be to add & from what I can tell it'd be a major undertaking but I need to better understand how StartTLS works before I could say for sure. Either way I think this is in top 5 or so of my to-do wish list even if I'm not sure I have a single user who'd use it, seems others do.
Bill
The main problem is understanding how to turn on encryption on an open socket in the programming language used. The rest is in RFCs 2595 and 3207.

Client part was pretty simple once PHP got appropriate openssl functions.

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2011-10-29 22:40

dzekas wrote:The main problem is understanding how to turn on encryption on an open socket in the programming language used. The rest is in RFCs 2595 and 3207.
Agreed 100%. After researching the hmail code I ran it by martin awhile back since from what I could tell encryption was either on or off from time listen socket is created & wasn't sure how to make it toggle on later unless there is a function or such. Maybe once TLS command is given binary is assumed on that connection & just a matter of calling right functions & piping binary vs text or maybe somehow connection gets moved to an encrypted socket but I'd need to research more. I don't recall if that was something I received a response from him on or not but will have to ask again if I can't find needed info.
Bill
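The client side of the exchange, as an added example that is not hMailServer's code nor dzekas's PHP client: kmwade's three steps from earlier in the thread (EHLO, look for STARTTLS in the reply, issue STARTTLS), followed by the step this post asks about, turning on encryption over the socket that is already open, which Python's `ssl.SSLContext.wrap_socket` does on the existing connection. The default context verifies the certificate and host name, which is the condition dzekas names for STARTTLS to mean anything against an in-path proxy, and the `require` policy fails closed when the STARTTLS line is absent. The policy names, helper names and the two sample EHLO replies are this example's own.

```python
# Added example: RFC 3207 client-side STARTTLS negotiation with a fail-closed
# policy and certificate verification. Not hMailServer code; names are assumed.
import socket
import ssl

# Constructed EHLO replies: one honest, one with the STARTTLS line missing
# (what a client sees when a downgrading proxy sits in the path).
SAMPLE_EHLO = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
STRIPPED_EHLO = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250 8BITMIME"


def parse_ehlo(reply: str) -> dict:
    """Map a multi-line 250 EHLO reply to {EXTENSION: parameters}; line 1 is the server name."""
    exts = {}
    for i, line in enumerate(reply.replace("\r\n", "\n").split("\n")):
        if i == 0 or not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop "250-" / "250 "
        if body:
            name, _, params = body.partition(" ")
            exts[name.upper()] = params
    return exts


def tls_decision(exts: dict, policy: str) -> str:
    """Return 'upgrade', 'plain' or 'abort'. 'require' never falls back to
    plaintext, so a stripped STARTTLS advertisement ends the session instead."""
    offered = "STARTTLS" in exts
    if policy == "require":
        return "upgrade" if offered else "abort"
    if policy == "opportunistic":
        return "upgrade" if offered else "plain"
    return "plain"


def read_reply(f) -> str:
    """Read one SMTP reply, following 'NNN-' continuation lines."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\r\n".join(lines)


def starttls_session(host: str, port: int = 25, policy: str = "require",
                     timeout: float = 10.0) -> dict:
    """Connect, EHLO, apply the policy, upgrade the same socket, re-EHLO, QUIT.
    Only this function touches the network."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rb")
    report = {"greeting": read_reply(f)}
    sock.sendall(b"EHLO client.example.test\r\n")
    decision = tls_decision(parse_ehlo(read_reply(f)), policy)
    report["decision"] = decision
    if decision == "upgrade":
        sock.sendall(b"STARTTLS\r\n")
        resp = read_reply(f)
        if not resp.startswith("220"):
            report["decision"], report["error"] = "abort", resp
            sock.close()
            return report
        tls = ctx.wrap_socket(sock, server_hostname=host)   # handshake on the open connection
        f = tls.makefile("rb")
        tls.sendall(b"EHLO client.example.test\r\n")      # RFC 3207: discard old EHLO info, re-EHLO
        report["tls_version"] = tls.version()
        report["exts_after_tls"] = parse_ehlo(read_reply(f))
        tls.sendall(b"QUIT\r\n")
        tls.close()
        return report
    sock.sendall(b"QUIT\r\n")                            # 'plain' or 'abort': nothing else is sent
    sock.close()
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:     # e.g. python starttls_client.py mx.example.test 25 require
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(starttls_session(host, port, sys.argv[3] if len(sys.argv) > 3 else "require"))
    else:
        for name, sample in (("honest", SAMPLE_EHLO), ("stripped", STRIPPED_EHLO)):
            print(name, "->", tls_decision(parse_ehlo(sample), "require"))
```

The two pieces Bill48105 is asking about are separate: the protocol part is plain text commands and a reply parser, and the "turn encryption on later" part is a single wrap of the already-connected socket, after which the old extension list is thrown away and `EHLO` is sent again on the encrypted layer.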

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2011-10-29 23:13

LOL wow, all it takes is reading the RFCs & this Wikipedia article to see why TLS implementation in hmail has been avoided:
http://en.wikipedia.org/wiki/Transport_Layer_Security

Why couldn't it have been something simple like the server referring the client to an SSL-enabled port? LOL (I realize TLS is more than that but just saying)

Not sure I'm gonna try & tackle TLS anytime soon unless we can find a library that greatly simplifies it..
Bill

atsak
Normal user
Posts: 35
Joined: 2005-05-03 20:38

Re: ssl/tls and starttls

Post by atsak » 2011-10-29 23:52


Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2011-10-30 00:30

Cool thanks atsak. Will have to check it out. One of the biggest considerations (besides licensing) is that since hmail uses boost for connections whatever is used needs to work with boost without some major rewriting of code.

Something else that I've looked into is using ASSP as front end to handle the TLS. It is my understanding that ASSP v2 can work that way, with the back-end server not supporting TLS & ASSP acting as 'middle man'. As long as ASSP was on the same server or on same network at least it would provide a reasonably secure solution for people needing StartTLS. (The idea was to have hmail setup like normal but ASSP setup on special port & ONLY handle that special port pointed to a local-only port on hmail specific for that. ASSP's anti-spam features could be optionally used although some likely required if ASSP's IP was set in hmail iprange in such a way to allow spam but I'd require authentication to get around that)

Anyway thanks for the find & we'll see if it proves useful.
Bill

Noobert
New user
Posts: 3
Joined: 2012-05-23 15:04

Re: ssl/tls and starttls

Post by Noobert » 2012-05-23 16:37

I need STARTTLS, because our partners require it.

A technical discussion about the usefulness of STARTTLS is not necessary. Meanwhile STARTTLS is a 'must to have' for all MTAs. Most of major companies are using this service.

Does anyone know an easy to configure mailserver or mailgateway with STARTTLS?
hmailserver does not support STARTTLS, therefore it is not useful.

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: ssl/tls and starttls

Post by ^DooM^ » 2012-05-23 19:33

Noobert wrote:Does anyone know an easy to configure mailserver or mailgateway with STARTTLS?
Exchange.
Noobert wrote:hmailserver does not support STARTTLS, therefore it is not useful.
If you say so ;)

katip
Senior user
Posts: 662
Joined: 2006-12-22 07:58
Location: Istanbul

Re: ssl/tls and starttls

Post by katip » 2012-05-24 04:49

Noobert wrote: Does anyone know an easy to configure mailserver or mailgateway with STARTTLS?
You may want to put ASSP in front of HMS. A superb antispam will be your bonus ;)
Katip
--
HMS 5.7.0-B2428-LTS-64-bit, MySQL 5.7.24, SA 3.4.2, ClamAV 0.101.2 + SaneS

mattg
Moderator
Posts: 19883
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: ssl/tls and starttls

Post by mattg » 2012-05-24 08:32

^DooM^ wrote:
Noobert wrote:Does anyone know an easy to configure mailserver or mailgateway with STARTTLS?
Exchange
Exchange easy to configure - you're joking.

I have Exchange 2010 at work, and I would just as soon be rid of it. By crikey it is complicated and convoluted. You should try finding the logs and making sense of them...

Give me hMailserver anytime. :mrgreen: :mrgreen:

Noobert
New user
Posts: 3
Joined: 2012-05-23 15:04

Re: ssl/tls and starttls

Post by Noobert » 2012-05-24 09:21

katip wrote:
Noobert wrote: Does anyone know an easy to configure mailserver or mailgateway with STARTTLS?
You may want to put ASSP in front of HMS. A superb antispam will be your bonus ;)
That looks good! I'll test it. Thank you for this suggestion.

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2012-05-24 17:34

katip wrote:
Noobert wrote: Does anyone know an easy to configure mailserver or mailgateway with STARTTLS?
You may want to put ASSP in front of HMS. A superb antispam will be your bonus ;)
Ya know I've used ASSP for years & just recently found it can be 'man in the middle' for starttls to hmail but i've not actually tried it. Supposedly it works though so good idea recommending that! Let us know how it goes Noobert. Maybe you can give steps to help others too. :)
Bill

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2012-05-24 17:38

Bill48105 wrote:Ya know I've used ASSP for years & just recently found it can be 'man in the middle' for starttls to hmail
Starttls needs both client and server support. ASSP will cover only server part.

katip
Senior user
Posts: 662
Joined: 2006-12-22 07:58
Location: Istanbul

Re: ssl/tls and starttls

Post by katip » 2012-05-24 18:46

dzekas wrote:Starttls needs both client and server support. ASSP will cover only server part.
ASSP GUI wrote:How to Handle STARTTLS Requests (DoTLS)

If set to "drop TLS", any STARTTLS request will be removed from the protocol stack and no connection will ever go in to any TLS mode!
If set to "TLS to Proxy" and both peers (client and server) support TLS, both connections will be moved into a transparent proxy mode. All data will be encrypted and unreadable to ASSP.
If set to "do TLS", ASSP will be the "man in the middle". ASSP will try to move both connections into TLS. All data will be readable to ASSP - so all checks can be done. If either of the peers does not support TLS, ASSP will fake this (250-STARTTLS) to the other peer. So it is possible that the connection to the client goes into TLS mode even if TLS is not supported by the server. If a client does not request TLS (STARTTLS) even if it has got the (250-STARTTLS), ASSP tries to start a TLS session to the server, if it has sent (250-STARTTLS)! This behavior applies to incoming and outgoing messages. This option requires the installed perl module IO::Socket::SSL!
For "do TLS" a server-certificate-file " SSLCertFile " and a server-key-file " SSLKeyFile " must exist and must be valid!
If you do not have valid certificates, you may generate both files online with http://www.mobilefish.com or you may use OpenSSL to generate Self-signed SSL certificates! If you have installed OpenSSL (must be in PATH) and installed and enabled IO::Socket::SSL and ASSP is unable to find valid certificates - ASSP will try to create them at startup!
I hope that's good enough for Noobert.

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2012-05-24 20:45

dzekas wrote:
Bill48105 wrote:Ya know I've used ASSP for years & just recently found it can be 'man in the middle' for starttls to hmail
Starttls needs both client and server support. ASSP will cover only server part.
Umm you lost me there.. The email client is the client.. :D Maybe you meant public servers sending? Not sure but assp proxies the SSL & handles the starttls since hmail doesn't support & ends up unencrypted between assp & hmail.
Bill

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2012-05-24 20:46

Cool thanks katip. LOL looks like you pasted the help from the assp web admin. :D

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2012-05-24 21:01

Bill48105 wrote:
dzekas wrote:
Bill48105 wrote:Ya know I've used ASSP for years & just recently found it can be 'man in the middle' for starttls to hmail
Starttls needs both client and server support. ASSP will cover only server part.
Umm you lost me there.. The email client is the client.
When hmailserver talks to other SMTP servers, it is acting as a client. If hmailserver connects to server with StartTLS support, it should try to enable encryption on that connection. ASSP allows to enable encryption only when someone else is connecting to hmailserver.

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2012-05-24 22:05

dzekas wrote:When hmailserver talks to other SMTP servers, it is acting as a client. If hmailserver connects to server with StartTLS support, it should try to enable encryption on that connection. ASSP allows to enable encryption only when someone else is connecting to hmailserver.
Ahh yeah true gotcha. Think most people are looking for hmail to be the server side with starttls but something to keep in mind indeed.
Bill

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2012-05-24 22:10

Bill48105 wrote:Think most people are looking for hmail to be the server side with starttls
Most of them are looking at it as a means to encrypt their email data. Global PKI is harder to sell than snake oil.

Noobert
New user
Posts: 3
Joined: 2012-05-23 15:04

Re: ssl/tls and starttls

Post by Noobert » 2012-05-25 15:42

dzekas wrote:When hmailserver talks to other SMTP servers, it is acting as a client. If hmailserver connects to server with StartTLS support, it should try to enable encryption on that connection. ASSP allows to enable encryption only when someone else is connecting to hmailserver.
Ah, a one-way-solution doesn't help. I need StartTLS for encryption between my mailgateway and the mailservers around the world. In any direction.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2012-05-25 17:04

Noobert wrote:Ah, a one-way-solution doesn't help. I need StartTLS for encryption between my mailgateway and the mailservers around the world. In any direction.
You are not protecting anything with starttls between two email servers. How do you know that you are talking to right email server and not to MITM proxy? How do you know that email server does not have rule to forward any email to unrelated third party? Can you be sure that all mail servers around the world support StartTLS?

If you want to protect email content, you should use S/MIME or PGP/MIME. If you insist on snake oil solutions that make you comfortable, find some other server with STARTTLS client and SMTP-over-SSL server support and relay all hmailserver email to the SMTP-over-SSL service on that server.

katip
Senior user
Senior user
Posts: 662
Joined: 2006-12-22 07:58
Location: Istanbul

Re: ssl/tls and starttls

Post by katip » 2012-05-25 19:25

Noobert wrote:
Ah, a one-way solution doesn't help. I need StartTLS for encryption between my mail gateway and the mail servers around the world. In any direction.
Hmm, I remember configurations discussed in the ASSP forums/mailing list where both incoming to and outgoing from MTA traffic go through ASSP.
The GUI help says:

...If a client does not request TLS (STARTTLS) even it has got the (250-STARTTLS), ASSP tries to start a TLS session to server, if he has sent (250-STARTTLS)! This behavior belongs to incoming and outgoing messages.
Something like this, I'm not sure though, never tried. HTH
Katip
--
HMS 5.7.0-B2428-LTS-64-bit, MySQL 5.7.24, SA 3.4.2, ClamAV 0.101.2 + SaneS

dzekas
Senior user
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2012-05-25 19:30

katip wrote: Something like this, I'm not sure though, never tried. HTH
Outgoing flow is Server -> ASSP -> Other server -> Internet. You don't need ASSP for that. If other server relays from ASSP, it will relay from primary server and you can use SMTP-over-SSL to secure such connection. With ASSP in picture you would be scanning own outgoing mails for spam.

katip
Senior user
Senior user
Posts: 662
Joined: 2006-12-22 07:58
Location: Istanbul

Re: ssl/tls and starttls

Post by katip » 2012-05-25 19:42

dzekas wrote:
katip wrote: Something like this, I'm not sure though, never tried. HTH
Outgoing flow is Server -> ASSP -> Other server -> Internet. You don't need ASSP for that. If other server relays from ASSP, it will relay from primary server and you can use SMTP-over-SSL to secure such connection. With ASSP in picture you would be scanning own outgoing mails for spam.
dzekas, you're the expert in this subject, we know this. Does this help Noobert or not? Your advice is appreciated. There are a number of ways to skip a number of own outgoing checks in ASSP.

//edit: consider "Server -> ASSP -> Internet" instead of "Server -> ASSP -> Other server -> Internet"
Katip

dzekas
Senior user
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: ssl/tls and starttls

Post by dzekas » 2012-05-25 20:00

katip wrote: you're the expert in this subject
I am not an expert. I just want people to think about it before praising server-side email encryption or using weasel words to cover baseless assertions about TLS requirements for email protection.

Bill48105
Developer
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2012-05-25 20:21

dzekas wrote: With ASSP in the picture you would be scanning your own outgoing mails for spam.
Of course ASSP can be configured to NOT scan own outgoing emails to eliminate that concern. ;)

Bill48105
Developer
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2012-05-25 20:38

dzekas wrote:
katip wrote: you're the expert in this subject
I am not an expert. I just want people to think about it before praising server-side email encryption or using weasel words to cover baseless assertions about TLS requirements for email protection.
Oh come on dzekas, take the compliment. ;) We know you know your stuff on many things like IMAP/SSL/RFCs/webmail, but no need to be all "soup nazi" about it. :P (You watch Seinfeld? "NO SOUP FOR YOU!" lol) Yes, often people make poor assumptions on encryption, but it can be turned around & said that you make poor assumptions on what people are assuming too. ;) Really easy to misunderstand & make bad assumptions on a forum, especially with differences in language though. We all have had it happen & sure it's not the last time for any of us. ;)
Bill

Danny Chiou
New user
New user
Posts: 1
Joined: 2012-11-29 09:17

Re: ssl/tls and starttls

Post by Danny Chiou » 2012-11-29 09:49

SMTP relay by Microsoft Exchange must use TLS

SMTP relay auth use SSL
"APPLICATION" 3936 "2012-11-29 15:28:09.667" "SMTPDeliverer - Message 12: Relaying to host 10.10.2.81."
"DEBUG" 3936 "2012-11-29 15:28:09.667" "SD::_InitiateExternalConnection"
"DEBUG" 3936 "2012-11-29 15:28:09.667" "Creating session 15"
"TCPIP" 3936 "2012-11-29 15:28:09.667" "Connecting to 10.10.2.81..."
"DEBUG" 364 "2012-11-29 15:28:09.667" "Ending session 14"
"TCPIP" 5512 "2012-11-29 15:28:09.683" "TCPConnection - SSL handshake with client failed. Error code: 336031996, Message: asio.ssl error, Remote IP: 10.10.2.81"
"DEBUG" 3936 "2012-11-29 15:28:09.683" "SD::~_InitiateExternalConnection-5"
"DEBUG" 3936 "2012-11-29 15:28:09.683" "Ending session 15"
"DEBUG" 3936 "2012-11-29 15:28:09.683" "SD::~_DeliverToExternalAccounts-2"
"DEBUG" 3936 "2012-11-29 15:28:09.683" "Collect delivery result"
"DEBUG" 3936 "2012-11-29 15:28:09.683" "Collect delivery result - Done"
"DEBUG" 3936 "2012-11-29 15:28:09.683" "SD::_RescheduleDelivery"
"DEBUG" 3936 "2012-11-29 15:28:09.683" "Retrieving retry options."

SMTP relay auth without SSL
"TCPIP" 3936 "2012-11-29 15:43:35.472" "Connecting to 10.10.2.81..."
"DEBUG" 4944 "2012-11-29 15:43:35.488" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4944 17 "2012-11-29 15:43:35.488" "10.10.2.81" "RECEIVED: 220 MAIL01.xxxxx.com Microsoft ESMTP MAIL Service ready at Thu, 29 Nov 2012 15:43:33 +0800"
"SMTPC" 4944 17 "2012-11-29 15:43:35.488" "10.10.2.81" "SENT: EHLO ITS00055P00"
"DEBUG" 4944 "2012-11-29 15:43:35.488" "SMTPClientConnection::~_ParseASCII() - 2"
"DEBUG" 6008 "2012-11-29 15:43:35.488" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 6008 17 "2012-11-29 15:43:35.488" "10.10.2.81" "RECEIVED: 250-MAIL01.xxxxx.com Hello [10.10.30.40]"
"DEBUG" 6008 "2012-11-29 15:43:35.488" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 4944 "2012-11-29 15:43:35.488" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4944 17 "2012-11-29 15:43:35.488" "10.10.2.81" "RECEIVED: 250-SIZE"
"DEBUG" 4944 "2012-11-29 15:43:35.488" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 5332 "2012-11-29 15:43:35.488" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 5332 17 "2012-11-29 15:43:35.488" "10.10.2.81" "RECEIVED: 250-PIPELINING"
"DEBUG" 5332 "2012-11-29 15:43:35.488" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 4944 "2012-11-29 15:43:35.488" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4944 17 "2012-11-29 15:43:35.488" "10.10.2.81" "RECEIVED: 250-DSN"
"DEBUG" 4944 "2012-11-29 15:43:35.488" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 5332 "2012-11-29 15:43:35.488" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 5332 17 "2012-11-29 15:43:35.488" "10.10.2.81" "RECEIVED: 250-ENHANCEDSTATUSCODES"
"DEBUG" 5332 "2012-11-29 15:43:35.488" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 6008 "2012-11-29 15:43:35.488" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 6008 17 "2012-11-29 15:43:35.488" "10.10.2.81" "RECEIVED: 250-STARTTLS"
"DEBUG" 6008 "2012-11-29 15:43:35.488" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 5332 "2012-11-29 15:43:35.488" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 5332 17 "2012-11-29 15:43:35.488" "10.10.2.81" "RECEIVED: 250-X-ANONYMOUSTLS"
"DEBUG" 5332 "2012-11-29 15:43:35.488" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 6008 "2012-11-29 15:43:35.488" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 6008 17 "2012-11-29 15:43:35.488" "10.10.2.81" "RECEIVED: 250-AUTH NTLM"
"DEBUG" 6008 "2012-11-29 15:43:35.488" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 5332 "2012-11-29 15:43:35.503" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 5332 17 "2012-11-29 15:43:35.503" "10.10.2.81" "RECEIVED: 250-X-EXPS GSSAPI NTLM"
"DEBUG" 5332 "2012-11-29 15:43:35.503" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 6008 "2012-11-29 15:43:35.503" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 6008 17 "2012-11-29 15:43:35.503" "10.10.2.81" "RECEIVED: 250-8BITMIME"
"DEBUG" 6008 "2012-11-29 15:43:35.503" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 4944 "2012-11-29 15:43:35.503" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4944 17 "2012-11-29 15:43:35.503" "10.10.2.81" "RECEIVED: 250-BINARYMIME"
"DEBUG" 4944 "2012-11-29 15:43:35.503" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 5332 "2012-11-29 15:43:35.503" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 5332 17 "2012-11-29 15:43:35.503" "10.10.2.81" "RECEIVED: 250-CHUNKING"
"DEBUG" 5332 "2012-11-29 15:43:35.503" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 6008 "2012-11-29 15:43:35.503" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 6008 17 "2012-11-29 15:43:35.503" "10.10.2.81" "RECEIVED: 250-XEXCH50"
"DEBUG" 6008 "2012-11-29 15:43:35.503" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 5332 "2012-11-29 15:43:35.503" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 5332 17 "2012-11-29 15:43:35.503" "10.10.2.81" "RECEIVED: 250-XRDST"
"DEBUG" 5332 "2012-11-29 15:43:35.503" "SMTPClientConnection::~_ParseASCII() - 1"
"DEBUG" 6008 "2012-11-29 15:43:35.503" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 6008 17 "2012-11-29 15:43:35.503" "10.10.2.81" "RECEIVED: 250 XSHADOW"
"SMTPC" 6008 17 "2012-11-29 15:43:35.503" "10.10.2.81" "SENT: AUTH LOGIN"
"DEBUG" 5332 "2012-11-29 15:43:40.519" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 5332 17 "2012-11-29 15:43:40.519" "10.10.2.81" "RECEIVED: 504 5.7.4 Unrecognized authentication type"
"SMTPC" 5332 17 "2012-11-29 15:43:40.519" "10.10.2.81" "SENT: QUIT"
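One way to check a relay session like the one logged above for credentials sent before TLS, as an added example that is not hMailServer's own code: it replays the "SMTPC" SENT/RECEIVED lines (the log format quoted in this post) and flags an AUTH issued in the clear while the server advertised STARTTLS, or an AUTH mechanism the server never offered. The embedded sample log is constructed for the example; hosts, addresses and thread ids are made up.

```python
import re

# Constructed sample modelled on the SMTPC lines quoted above; hosts/ids are made up.
SAMPLE_LOG = """\
"SMTPC" 6008 17 "2012-11-29 15:43:35.488" "10.0.0.1" "RECEIVED: 220 mail.example.test ESMTP ready"
"SMTPC" 6008 17 "2012-11-29 15:43:35.488" "10.0.0.1" "SENT: EHLO client.example.test"
"SMTPC" 6008 17 "2012-11-29 15:43:35.488" "10.0.0.1" "RECEIVED: 250-mail.example.test Hello [10.0.0.2]"
"SMTPC" 6008 17 "2012-11-29 15:43:35.488" "10.0.0.1" "RECEIVED: 250-STARTTLS"
"SMTPC" 6008 17 "2012-11-29 15:43:35.488" "10.0.0.1" "RECEIVED: 250 AUTH NTLM"
"SMTPC" 6008 17 "2012-11-29 15:43:35.503" "10.0.0.1" "SENT: AUTH LOGIN"
"SMTPC" 5332 17 "2012-11-29 15:43:40.519" "10.0.0.1" "RECEIVED: 504 5.7.4 Unrecognized authentication type"
"""

# Only SMTPC lines carry the SMTP dialogue; DEBUG/TCPIP lines do not match and are skipped.
LINE_RE = re.compile(r'^"SMTPC" \d+ \d+ "[^"]*" "[^"]*" "(SENT|RECEIVED): (.*)"$')

def audit_smtpc_log(text: str) -> dict:
    """Replay one outbound session and flag credentials sent before TLS was negotiated."""
    audit = {"caps": set(), "auth_mechs": set(), "tls_started": False, "findings": []}
    greeting_pending = starttls_pending = False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2).split():
            continue
        direction, payload = m.groups()
        words = payload.split()
        if direction == "RECEIVED":
            if starttls_pending and words[0] == "220":      # server accepted STARTTLS
                audit["tls_started"], starttls_pending = True, False
            elif words[0].startswith("250"):
                if greeting_pending:                        # first 250 line is the hostname, not a capability
                    greeting_pending = False
                    continue
                caps = payload[4:].split()                  # strip "250-" / "250 "
                if caps:
                    audit["caps"].add(caps[0].upper())
                    if caps[0].upper() == "AUTH":
                        audit["auth_mechs"].update(w.upper() for w in caps[1:])
        else:  # SENT
            verb = words[0].upper()
            if verb in ("EHLO", "HELO"):
                greeting_pending = True
            elif verb == "STARTTLS":
                starttls_pending = True
            elif verb == "AUTH" and not audit["tls_started"]:
                mech = words[1].upper() if len(words) > 1 else "?"
                if "STARTTLS" in audit["caps"]:
                    audit["findings"].append(f"AUTH {mech} sent in cleartext although STARTTLS was offered")
                if audit["auth_mechs"] and mech not in audit["auth_mechs"]:
                    audit["findings"].append(f"AUTH {mech} not among advertised mechanisms {sorted(audit['auth_mechs'])}")
    return audit
```

Run against the sample it reports both problems seen in the Exchange log above: LOGIN was attempted on the cleartext channel and LOGIN was not among the mechanisms the server listed.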

bagu
Normal user
Normal user
Posts: 187
Joined: 2005-06-17 03:08
Location: France

Re: ssl/tls and starttls

Post by bagu » 2013-03-28 13:49

Need this feature too.

89 pro
0 cons

Maybe it would be the next feature to add? No?
hMailServer 5.6.8 With SpamAssassin 3.4.1

mattg
Moderator
Moderator
Posts: 19883
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: ssl/tls and starttls

Post by mattg » 2013-03-28 14:43

We are hoping that the next release will be a 'stable' 5.4.

For 5.5, I suspect that this will be one of the things looked at.
It is top of the list
http://www.hmailserver.com/?page=feature_voting

Bill48105
Developer
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2013-03-28 15:02

mattg wrote: We are hoping that the next release will be a 'stable' 5.4.

For 5.5, I suspect that this will be one of the things looked at.
It is top of the list
http://www.hmailserver.com/?page=feature_voting
lol, ain't that the truth! Would be nice to get 5.4 out finally, as a lot has been on hold for that.

The extended list DooM did is quite interesting. Shows STARTTLS is #1 by far:
http://www.hmailserver.com/?page=featur ... g_extended
Request                                             Yes  No  Weight  Date Added
ssl/tls and starttls                                 87   0    6.35  27th Jun 09
Domain /Email address blacklist [70%]                73   6    3.57  7th Feb 08
User mailbox editing                                 84   6    3.27  16th Sep 06
Different retry times for smtp delivery [90%]        59   0    3.22  20th Mar 08
BATV (Bounce Address Tag Validation) Check           30   0    2.67  26th Feb 10
On-Demand IMAP of External Accounts with IDLE/PUSH   43   6    2.58  24th Apr 09

Zapy
New user
New user
Posts: 5
Joined: 2007-11-26 14:09

Re: ssl/tls and starttls

Post by Zapy » 2013-06-30 23:28

Hi guys!
3 months have passed since the last post, any news about TLS and STARTTLS support for hmailserver?
