Using TLS to encrypt SMTP traffic...
Bill Hacker
Posted: Wed Jul 19, 2006 10:10 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

jtelep@localonline.net wrote:
Quote:
I'm not sure that I even have the subject of this message accurate. I am
trying to make sure that I understand this encryption scheme correctly.
Please can someone correct me if I am wrong on the next statement:

If I configure my Exim4 server to use TLS then the order of the way things
should work after that is:

1. I request an SMTP connection to my server
2. It responds and initiates a TLS connection with the client.
3. I then authenticate using something like SASL and don't need to worry
about the username or password being "sniffed" or intercepted in any other
way.

Thanks,

Jon



'use TLS' can apply to more than one place in Exim.

There are commonly two places, and three variations where encryption comes into
play:

1) - esmtp, used to *offer* TLS encryption to distant hosts submitting incoming
traffic on your port 25, and to *request* TLS of distant host port 25 to which
your server wishes to send. You can force this, but not all remote hosts can or
will be able to comply, so best to do that only in a corporate private network,
else you will cut off some traffic. IOW - a good idea to enable it, but not to
insist on it.

Typical settings include:

daemon_smtp_ports = 25 : 465 : 587

tls_certificate = /usr/local/etc/exim/certs/<cert name or number>

tls_advertise_hosts = *


An optional setting is:

tls_remember_esmtp = yes


2) - esmtp(s/a) - used to encrypt BOTH UID:password AND message traffic
submitted from your MUA to your mail server. SSL/TLS 'forced' on the submission
port(s) for authentication and subsequent traffic. Once in place, further
'secure' password exchange methods are optional, as even 'plain' is now inside
an SSL/TLS 'tunnel'. With server settings you can force *all* of your user MUAs
to use SSL/TLS when authenticating - generally a very good idea, as all modern
MUAs support it - even MS broken ones.


A typical setting is:

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}


An optional setting is:

tls_on_connect_ports = 465

(be aware port 465 is in most MUA for legacy always-on 'SSL' but has been
officially reassigned for other use WEF February 2006)


3) - used to (attempt to) protect the UID:password exchange, but not the message
traffic. SASL, by itself, does not apply encryption of any kind to the headers
or body of the message, only the login.

Further research of the docs can expand your familiarity with Exim's setup for
each of these.

HTH,

Bill


--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
Heiko Schlittermann
Posted: Thu Jul 20, 2006 6:42 am    Post subject: Re: Using TLS to encrypt SMTP traffic...

Hello,

W B Hacker <wbh@conducive.org> (Do 20 Jul 2006 00:10:34 CEST):
....

just to be more specific (accurate?)

Quote:
Typical settings include:

daemon_smtp_ports = 25 : 465 : 587

Typical clients use START_TLS on port 25, but tls-on-connect on 465
(what about 587?). So with the above setting I'd strongly recommend

tls_on_connect_ports = 465


Please correct me if I'm wrong.


Best regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -
Bill Hacker
Posted: Thu Jul 20, 2006 9:04 am    Post subject: Re: Using TLS to encrypt SMTP traffic...

Heiko Schlittermann wrote:

Quote:
Hello,

W B Hacker <wbh@conducive.org> (Do 20 Jul 2006 00:10:34 CEST):
....

just to be more specific (accurate?)


Typical settings include:

daemon_smtp_ports = 25 : 465 : 587


Typical clients use START_TLS on port 25, but tls-on-connect on 465
(what about 587?). So with the above setting I'd strongly recommend

tls_on_connect_ports = 465


Please correct me if I'm wrong.



Only for the past 5+ months.

;-)


Quote:
Best regards from Dresden
Heiko Schlittermann


AFAIK port 465 remains available in nearly all common MUAs, and is the default
if legacy 'SSL' is selected for smtp submission, rather than 'TLS'.

However, port 465 was reassigned to a Cisco-sponsored service WEF February 2006
- one that has nothing to do with smtp:

urd 465/tcp URL Rendesvous Directory for SSM (Cisco)
igmpv3lite 465/udp IGMP over UDP for SSM


Which leaves 587 as the only 'official' submission port now:

submission 587/tcp Submission
submission 587/udp Submission
# [RFC4409]

Bill


Marc Sherman
Posted: Thu Jul 20, 2006 12:44 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

Heiko Schlittermann wrote:
Quote:
Typical settings include:

daemon_smtp_ports = 25 : 465 : 587

Typical clients use START_TLS on port 25, but tls-on-connect on 465
(what about 587?). So with the above setting I'd strongly recommend

tls_on_connect_ports = 465

Please ignore everything Bill says about port 465. He continues to
advise people to ignore established norms and standards, without warning.

- Marc

xyon
Posted: Thu Jul 20, 2006 1:19 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

I apologize, why is 'tls_on_connect_ports 465' not correct? I've had to
enable that for Outlook (Express) clients since they do not use STARTTLS
on 25. Or at least they didn't when I set things up.

Please forgive me if I've missed something here.

On Thu, July 20, 2006 08:44, Marc Sherman wrote:
Quote:
Heiko Schlittermann wrote:
Typical settings include:

daemon_smtp_ports = 25 : 465 : 587

Typical clients use START_TLS on port 25, but tls-on-connect on 465
(what about 587?). So with the above setting I'd strongly recommend

tls_on_connect_ports = 465

Please ignore everything Bill says about port 465. He continues to
advise people to ignore established norms and standards, without warning.

- Marc

xyon
Posted: Thu Jul 20, 2006 1:27 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

Whoops, terribly sorry. I just saw this post further down. I don't tend to
use 587, but stick to 465. I think that's what most people do.

On Thu, July 20, 2006 09:19, xyon wrote:
Quote:
I apologize, why is 'tls_on_connect_ports 465' not correct? I've had to
enable that for Outlook (Express) clients since they do not use STARTTLS
on 25. Or at least they didn't when I set things up.

Please forgive me if I've missed something here.

On Thu, July 20, 2006 08:44, Marc Sherman wrote:
Heiko Schlittermann wrote:
Typical settings include:

daemon_smtp_ports = 25 : 465 : 587

Typical clients use START_TLS on port 25, but tls-on-connect on 465
(what about 587?). So with the above setting I'd strongly recommend

tls_on_connect_ports = 465

Please ignore everything Bill says about port 465. He continues to
advise people to ignore established norms and standards, without
warning.

- Marc

Steffen Heil
Posted: Thu Jul 20, 2006 2:01 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

Hi

Quote:
Typical settings include:

daemon_smtp_ports = 25 : 465 : 587

Typical clients use START_TLS on port 25, but tls-on-connect on 465
(what about 587?). So with the above setting I'd strongly recommend

tls_on_connect_ports = 465

Please ignore everything Bill says about port 465. He
continues to advise people to ignore established norms and
standards, without warning.

I hope I misunderstand, but otherwise that comment is garbage.

In spite of the fact that it may be against standards now I also suggest:

daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

25 is for inter-MTA smtp traffic. (explicit tls optionally, usually no auth)
587 is for "good" MUA to MTA traffic. (explicit tls preferred, only auth)
465 is for "bad" MUA to MTA traffic. (implicit ssl forced, only auth)

There are still clients which don't do STARTTLS but only implicit SSL.
Some versions of Outlook for example.

If you configure this server only for yourself, drop port 465 completely.
However, if you need to support clients with somehow broken smtp/ssl
implementations, you have no chance to do otherwise.

I cannot afford to drop that many customers, maybe you can...

Regards,
Steffen
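The port roles Steffen lays out above, and the places Bill's first reply says TLS comes into play, can be made concrete by simulating what the quoted Exim settings do to a submission attempt. The Python below is an added example written for this page; it is not Exim's code and was not posted by any participant. It parses the quoted main-section settings (daemon_smtp_ports, tls_on_connect_ports, tls_advertise_hosts and the auth_advertise_hosts expansion), derives each port's TLS mode, and plays a client in 'ssl' (TLS on connect), 'starttls' or 'plain' mode against it. The host names, SIZE limit and transcript wording are constructed, and the model only understands the two auth_advertise_hosts forms the thread mentions (`*` and the `$tls_cipher` test).

```python
from dataclasses import dataclass

# Constructed example for this thread: not Exim source, not code from any post.
# It models how the quoted main-section settings decide, per port, whether TLS
# is implicit (tls_on_connect), negotiated with STARTTLS, or absent, and whether
# AUTH is offered before TLS is up.  Host names and SIZE are made-up sample data.

AUTH_ONLY_INSIDE_TLS = "${if eq{$tls_cipher}{}{}{*}}"   # expansion quoted in the thread
THREAD_CONFIG = """
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_advertise_hosts = *
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
"""

def parse_exim_list(value: str) -> list[str]:
    """Split an Exim colon-separated list, dropping surrounding whitespace."""
    return [item.strip() for item in value.split(":") if item.strip()]

def parse_settings(text: str) -> dict[str, str]:
    """Read 'name = value' lines of a main-section fragment; '#' comments ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition("=")
            settings[name.strip()] = value.strip()
    return settings

@dataclass
class Listener:
    ports: list[int]
    tls_on_connect: list[int]
    tls_advertise_hosts: str
    auth_advertise_hosts: str

    @classmethod
    def from_config(cls, text: str) -> "Listener":
        s = parse_settings(text)
        return cls(
            ports=[int(p) for p in parse_exim_list(s.get("daemon_smtp_ports", "25"))],
            tls_on_connect=[int(p) for p in parse_exim_list(s.get("tls_on_connect_ports", ""))],
            tls_advertise_hosts=s.get("tls_advertise_hosts", ""),
            auth_advertise_hosts=s.get("auth_advertise_hosts", "*"),
        )

    def port_mode(self, port: int) -> str:
        """'closed', 'implicit-tls' (tls_on_connect), 'starttls' or 'plaintext'."""
        if port not in self.ports:
            return "closed"
        if port in self.tls_on_connect:
            return "implicit-tls"
        return "starttls" if self.tls_advertise_hosts == "*" else "plaintext"

    def auth_advertised(self, tls_active: bool) -> bool:
        """Only '*' and the $tls_cipher test are modelled; $tls_cipher is empty until TLS is up."""
        if self.auth_advertise_hosts == AUTH_ONLY_INSIDE_TLS:
            return tls_active
        return self.auth_advertise_hosts == "*"

    def ehlo_reply(self, port: int, tls_active: bool) -> list[str]:
        """Extensions the simulated server lists in its EHLO response."""
        ext = ["PIPELINING", "SIZE 52428800"]
        if self.port_mode(port) == "starttls" and not tls_active:
            ext.append("STARTTLS")
        if self.auth_advertised(tls_active):
            ext.append("AUTH PLAIN LOGIN")
        return ext

def simulate_submission(listener: Listener, port: int, client_mode: str) -> tuple[bool, list[str]]:
    """Play a client in 'ssl' (TLS first), 'starttls' or 'plain' mode; return
    (credentials_sent_inside_tls, transcript). The client sends AUTH only when offered."""
    mode = listener.port_mode(port)
    log = [f"C: connect :{port}"]
    if mode == "closed":
        return False, log + ["S: (connection refused)"]
    tls_active = False
    if mode == "implicit-tls":
        if client_mode != "ssl":
            # Each side waits for the other to speak first: the classic hang.
            return False, log + ["C: (waiting for 220 banner)", "S: (waiting for TLS ClientHello) ... timeout"]
        log += ["C: TLS ClientHello", "S: TLS ServerHello ... handshake complete"]
        tls_active = True
    if client_mode == "ssl" and not tls_active:
        # A ClientHello lands where the server expects an SMTP command.
        return False, log + ["S: 220 mail.example.org ESMTP Exim", "C: TLS ClientHello", "S: 500 unrecognized command"]
    log += ["S: 220 mail.example.org ESMTP Exim", "C: EHLO client.example.net"]
    ext = listener.ehlo_reply(port, tls_active)
    log += [f"S: 250-{e}" for e in ext]
    if client_mode == "starttls" and not tls_active:
        if "STARTTLS" not in ext:
            return False, log + ["C: (STARTTLS not offered, giving up)"]
        log += ["C: STARTTLS", "S: 220 TLS go ahead", "C/S: TLS handshake complete", "C: EHLO client.example.net"]
        tls_active = True
        ext = listener.ehlo_reply(port, tls_active)
        log += [f"S: 250-{e}" for e in ext]
    if not any(e.startswith("AUTH") for e in ext):
        return False, log + ["C: (AUTH not offered, credentials never sent)"]
    where = "inside TLS" if tls_active else "IN THE CLEAR"
    log += [f"C: AUTH PLAIN <base64 credentials, {where}>", "S: 235 Authentication succeeded"]
    return tls_active, log

if __name__ == "__main__":
    for port, client in [(465, "ssl"), (465, "starttls"), (587, "ssl"), (587, "starttls"), (587, "plain")]:
        safe, transcript = simulate_submission(Listener.from_config(THREAD_CONFIG), port, client)
        print(f"--- :{port} client={client} safe={safe}", *transcript, sep="\n")
```

Running it shows the failure modes the thread argues about: a STARTTLS client on a tls_on_connect port hangs waiting for a banner the server will not send until a TLS handshake arrives (this is why tls_on_connect on 587 breaks standards-following clients), an 'ssl' client on a STARTTLS port has its ClientHello read as a garbage command, and with the conditional auth_advertise_hosts a client that never starts TLS is never offered AUTH at all, so the password cannot leave the MUA unprotected. Swap that expansion for a bare `*` and the same 'plain' client authenticates with its credentials on the wire in the clear.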
Marc Sherman
Posted: Thu Jul 20, 2006 2:04 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

Steffen Heil wrote:
Quote:

I hope I misunderstand, but otherwise that comment is garbage.

In spite of the fact that it may be against standards now I also suggest:

daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

25 is for inter-MTA smtp traffic. (explicit tls optionally, usually no auth)
587 is for "good" MUA to MTA traffic. (explicit tls preferred, only auth)
465 is for "bad" MUA to MTA traffic. (implicit ssl forced, only auth)

There are still clients which don't do STARTTLS but only implicit SSL.
Some versions of Outlook for example.

Sorry, trimmed my quotes too aggressively, and as a result wasn't clear.
Yes, what you and Heiko do is correct. What Bill does (the person Heiko
was responding to), and what he blindly advises everyone else to do
without warning them of the consequences, is wildly out of synch with
the rest of the world.

- Marc

Bill Hacker
Posted: Thu Jul 20, 2006 7:39 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

xyon wrote:

Quote:
Whoops, terribly sorry. I just saw this post further down. I don't tend to
use 587, but stick to 465. I think that's what most people do.


Feel free to ignore Bill Hacker, but the IANA and IETF are more pervasive:

http://www.iana.org/

http://www.iana.org/assignments/port-numbers


Port 587 - currently the officially recommended port for user-client submission,
is covered here - note that port 25 is still OK too - though many ISPs will
block or divert it:

http://www.ietf.org

http://www.ietf.org/rfc/rfc4409.txt


- Section 7 has a table of smtp extensions, listing STARTTLS as a 'MAY'.

- Security issues are covered in Section 9, with back-references to Section 3.

- Section 3 mentions other security methods, including IPSEC and SSL tunneling.

The above will take maybe ten minutes to find and read.

Other RFCs referenced take longer.

The very long history behind it all, if you care, needs the better part of a day
to track down and read.

Exim is fully capable of compliance with all applicable standards - old or new.

BTW, if you don't *like* what IANA and IETF have to say, standard practice is to
attack the messenger.

No sweat, I have broad shoulders.

;-)


"With all thy getting, get thee understanding"
B. C. Forbes


Regards,

Bill Hacker



Bill Hacker
Posted: Thu Jul 20, 2006 7:59 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

Steffen Heil wrote:
Quote:
Hi


Typical settings include:

daemon_smtp_ports = 25 : 465 : 587

Typical clients use START_TLS on port 25, but tls-on-connect on 465
(what about 587?). So with the above setting I'd strongly recommend

tls_on_connect_ports = 465

Please ignore everything Bill says about port 465. He
continues to advise people to ignore established norms and
standards, without warning.


I hope I misunderstand, but otherwise that comment is garbage.

In spite of the fact that it may be against standards now I also suggest:

daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

25 is for inter-MTA smtp traffic. (explicit tls optionally, usually no auth)
587 is for "good" MUA to MTA traffic. (explicit tls preferred, only auth)
465 is for "bad" MUA to MTA traffic. (implicit ssl forced, only auth)

There are still clients which don't do STARTTLS but only implicit SSL.
Some versions of Outlook for example.

If you configure this server only for yourself, drop port 465 completely.
However, if you need to support clients with somehow broken smtp/ssl
implementations, you have no chance to do otherwise.

I cannot afford to drop that many customers, maybe you can...

Regards,
Steffen


Can't argue with that - we still keep 465 open for the same reason, simply no
longer configure current MUA to use it.

But, as you do in calling it "bad MUA to MTA" (I'd be kinder and say 'legacy'
and "MSA") I no longer recommend 'new' use of 465.

Not since the IANA/IETF have officially set a different use for that port (FEB
2006) anyway.

PRIOR to that date - *many* folks fought long and hard to keep smtps on 465.

Whether Herr Sherman likes it or not, that battle is over. IANA have spoken.

Digging out older posts - mine included - is no longer relevant.

Further, the new use IANA have assigned for 465 has caused obviously non-smtp
calls to port 465, which one can expect will increase over time if/as/when the
new 'rendezvous' protocol gains acceptance.

Eventually, that may cause enough confusion/needless IP connection load to make
it a good idea to shut that port if NOT offering the new service.

If anyone has ignored 'established practice' - tens of millions of MUA's that
are equipped for smtps / SSL on port 465 - it is the IANA/IETF - not I.

Ancient history now. Like it or not, we should move on and use 587.

Thanks,

Bill

Marc Sherman
Posted: Thu Jul 20, 2006 8:04 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

W B Hacker wrote:
Quote:

Ancient history now. Like it or not, we should move on and use 587.

That's all well and good, Bill, and if you simply advised people not to
open port 465 at all, I wouldn't reply. It's your repeated advice to
people to open 465 for unencrypted/STARTTLS usage, against all
established historical practice, to which I object.

- Marc

Marc Sherman
Posted: Thu Jul 20, 2006 8:15 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

Marc Sherman wrote:
Quote:
W B Hacker wrote:
Ancient history now. Like it or not, we should move on and use 587.

That's all well and good, Bill, and if you simply advised people not to
open port 465 at all, I wouldn't reply. It's your repeated advice to
people to open 465 for unencrypted/STARTTLS usage, against all
established historical practice, to which I object.

Whoops, I guess I owe Bill a bit of an apology -- I was mis-remembering
history here. It's actually your repeated use of tls_on_connect on port
587 that so aggravates me. You're welcome to do whatever you want on
your own server, but please do not advise others to configure
tls_on_connect on port 587 on this list without clearly noting that you
are doing something non-standard and against common practice.

Anyway, sorry about the mixup.

- Marc

Bill Hacker
Posted: Thu Jul 20, 2006 8:42 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

Marc Sherman wrote:

Quote:
W B Hacker wrote:

Ancient history now. Like it or not, we should move on and use 587.


That's all well and good, Bill, and if you simply advised people not to
open port 465 at all, I wouldn't reply. It's your repeated advice to
people to open 465 for unencrypted/STARTTLS usage, against all
established historical practice, to which I object.

- Marc


You have a reading disability then.

I have neither recommended that, illustrated that, nor done it on production
servers OR MUA settings. We have never used 465 for anything BUT SSL/tls_on-connect.

I *have* "illustrated", but NOT RECOMMENDED use of port 587 with tls_on_connect.

That is not common per established practice, but is tacitly supported and *not
prohibited* under the applicable IANA/IETF guidelines for the port.

See RFC 4409:

3.1. Submission Identification

Port 587 is reserved for email message submission as specified in
this document. Messages received on this port are defined to be
submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], *with
additional restrictions or allowances as specified here*.

..
..
..


3.3. Authorized Submission

"Numerous methods have been used to ensure that only authorized users
are able to submit messages. These methods include authenticated
SMTP, IP address restrictions, *secure IP and other tunnels*,..."

That said, I still do not RECOMMEND *anything* - save familiarizing oneself with
the current IANA or IETF position.

The rest is up to the mailadmin, as IANA/IETF wisely recognize that user-MUA
client to server-MSA host submission is a *local* issue.

RTFRFC

Bill







Bill Hacker
Posted: Thu Jul 20, 2006 8:54 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

Marc Sherman wrote:

Quote:
Marc Sherman wrote:

W B Hacker wrote:

Ancient history now. Like it or not, we should move on and use 587.

That's all well and good, Bill, and if you simply advised people not to
open port 465 at all, I wouldn't reply. It's your repeated advice to
people to open 465 for unencrypted/STARTTLS usage, against all
established historical practice, to which I object.


Whoops, I guess I owe Bill a bit of an apology --

Accepted, thanks.

Quote:
I was mis-remembering
history here. It's actually your repeated use of tls_on_connect on port
587 that so aggravates me.

'Repeated use' is not and was not a 'RECOMMENDATION'.

An illustration, observation, or comment on special-case utility is not a
'recommendation' either.


Quote:
You're welcome to do whatever you want on
your own server, but please do not advise others to configure
tls_on_connect on port 587 on this list without clearly noting that you
are doing something non-standard and against common practice.


I haven't done so, and do not plan to start. It might irritate the pedantic.

Quote:
Anyway, sorry about the mixup.

- Marc


Let's just stick with current IANA/IETF recommendations and leave history where
it belongs.

Best,

Bill




Marc Haber
Posted: Thu Jul 20, 2006 10:17 pm    Post subject: Re: Using TLS to encrypt SMTP traffic...

On Fri, 21 Jul 2006 04:42:36 +0800, W B Hacker <wbh@conducive.org>
wrote:
Quote:
I *have* "illustrated", but NOT RECOMMENDED use of port 587 with tls_on_connect.

Well, kindly stop doing this, you're confusing the newbies who will
come back for more support.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
