In association with heise online


Internet providers in particular prefer to use SSL's successor, Transport Layer Security via StartTLS. It has the advantage that it can be offered as an additional option, whilst still allowing clients which don't support it to communicate with the server without encryption. The flip side of this is that email clients need to be able to cope if the server refuses a TLS connection.

The default option in many email clients, "TLS, if available", carries with it a major risk – a man-in-the-middle attacker could silently change the StartTLS command, which should activate encryption, into an XtartTLS. The server would then respond that it doesn't do XtartTLS, causing some email clients to send user data in unencrypted form unbeknown to the user. It is therefore advisable to check whether a server can handle StartTLS and then to make it obligatory. If an error message appears, it's then clear that something's wrong.

The port on which TLS services run is provider-dependent. In principle, this type of encryption can be transparently embedded within normal operations. To find out whether a mail server supports this:

$ nc smtp
220 Mailserver ESMTP Exim 4.69 Wed, 16 Sep 2009 13:05:15 +0200
ehlo test
250-Mailserver Hello loki []
250-SIZE 78643200
250 HELP
221 Mailserver closing connection

This list should include the command STARTTLS, which activates Transport Layer Security encryption:

220 TLS go ahead

Netcat runs into trouble at this point, but openssl again comes to the rescue. The developers have made the SSL client smart enough to ask for TLS encryption in SMTP, POP3, IMAP and FTP, although this doesn't work with all servers.

$ openssl s_client -host -port 25 -starttls smtp
250 HELP
ehlo test
250-Mailserver Hello loki []
250-SIZE 52428800
250 HELP
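The difference between "TLS, if available" and obligatory TLS can be written down as client logic. The following is an added example, not code from the original article: the function names and the sample replies are assumptions constructed from the sessions above, and the live variant uses Python's standard smtplib.

```python
import smtplib
import ssl

# Constructed sample replies (modelled on the sessions above, not captured traffic).
EHLO_WITH_TLS = "250-Mailserver Hello loki []\n250-SIZE 78643200\n250-STARTTLS\n250 HELP"
EHLO_NO_TLS = "250-Mailserver Hello loki []\n250-SIZE 78643200\n250 HELP"


def ehlo_extensions(reply):
    """Return the extension keywords from a multi-line EHLO reply."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:  # first line is only the greeting
        if line[:3] == "250" and line[3:4] in ("-", " "):
            words = line[4:].split()
            if words:
                exts.add(words[0].upper())
    return exts


def tls_decision(ehlo_reply, starttls_reply, mandatory=True):
    """Decide what a client does next: 'encrypt', 'plaintext' or 'abort'.

    starttls_reply is the server's answer to STARTTLS, or None if the
    command was never sent because the extension was not advertised.
    """
    offered = "STARTTLS" in ehlo_extensions(ehlo_reply)
    accepted = starttls_reply is not None and starttls_reply.startswith("220")
    if offered and accepted:
        return "encrypt"
    # "TLS, if available" falls back silently; a mandatory policy stops here.
    return "abort" if mandatory else "plaintext"


def connect_mandatory_tls(host, port=25):
    """Live variant with smtplib: raise instead of continuing unencrypted."""
    conn = smtplib.SMTP(host, port, timeout=10)
    try:
        conn.ehlo()
        if not conn.has_extn("starttls"):
            raise RuntimeError("server did not advertise STARTTLS")
        # starttls() raises SMTPResponseException on any reply other than 220.
        conn.starttls(context=ssl.create_default_context())
        conn.ehlo()  # extensions must be re-read over the encrypted channel
        return conn
    except Exception:
        conn.close()
        raise
```

With `mandatory=True`, a rejected STARTTLS command ends the session with an error, which is the visible failure the article recommends over a silent fallback.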
