« previous 1 2 3 4 next »

StartTLS

Internet providers in particular prefer to use SSL's successor, Transport Layer Security via StartTLS. It has the advantage that it can be offered as an additional option, whilst still allowing clients which don't support it to communicate with the server without encryption. The flip side of this is that email clients need to be able to cope if the server refuses a TLS connection.

The default option in many email clients, "TLS, if available", carries with it a major risk – a man-in-the-middle attacker could silently change the StartTLS command, which should activate encryption, into an XtartTLS. The server would then respond that it doesn't do XtartTLS, causing some email clients to send user data in unencrypted form unbeknown to the user. It is therefore advisable to check whether a server can handle StartTLS and then to make it obligatory. If an error message appears, it's then clear that something's wrong.

The port on which TLS services run is provider-dependant. In principle, this type of encryption can be transparently embedded within normal operations. To find out whether a mail server supports this:

$ nc smtp.irgendwo.de smtp
220 Mailserver ESMTP Exim 4.69 Wed, 16 Sep 2009 13:05:15 +0200
ehlo test
250-Mailserver Hello loki [10.1.2.73]
250-SIZE 78643200
250-PIPELINING
250-STARTTLS
250 HELP
quit
221 Mailserver closing connection

This list should include the command STARTTLS, which activates Transport Layer Security encryption:

STARTTLS
220 TLS go ahead

Netcat runs into trouble at this point, but openssl again comes to the rescue. The developers have made the SSL client smart enough to ask for TLS encryption in SMTP, POP3, IMAP and FTP, although this doesn't work with all servers.

$ openssl s_client -host mail.irgendwo.de -port 25 -starttls smtp
CONNECTED(00000003)
[...]
250 HELP
ehlo test
250-Mailserver Hello loki [10.1.2.73]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP

Next: SMTP Authentication

« previous 1 2 3 4 next »