2

I'm using an email client for the first time - for the most part I've always used gmail via the web interface. Now I'm setting up thunderbird to connect to an email server of my own (on my own server, own domain name, etc).

The server machine (and the email server on it) was preconfigured for me. Now I figured out a way by which I'm able to send and receive email, but I noticed that in the outgoing and incoming servers section, the connection type was STARTTLS (and not SSL/TLS), and the Authentication Type was "Normal Password".

Does this mean that the password will be sent across in plain text? I'm very paranoid about security - it's the only way that it works for me.

Can someone please post links that explain how SMTP (my outbound server) and IMAP (my inbound server) servers work, and what connection type means what?

Thanks!

PS: If this question does not belong here, please redirect me.

harshath.jr
  • This question is more appropriate for superuser.com, or maybe security.stackexchange.com, depending on exactly how much detail you want. – womble Jul 20 '11 at 07:13
  • 3
    I think that the IT Security has it covered: http://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done-over-https although it's for HTTP basic auth, the principle of operation is exactly the same – Hubert Kario Jul 20 '11 at 08:30
  • Thanks. I found another question that was similar: http://superuser.com/questions/172580/thunderbird-starttls-password-method Thanks! – harshath.jr Jul 20 '11 at 10:36

2 Answers

2

TLS is very safe and in some ways more "flexible" than SSL since the standard application ports can be used in dual-mode (with and/or without TLS) in a lot of configurations.

The first thing that takes place after the initial application port connect is the TLS negotiation, where both sides figure out if they are both TLS capable; if so, TLS negotiation takes place and everything else from there on is encrypted based on the negotiated encryption capabilities/configurations.

Here's a quick overview - http://www.tech-faq.com/tls-transport-layer-security.html.

user48838
0

STARTTLS is very secure, but the implementations only check the validity of a certificate and do not check that the certificate has any association with that domain.

For instance, if you can fake the IP (man in the middle) most MTAs will just log that they connected to a validly signed certificate. You can create a certificate for any domain and use it to perform an MITM interception of email. The MITM can then reforward emails.
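As an added example (not code from either answer), here is a Python SMTP client that follows the negotiation the first answer describes and closes the gap the second answer points out: it sends the "Normal Password" login only after the STARTTLS upgrade has succeeded with a context that verifies both the certificate chain and the hostname, so the password never crosses the wire in cleartext. The host, port and credentials are placeholders, and the EHLO responses are constructed samples for checking the capability parser offline.

```python
import smtplib
import ssl

# Constructed EHLO responses: one server advertises STARTTLS, the other does not.
SAMPLE_EHLO_WITH_STARTTLS = (
    b"250-mail.example.test\r\n250-PIPELINING\r\n"
    b"250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"
)
SAMPLE_EHLO_WITHOUT_STARTTLS = b"250-mail.example.test\r\n250 AUTH PLAIN LOGIN\r\n"


def ehlo_offers_starttls(ehlo_response: bytes) -> bool:
    """True if the multi-line EHLO reply advertises the STARTTLS extension.

    Every extension line is '250-KEYWORD', the final one is '250 KEYWORD'.
    """
    for line in ehlo_response.decode("ascii", "replace").splitlines():
        if line[:4] in ("250-", "250 ") and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def strict_tls_context() -> ssl.SSLContext:
    """Context that rejects an unknown CA *and* a certificate for the wrong host."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED against system CAs
    ctx.check_hostname = True                 # name in the cert must match the server
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def authenticate_over_starttls(host: str, port: int, user: str, password: str) -> bool:
    """Connect in cleartext, upgrade with STARTTLS, and only then send the password."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Refusing is the safe failure mode: a plain-text AUTH would expose the password.
            raise RuntimeError("server does not offer STARTTLS; not sending credentials")
        # Raises ssl.SSLCertVerificationError on an untrusted or mismatched certificate.
        smtp.starttls(context=strict_tls_context())
        smtp.ehlo()              # capabilities may differ after the upgrade; re-read them
        smtp.login(user, password)   # AUTH PLAIN/LOGIN now travels inside the TLS session
        return True


if __name__ == "__main__":
    # Placeholder values; replace with your own server and account to try it live.
    authenticate_over_starttls("mail.example.test", 587, "user@example.test", "PASSWORD")
```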