
Rather than purchasing SSL, I would create an SSL certificate. Of course my SSL certificate will not be useful, as browsers will show "Un-trusted SSL". Can I use a self-signed SSL certificate on my mail server to send and receive emails? By using self-signed SSL, does it interrupt users' work saying "you are using an un-trusted SSL certificate"?

Will it be useful?

And I believe that adding SSL to the mail server for email exchange will change my port numbers from 25, 110, 143 to 465, 995, 993. Am I right?

  • There are free CAs out there; you don't have to pay for a basic cert, not for a while now... Also, SSL is a protocol for implicit security (endpoint authenticity, data authenticity, encryption, and/or authorization). It uses X.509 public-key certificates, but they were invented years before SSL. – Chris S Sep 25 '11 at 23:14
  • Chris - Who provides me free SSL? Mine is a profit oriented business. – Karthik Malla Sep 26 '11 at 04:42
  • I don't mean to be condescending, but Googling "free ca" returns the most popular widely accepted Free CA as the #2 result. – Chris S Sep 26 '11 at 05:19

2 Answers


I hate to differ, mailq, but SSL between MTAs (that is, between your mail server and other mail servers) is perfectly well-supported and well-understood. It runs happily on port 25. When you connect to a mail server offering this, it's advertised in the EHLO phase:

[madhatta@anni ~]$ telnet www.teaparty.net 25
Trying 193.219.118.100...
Connected to www.teaparty.net.
Escape character is '^]'.
220 : ESMTP you accept terms at http://www.teaparty.net/smtp.html
EHLO me
250-www.teaparty.net Hello 88-111-161-32.dynamic.dsl.as9105.com [88.111.161.32], pleased to meet you
[...]
250-STARTTLS
[...]

A fellow mail server who's willing to talk TLS can then request escalation to encrypted communication, and the rest of the SMTP conversation can then happen under cover of crypto. The signed or unsigned state of a peer's certificate shows up in my sendmail logs thus:

Sep 25 22:42:05 www sendmail[24905]: STARTTLS=server, relay=nagios.teaparty.net [82.26.102.225], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256

In this case, I'm connecting to the foreign server (or it would say STARTTLS=client) and I can't, using my certificate bundle, verify the peer's certificate (or it would say verify=YES). But it's perfectly sound crypto, and worth doing.

Other than that I agree with your (otherwise excellent) answer.

MadHatter
  • Sorry, and I disagree with your answer. Or there is a misunderstanding. You can have crypto between client and server as described in [RFC 2487](http://tools.ietf.org/html/rfc2487) (and your answer). But as section 7 correctly states, the crypto vanishes between this server and the next server in the transport chain. – mailq Sep 25 '11 at 22:01
  • Sorry, mailq, RFC 2487 section 7 says nothing of the sort, at least to me. It correctly notes that SMTP TLS isn't the same as end-to-end encryption - that is, each hop from one mailserver to the next is only secured against men-in-the-middle-of-that-hop, not against all attackers save sender and recipient. But it says nothing to me that suggests that SMTP TLS can't be used between each hop in the SMTP relay chain. Can you quote the passage on which you depend? – MadHatter Sep 25 '11 at 22:15
  • It's the first paragraph. I'm not sure if I read it correctly (no native speaker). I'm going to drop an email in the next days to have an IRC chat on that topic... – mailq Sep 25 '11 at 22:38
  • RFC 2487 states that encryption is not guaranteed from one MTA to the next, and can not be guaranteed by the MSA. You can configure the originating MTA to require encryption, but that's another story. Encryption is certainly allowed, although SMTPS is not supported (by any MTA I've seen), only SMTP+TLS. You're both talking to different points; end-to-end encryption and single-hop encryption are different and should be understood by whoever is implementing the server so it can be communicated to the clients. – Chris S Sep 25 '11 at 23:04
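As an added example, not code from the answer or from sendmail itself, the two artefacts MadHatter shows (the EHLO reply and the STARTTLS log line) can be checked mechanically: detect whether a peer advertises STARTTLS, and classify logged TLS sessions by whether the peer certificate verified and whether the cipher was weak. The regex field names and every sample line other than the one quoted from the answer are constructed for this example.

```python
import re

# Field layout of sendmail's STARTTLS log line, taken from the line quoted in the answer above.
STARTTLS_LINE = re.compile(
    r"STARTTLS=(?P<role>server|client), relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\], "
    r"version=(?P<version>\S+), verify=(?P<verify>\S+), cipher=(?P<cipher>\S+), bits=(?P<bits>\d+)/\d+"
)

# Constructed sample input: the first line is the one quoted in the answer, the others are made up.
SAMPLE_LOG = [
    "Sep 25 22:42:05 www sendmail[24905]: STARTTLS=server, relay=nagios.teaparty.net [82.26.102.225], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "Sep 25 22:43:11 www sendmail[24910]: STARTTLS=client, relay=mx.example.net. [192.0.2.10], version=TLSv1/SSLv3, verify=OK, cipher=AES128-SHA, bits=128/128",
    "Sep 25 22:44:00 www sendmail[24912]: STARTTLS=server, relay=old.example.org [198.51.100.7], version=TLSv1/SSLv3, verify=NO, cipher=EXP-DES-CBC-SHA, bits=40/56",
    "Sep 25 22:45:30 www sendmail[24915]: p8PMjUAA024915: from=<bob@example.net>, size=1234, class=0, nrcpts=1",
]
# Constructed EHLO reply modelled on the telnet session in the answer.
SAMPLE_EHLO = "250-www.teaparty.net Hello me [192.0.2.1], pleased to meet you\r\n250-SIZE 10485760\r\n250-STARTTLS\r\n250 HELP\r\n"


def ehlo_advertises_starttls(ehlo_reply: str) -> bool:
    """True if the multi-line 250 EHLO reply lists the STARTTLS extension (RFC 2487)."""
    for line in ehlo_reply.splitlines():
        # Continuation lines look like "250-KEYWORD", the final line like "250 KEYWORD".
        if line.startswith(("250-", "250 ")) and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def parse_starttls_log(line: str):
    """Return the fields of a sendmail STARTTLS line as a dict, or None for any other line."""
    m = STARTTLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    # sendmail writes verify=OK when the peer's certificate chained to the local CA bundle
    # (the answer writes YES; both are accepted). verify=NO means the hop is encrypted but the
    # peer is unauthenticated, which is what a self-signed certificate at the far end produces.
    rec["peer_verified"] = rec["verify"] in ("OK", "YES")
    return rec


def summarize(log_lines):
    """Count STARTTLS sessions, how many had an unverified peer, and which used <128-bit ciphers."""
    out = {"sessions": 0, "unverified": 0, "weak": []}
    for rec in filter(None, map(parse_starttls_log, log_lines)):
        out["sessions"] += 1
        out["unverified"] += not rec["peer_verified"]
        if rec["bits"] < 128:
            out["weak"].append(rec["relay"])
    return out
```

A high unverified count is normal with opportunistic STARTTLS and self-signed peers; the weak-cipher list is the one worth alerting on.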

SSL is only useful for connections between clients (Outlook, Thunderbird, ...) and the server. And yes it will change the ports for IMAP, POP3 and SMTP to their equivalent ports.

Using SSL between your SMTP server and other SMTP servers is not supported and specified (except to another relay host). They will still use port 25 for mail exchange (unencrypted).

Self-signed certificates will always "disturb" clients as they are not trusted. You can make them trusted by inserting the public CA key into the client software.

So whether it is useful depends on what you are trying to accomplish.

mailq
  • Correct. Outlook definitely interrupts users to warn them about certificates. – Mark Henderson Sep 25 '11 at 21:50
  • Using encryption, specifically TLS, between MTAs is supported by many MTAs (even newer versions of Exchange). It is not SMTPS (SMTP+SSL), but is implemented in the form of SMTP+TLS. – Chris S Sep 25 '11 at 23:06