Loading ...
Sorry, an error occurred while loading the content.

Re: tls vs ssl

Expand Messages
  • Timo Sirainen
    ... http://wiki.dovecot.org/SSL tries to explain their difference. ... You no longer have smtps port enabled?
    Message 1 of 13 , Mar 2 12:25 AM
    • 0 Attachment
      On 2.3.2010, at 9.18, Daniel L. Miller wrote:

      > OK - I'm an idiot. I'll just admit that up front and get it out of the way.
      >
      > Now that that's settled, what is the difference between "SSL" and "TLS"
      > in a MUA - particularly Thunderbird - in a Postfix context?

      http://wiki.dovecot.org/SSL tries to explain their difference.

      > I would have sworn I used to use Thunderbird with "SSL" specified and
      > connected to my Postfix servers fine. Now, I can only connect in "TLS"
      > mode. What did I break?

      You no longer have smtps port enabled?
    • Jonathan Tripathy
      Here is my 2 pence (Please someone correct me if I m wrong). STARTTLS and TLS do eventually use the TLS protocol (Which I think is just an updated version of
      Message 2 of 13 , Mar 2 12:41 AM
      • 0 Attachment
        RE: tls vs ssl

        Here is my 2 pence (Please someone correct me if I'm wrong).

        STARTTLS and TLS do eventually use the TLS protocol (Which I think is just an updated version of SSL). Different being is that with STARTTLS, the SMTP client (e.g. Thunderbird) will connect to the server unencrypted, then if the smtp server (postfix) announces "STARTTLS", Thunderbird will neogiate a key exchange then continue the rest of the connection encrypted.

        With "normal" TLS, the encrypted connection happens from the start, and both server and client will need keys on each end set up beforehand

        That's my take on it...


        -----Original Message-----
        From: owner-postfix-users@... on behalf of Stan Hoeppner
        Sent: Tue 3/2/2010 07:51
        To: postfix-users@...
        Subject: Re: tls vs ssl

        Daniel L. Miller put forth on 3/2/2010 1:18 AM:

        > OK - I'm an idiot.  I'll just admit that up front and get it out of the
        > way.
        >
        > Now that that's settled, what is the difference between "SSL" and "TLS"
        > in a MUA - particularly Thunderbird - in a Postfix context?
        >
        > I would have sworn I used to use Thunderbird with "SSL" specified and
        > connected to my Postfix servers fine.  Now, I can only connect in "TLS"
        > mode.  What did I break?

        It's unlikely you'd forget setting up SSL.  You would have likely created a
        self signed server certificate and would have installed it on all clients
        connecting to the server, just as must be done with web browsers connecting
        to a secure site for the first time.

        You've likely been using STARTTLS only, which doesn't require a key exchange
        as SSL/TLS does.  STARTTLS != TLS.

        --
        Stan

      • Charles Marcus
        ... ? You sure about that? I use only STARTTLS, and I always have to do the Confirm Security Exception dance to accept the certificate the first time I send
        Message 3 of 13 , Mar 2 9:18 AM
        • 0 Attachment
          On 2010-03-02 2:51 AM, Stan Hoeppner wrote:
          > You've likely been using STARTTLS only, which doesn't require a key exchange
          > as SSL/TLS does.

          ? You sure about that? I use only STARTTLS, and I always have to do the
          'Confirm Security Exception' dance to accept the certificate the first
          time I send a message in Thunderbird...

          --

          Best regards,

          Charles
        • Wietse Venema
          ... Port 24 and 587: TCP handshake, SMTP handshake, client sends STARTTLS, TLS handshake, SMTP handshake, MAIL transaction, ... Port 465: TCP handshake, TLS
          Message 4 of 13 , Mar 2 9:52 AM
          • 0 Attachment
            Charles Marcus:
            > On 2010-03-02 2:51 AM, Stan Hoeppner wrote:
            > > You've likely been using STARTTLS only, which doesn't require a key exchange
            > > as SSL/TLS does.
            >
            > ? You sure about that? I use only STARTTLS, and I always have to do the
            > 'Confirm Security Exception' dance to accept the certificate the first
            > time I send a message in Thunderbird...

            Port 24 and 587:

            TCP handshake,
            SMTP handshake, client sends STARTTLS,
            TLS handshake, SMTP handshake, MAIL transaction, ...

            Port 465:

            TCP handshake,
            TLS handshake, SMTP handshake, MAIL transaction, ...

            Details are in RFC 3207.

            Wietse
          • Daniel L. Miller
            ... excerpted from master.cf - using non-standard port numbers for internal use and testing: 192.168.0.110:125 inet n - - - -
            Message 5 of 13 , Mar 2 11:33 AM
            • 0 Attachment
              Timo Sirainen wrote:
              >> I would have sworn I used to use Thunderbird with "SSL" specified and
              >> connected to my Postfix servers fine. Now, I can only connect in "TLS"
              >> mode. What did I break?
              >>
              >
              > You no longer have smtps port enabled?
              >
              excerpted from master.cf - using non-standard port numbers for internal
              use and testing:

              192.168.0.110:125 inet n - - - - smtpd
              -o syslog_name=frominternet
              -o smtpd_proxy_filter=
              -o myhostname=Postfix-ASSP.amfeslan.local

              connect with Thunderbird to this address & port set to no encryption - works

              192.168.0.110:126 inet n - - - - smtpd
              -o smtpd_tls_security_level=may
              -o smtpd_sasl_auth_enable=yes
              -o smtpd_client_restrictions=permit_sasl_authenticated,reject

              connect with Thunderbird to this address & port set to TLS - works. SSL
              does not.

              192.168.0.110:127 inet n - - - - smtpd
              -o smtpd_tls_security_level=encrypt
              -o smtpd_sasl_auth_enable=yes
              -o smtpd_client_restrictions=permit_sasl_authenticated,reject

              connect with Thunderbird to this address & port set to TLS - works. SSL
              does not.

              By "SSL does not work" I mean:
              1. I see a connection in the Postfix log - but nothing further happens.
              2. Thunderbird works and works at sending ... and then times out with
              an error - "Sending of message failed".

              --
              Daniel
            • Victor Duchovni
              ... Why do you expect SMTP after SSL to work on a port that supports SSL after SMTP? http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode -- Viktor.
              Message 6 of 13 , Mar 2 11:41 AM
              • 0 Attachment
                On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:

                > 192.168.0.110:126 inet n - - - - smtpd
                > -o smtpd_tls_security_level=may
                > -o smtpd_sasl_auth_enable=yes
                > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                >
                > connect with Thunderbird to this address & port set to TLS - works. SSL
                > does not.

                Why do you expect SMTP after SSL to work on a port that supports SSL
                after SMTP?

                http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode

                --
                Viktor.

                P.S. Morgan Stanley is looking for a New York City based, Senior Unix
                system/email administrator to architect and sustain our perimeter email
                environment. If you are interested, please drop me a note.
              • Daniel L. Miller
                ... Ok - inferring from that, I tried: 192.168.0.110:128 inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o
                Message 7 of 13 , Mar 2 12:30 PM
                • 0 Attachment
                  Victor Duchovni wrote:
                  > On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:
                  >
                  >
                  >> 192.168.0.110:126 inet n - - - - smtpd
                  >> -o smtpd_tls_security_level=may
                  >> -o smtpd_sasl_auth_enable=yes
                  >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                  >>
                  >> connect with Thunderbird to this address & port set to TLS - works. SSL
                  >> does not.
                  >>
                  >
                  > Why do you expect SMTP after SSL to work on a port that supports SSL
                  > after SMTP?
                  >
                  > http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
                  >
                  Ok - inferring from that, I tried:
                  192.168.0.110:128 inet n - - - - smtpd
                  -o smtpd_tls_wrappermode=yes
                  -o smtpd_sasl_auth_enable=yes
                  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                  Now connecting from Thunderbird SSL works - TLS does not. Just
                  confirming - is this expected and proper behaviour?

                  --
                  Daniel
                • Victor Duchovni
                  ... Yes, of course. SSL after SMTP won t work with a service that runs SMTP after SSL. The SMTP inside SSL service and SSL inside SMTP services are not
                  Message 8 of 13 , Mar 2 12:42 PM
                  • 0 Attachment
                    On Tue, Mar 02, 2010 at 12:30:21PM -0800, Daniel L. Miller wrote:

                    > Ok - inferring from that, I tried:
                    > 192.168.0.110:128 inet n - - - - smtpd
                    > -o smtpd_tls_wrappermode=yes
                    > -o smtpd_sasl_auth_enable=yes
                    > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                    >
                    > Now connecting from Thunderbird SSL works - TLS does not. Just confirming
                    > - is this expected and proper behaviour?

                    Yes, of course. SSL after SMTP won't work with a service that runs SMTP
                    after SSL. The "SMTP inside SSL" service and "SSL inside SMTP" services
                    are not inter-operable and cannot be deployed on the same port.

                    The "SMTP over SSL" service (wrappermode=yes) is a legacy non-standard
                    service and should be phased out once all clients support "SSL over SMTP"
                    (aka STARTTLS).

                    --
                    Viktor.

                    P.S. Morgan Stanley is looking for a New York City based, Senior Unix
                    system/email administrator to architect and sustain our perimeter email
                    environment. If you are interested, please drop me a note.
                  • Noel Jones
                    ... Yes, that s expected. SSL wrappermode is incompatible with standard SMTP or STARTTLS. Typically wrappermode is specified only on port 465, which is
                    Message 9 of 13 , Mar 2 1:12 PM
                    • 0 Attachment
                      On 3/2/2010 2:30 PM, Daniel L. Miller wrote:
                      > Victor Duchovni wrote:
                      >> On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:
                      >>
                      >>> 192.168.0.110:126 inet n - - - - smtpd
                      >>> -o smtpd_tls_security_level=may
                      >>> -o smtpd_sasl_auth_enable=yes
                      >>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                      >>>
                      >>> connect with Thunderbird to this address & port set to TLS - works.
                      >>> SSL does not.
                      >>
                      >> Why do you expect SMTP after SSL to work on a port that supports SSL
                      >> after SMTP?
                      >>
                      >> http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
                      > Ok - inferring from that, I tried:
                      > 192.168.0.110:128 inet n - - - - smtpd
                      > -o smtpd_tls_wrappermode=yes
                      > -o smtpd_sasl_auth_enable=yes
                      > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                      >
                      > Now connecting from Thunderbird SSL works - TLS does not. Just
                      > confirming - is this expected and proper behaviour?
                      >

                      Yes, that's expected. SSL wrappermode is incompatible with
                      standard SMTP or STARTTLS.

                      Typically wrappermode is specified only on port 465, which is
                      commonly referred to as the smtps port.

                      -- Noel Jones
                    Your message has been successfully submitted and would be delivered to recipients shortly.