Loading ...
Sorry, an error occurred while loading the content.

RE: tls vs ssl

Expand Messages
  • Jonathan Tripathy
    Here is my 2 pence (Please someone correct me if I m wrong). STARTTLS and TLS do eventually use the TLS protocol (Which I think is just an updated version of
    Message 1 of 13 , Mar 2 12:41 AM
    • 0 Attachment
      RE: tls vs ssl

      Here is my 2 pence (Please someone correct me if I'm wrong).

      STARTTLS and TLS do eventually use the TLS protocol (Which I think is just an updated version of SSL). Different being is that with STARTTLS, the SMTP client (e.g. Thunderbird) will connect to the server unencrypted, then if the smtp server (postfix) announces "STARTTLS", Thunderbird will neogiate a key exchange then continue the rest of the connection encrypted.

      With "normal" TLS, the encrypted connection happens from the start, and both server and client will need keys on each end set up beforehand

      That's my take on it...


      -----Original Message-----
      From: owner-postfix-users@... on behalf of Stan Hoeppner
      Sent: Tue 3/2/2010 07:51
      To: postfix-users@...
      Subject: Re: tls vs ssl

      Daniel L. Miller put forth on 3/2/2010 1:18 AM:

      > OK - I'm an idiot.  I'll just admit that up front and get it out of the
      > way.
      >
      > Now that that's settled, what is the difference between "SSL" and "TLS"
      > in a MUA - particularly Thunderbird - in a Postfix context?
      >
      > I would have sworn I used to use Thunderbird with "SSL" specified and
      > connected to my Postfix servers fine.  Now, I can only connect in "TLS"
      > mode.  What did I break?

      It's unlikely you'd forget setting up SSL.  You would have likely created a
      self signed server certificate and would have installed it on all clients
      connecting to the server, just as must be done with web browsers connecting
      to a secure site for the first time.

      You've likely been using STARTTLS only, which doesn't require a key exchange
      as SSL/TLS does.  STARTTLS != TLS.

      --
      Stan

    • Charles Marcus
      ... ? You sure about that? I use only STARTTLS, and I always have to do the Confirm Security Exception dance to accept the certificate the first time I send
      Message 2 of 13 , Mar 2 9:18 AM
      • 0 Attachment
        On 2010-03-02 2:51 AM, Stan Hoeppner wrote:
        > You've likely been using STARTTLS only, which doesn't require a key exchange
        > as SSL/TLS does.

        ? You sure about that? I use only STARTTLS, and I always have to do the
        'Confirm Security Exception' dance to accept the certificate the first
        time I send a message in Thunderbird...

        --

        Best regards,

        Charles
      • Wietse Venema
        ... Port 24 and 587: TCP handshake, SMTP handshake, client sends STARTTLS, TLS handshake, SMTP handshake, MAIL transaction, ... Port 465: TCP handshake, TLS
        Message 3 of 13 , Mar 2 9:52 AM
        • 0 Attachment
          Charles Marcus:
          > On 2010-03-02 2:51 AM, Stan Hoeppner wrote:
          > > You've likely been using STARTTLS only, which doesn't require a key exchange
          > > as SSL/TLS does.
          >
          > ? You sure about that? I use only STARTTLS, and I always have to do the
          > 'Confirm Security Exception' dance to accept the certificate the first
          > time I send a message in Thunderbird...

          Port 24 and 587:

          TCP handshake,
          SMTP handshake, client sends STARTTLS,
          TLS handshake, SMTP handshake, MAIL transaction, ...

          Port 465:

          TCP handshake,
          TLS handshake, SMTP handshake, MAIL transaction, ...

          Details are in RFC 3207.

          Wietse
        • Daniel L. Miller
          ... excerpted from master.cf - using non-standard port numbers for internal use and testing: 192.168.0.110:125 inet n - - - -
          Message 4 of 13 , Mar 2 11:33 AM
          • 0 Attachment
            Timo Sirainen wrote:
            >> I would have sworn I used to use Thunderbird with "SSL" specified and
            >> connected to my Postfix servers fine. Now, I can only connect in "TLS"
            >> mode. What did I break?
            >>
            >
            > You no longer have smtps port enabled?
            >
            excerpted from master.cf - using non-standard port numbers for internal
            use and testing:

            192.168.0.110:125 inet n - - - - smtpd
            -o syslog_name=frominternet
            -o smtpd_proxy_filter=
            -o myhostname=Postfix-ASSP.amfeslan.local

            connect with Thunderbird to this address & port set to no encryption - works

            192.168.0.110:126 inet n - - - - smtpd
            -o smtpd_tls_security_level=may
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_client_restrictions=permit_sasl_authenticated,reject

            connect with Thunderbird to this address & port set to TLS - works. SSL
            does not.

            192.168.0.110:127 inet n - - - - smtpd
            -o smtpd_tls_security_level=encrypt
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_client_restrictions=permit_sasl_authenticated,reject

            connect with Thunderbird to this address & port set to TLS - works. SSL
            does not.

            By "SSL does not work" I mean:
            1. I see a connection in the Postfix log - but nothing further happens.
            2. Thunderbird works and works at sending ... and then times out with
            an error - "Sending of message failed".

            --
            Daniel
          • Victor Duchovni
            ... Why do you expect SMTP after SSL to work on a port that supports SSL after SMTP? http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode -- Viktor.
            Message 5 of 13 , Mar 2 11:41 AM
            • 0 Attachment
              On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:

              > 192.168.0.110:126 inet n - - - - smtpd
              > -o smtpd_tls_security_level=may
              > -o smtpd_sasl_auth_enable=yes
              > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
              >
              > connect with Thunderbird to this address & port set to TLS - works. SSL
              > does not.

              Why do you expect SMTP after SSL to work on a port that supports SSL
              after SMTP?

              http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode

              --
              Viktor.

              P.S. Morgan Stanley is looking for a New York City based, Senior Unix
              system/email administrator to architect and sustain our perimeter email
              environment. If you are interested, please drop me a note.
            • Daniel L. Miller
              ... Ok - inferring from that, I tried: 192.168.0.110:128 inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o
              Message 6 of 13 , Mar 2 12:30 PM
              • 0 Attachment
                Victor Duchovni wrote:
                > On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:
                >
                >
                >> 192.168.0.110:126 inet n - - - - smtpd
                >> -o smtpd_tls_security_level=may
                >> -o smtpd_sasl_auth_enable=yes
                >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                >>
                >> connect with Thunderbird to this address & port set to TLS - works. SSL
                >> does not.
                >>
                >
                > Why do you expect SMTP after SSL to work on a port that supports SSL
                > after SMTP?
                >
                > http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
                >
                Ok - inferring from that, I tried:
                192.168.0.110:128 inet n - - - - smtpd
                -o smtpd_tls_wrappermode=yes
                -o smtpd_sasl_auth_enable=yes
                -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                Now connecting from Thunderbird SSL works - TLS does not. Just
                confirming - is this expected and proper behaviour?

                --
                Daniel
              • Victor Duchovni
                ... Yes, of course. SSL after SMTP won t work with a service that runs SMTP after SSL. The SMTP inside SSL service and SSL inside SMTP services are not
                Message 7 of 13 , Mar 2 12:42 PM
                • 0 Attachment
                  On Tue, Mar 02, 2010 at 12:30:21PM -0800, Daniel L. Miller wrote:

                  > Ok - inferring from that, I tried:
                  > 192.168.0.110:128 inet n - - - - smtpd
                  > -o smtpd_tls_wrappermode=yes
                  > -o smtpd_sasl_auth_enable=yes
                  > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                  >
                  > Now connecting from Thunderbird SSL works - TLS does not. Just confirming
                  > - is this expected and proper behaviour?

                  Yes, of course. SSL after SMTP won't work with a service that runs SMTP
                  after SSL. The "SMTP inside SSL" service and "SSL inside SMTP" services
                  are not inter-operable and cannot be deployed on the same port.

                  The "SMTP over SSL" service (wrappermode=yes) is a legacy non-standard
                  service and should be phased out once all clients support "SSL over SMTP"
                  (aka STARTTLS).

                  --
                  Viktor.

                  P.S. Morgan Stanley is looking for a New York City based, Senior Unix
                  system/email administrator to architect and sustain our perimeter email
                  environment. If you are interested, please drop me a note.
                • Noel Jones
                  ... Yes, that s expected. SSL wrappermode is incompatible with standard SMTP or STARTTLS. Typically wrappermode is specified only on port 465, which is
                  Message 8 of 13 , Mar 2 1:12 PM
                  • 0 Attachment
                    On 3/2/2010 2:30 PM, Daniel L. Miller wrote:
                    > Victor Duchovni wrote:
                    >> On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:
                    >>
                    >>> 192.168.0.110:126 inet n - - - - smtpd
                    >>> -o smtpd_tls_security_level=may
                    >>> -o smtpd_sasl_auth_enable=yes
                    >>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                    >>>
                    >>> connect with Thunderbird to this address & port set to TLS - works.
                    >>> SSL does not.
                    >>
                    >> Why do you expect SMTP after SSL to work on a port that supports SSL
                    >> after SMTP?
                    >>
                    >> http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
                    > Ok - inferring from that, I tried:
                    > 192.168.0.110:128 inet n - - - - smtpd
                    > -o smtpd_tls_wrappermode=yes
                    > -o smtpd_sasl_auth_enable=yes
                    > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                    >
                    > Now connecting from Thunderbird SSL works - TLS does not. Just
                    > confirming - is this expected and proper behaviour?
                    >

                    Yes, that's expected. SSL wrappermode is incompatible with
                    standard SMTP or STARTTLS.

                    Typically wrappermode is specified only on port 465, which is
                    commonly referred to as the smtps port.

                    -- Noel Jones
                  Your message has been successfully submitted and would be delivered to recipients shortly.