Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: hanscees on August 03, 2013, 10:03:56 PM

Title: Does email server sme8 use ssl when connecting to others?
Post by: hanscees on August 03, 2013, 10:03:56 PM
Hi,

With all the PRISM stuff going on, sending and receiving email over SSL would be a good thing.

How is sme doing this at the moment?

Does the email server:

I am quite sure you can pop your email over ssl.

Anybody knows?
Title: Re: Does email server sme8 use ssl when connecting to others?
Post by: TerryF on August 03, 2013, 11:13:44 PM
Quote
Anybody knows?

Yes, the Wiki does (http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter1#Server_Features), depends what you want to cover. Email client specific (http://wiki.contribs.org/Email_-_Setting_up_E-mail_clients_for_SME_8.0)
Title: Re: Does email server sme8 use ssl when connecting to others?
Post by: janet on August 04, 2013, 01:09:06 AM
hanscees

http://en.m.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
Title: Re: Does email server sme8 use ssl when connecting to others?
Post by: hanscees on August 05, 2013, 11:45:30 PM
None of your answers help me, of course. At least the first one is an attempt.

Let me explain:
Postfix can be configured to first try ssl when the mta sends email to another mta. If all smtp mta's would behave like that AND accept smtp via ssl/tls the internet would be a safer place with regard to user privacy:
Since governments can eavesdrop on smtp, but not on ssl/tls, such a feature of the mta improves chances your email will not be monitored while travelling from MTA to MTA.

I thus was asking how does SME-server behave in this regard: does it use ssl between MTA's?

Apparently the answer is NO, or I don't know.

thank you



Title: Re: Does email server sme8 use ssl when connecting to others?
Post by: CharlieBrady on August 06, 2013, 02:39:28 PM
Quote
accepts email from other servers over ssl?

Yes.

Quote
try to deliver its email to other servers first by using ssl?

In general no. It will use SSL to the SmartHost if you have one, and configure port 465.
Title: Re: Does email server sme8 use ssl when connecting to others?
Post by: hanscees on August 06, 2013, 09:44:20 PM
Quote
Yes.

In general no. It will use SSL to the SmartHost if you have one, and configure port 465.

Thank you for the answer Charlie. While #prism news rocks the internet I would certainly prefer having a server that tries to deliver my email to other email servers without being eavesdropped upon. I also think that the Linux community should uphold the long tradition of being safe for end users.

Just my two cents. I appreciate your hard work, it is not criticism. Just noticing that thinking about internet has changed here in Europe since #prism.
Title: Re: Does email server sme8 use ssl when connecting to others?
Post by: CharlieBrady on August 06, 2013, 09:49:12 PM
Quote
While #prism news rocks the internet I would certainly prefer having a server that tries to deliver my email to other email servers without being eavesdropped upon.

That would require a switch from qmail to something else, or very substantial changes to qmail. Neither is a trivial change.

I notice somebody has developed patches for qmail to allow it to do MTA-to-MTA encryption:

http://inoa.net/qmail-tls/
Title: Re: Does email server sme8 use ssl when connecting to others?
Post by: CharlieBrady on August 06, 2013, 09:56:22 PM
Note however that using TLS/SSL in the MTA isn't a silver bullet. You will have lots of disruption of mail delivery if you don't accept self-signed certs, but if you accept self-signed certs, then man-in-the-middle attacks become very simple, so your ISP (or somebody working with them) could crack open your email and read it.

If you care about secrecy of your email, do it end-to-end using PGP or S/MIME.
Title: Re: Does email server sme8 use ssl when connecting to others?
Post by: hanscees on August 06, 2013, 09:59:56 PM
Quote
That would require a switch from qmail to something else, or very substantial changes to qmail. Neither is a trivial change.

I notice somebody has developed patches for qmail to allow it to do MTA-to-MTA encryption:

http://inoa.net/qmail-tls/
http://notes.sagredo.eu/node/84
Title: Re: Does email server sme8 use ssl when connecting to others?
Post by: hanscees on August 06, 2013, 10:08:09 PM
Quote
Note however that using TLS/SSL in the MTA isn't a silver bullet. You will have lots of disruption of mail delivery if you don't accept self-signed certs,

Why is that? Are MTA admins lazy?

Man in the middle attack makes it difficult yes. Solution would mean to verify certificate in dns. Anyway, then it gets murky.

Some discussion about this subject here: http://serverfault.com/questions/315365/using-self-signed-ssl-for-mail

However, smtp over tls (apparently using port 25) might not be perfect, it might just be enough not to be eavesdropped upon, since that would mean a lot more preparation to listen in. But you are correct to assume it is not watertight.
Not accepting self-signed certificates might not be realistic.
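
The trade-off discussed in this thread, as an added example that is not part of any post and is not SME Server or qmail code: Python's standard smtplib and ssl modules show what an outbound MTA does under an "opportunistic" policy (encrypt if offered, accept any certificate, otherwise send in plaintext) versus a "strict" one (verified TLS or defer). The policy names, function names, host names and sample EHLO replies are assumptions made up for the illustration.

```python
import smtplib
import ssl

def tls_context(verify: bool) -> ssl.SSLContext:
    """TLS settings for an outbound MTA-to-MTA connection."""
    ctx = ssl.create_default_context()      # verifies CA chain and host name
    if not verify:
        # Accept any certificate, self-signed included: the link is encrypted
        # against passive eavesdropping, but the peer is not authenticated.
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def offers_starttls(ehlo_reply: str) -> bool:
    """True if a raw multi-line EHLO reply lists the STARTTLS extension."""
    lines = ehlo_reply.splitlines()[1:]     # first line is the greeting
    return any(ln[:3] == "250" and ln[4:].strip().upper() == "STARTTLS"
               for ln in lines)

def plan(ehlo_reply: str, policy: str) -> str:
    """Decide how to hand over a message under a hypothetical policy name."""
    if policy not in ("opportunistic", "strict"):
        raise ValueError(policy)
    if offers_starttls(ehlo_reply):
        return "tls-verified" if policy == "strict" else "tls-unverified"
    return "defer" if policy == "strict" else "plaintext"

def deliver(mx_host, sender, rcpt, message, policy="opportunistic"):
    """Apply the same decision on a live connection (needs network access)."""
    with smtplib.SMTP(mx_host, 25, timeout=30) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            # In strict mode a self-signed or mismatched certificate raises
            # ssl.SSLCertVerificationError here and the message stays queued.
            smtp.starttls(context=tls_context(verify=(policy == "strict")))
            smtp.ehlo()                     # extensions may differ after TLS
        elif policy == "strict":
            raise smtplib.SMTPException("peer offers no STARTTLS; deferring")
        return smtp.sendmail(sender, rcpt, message)

# Constructed EHLO replies (not captured from a real server).
WITH_TLS = "250-mx.example.org\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
WITHOUT_TLS = "250-mx.example.org\r\n250-PIPELINING\r\n250 8BITMIME"

if __name__ == "__main__":
    for reply in (WITH_TLS, WITHOUT_TLS):
        print(plan(reply, "opportunistic"), plan(reply, "strict"))
```

The "defer" and certificate-error outcomes in strict mode are the delivery disruption mentioned in the thread; the "tls-unverified" and "plaintext" outcomes are where opportunistic mode gives up authentication or encryption to keep mail flowing.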