Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: philbrearley on June 26, 2014, 05:11:28 PM
-
I have been requested to implement a forced/required TLS encrypted mail connection between an external server and my client's SME 8.1 server.
I have created a new five year certificate on my client's SME server 8.1.
I believe we use qmail with qpsmtpd but have very little understanding.
Does anyone know what else I may have to do?
Many thanks in advance,
Phil
-
SME server's qpsmtpd instance will offer TLS encryption for in-bound email streams, but I don't see (via google) any obvious way to *force* it.
Perhaps the sending organization could configure an SMTP route at their end that uses smtps on port 465 for email addressed to your domains. (This might require them to configure a 'smart host' with some authentication).
Otherwise, it looks like you'll need to find or write a qpsmtpd plugin to drop unencrypted connections:
If TLS is successfully negotiated then the "tls_enabled" field in the Connection notes is set. If you wish to make TLS mandatory you should check that field and take appropriate action. Note that you can only do that from MAIL FROM onwards.
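An added example of the kind of plugin described in the quoted qpsmtpd text (not code from this reply or from the qpsmtpd project): it hooks MAIL FROM, checks the "tls_enabled" connection note that the stock tls plugin sets, and rejects the command when the session is unencrypted. The plugin argument list (a set of remote IPs to enforce on) and the hook/method names are assumptions; the Qpsmtpd::Plugin accessors used (connection, notes, remote_ip, log, register_hook) are the standard ones.

```perl
# require_tls: a qpsmtpd plugin that refuses MAIL FROM on unencrypted sessions.
# Added illustration, not from the thread or from qpsmtpd itself.
# Assumed plugin arguments: remote IPs that must use TLS; none means everyone.
use strict;
use warnings;

sub register {
    my ($self, $qp, @args) = @_;
    # Remember which peers are required to use TLS (empty hash = all peers).
    $self->{_require_from} = { map { $_ => 1 } @args };
    $self->register_hook('mail', 'require_tls_mail');
}

sub require_tls_mail {
    my ($self, $transaction, $sender) = @_;
    my $conn = $self->connection;

    # The stock 'tls' plugin sets this note once STARTTLS (or smtps) succeeds,
    # which is why the check can only be made from MAIL FROM onwards.
    return DECLINED if $conn->notes('tls_enabled');

    # Enforce only for the listed peers, unless no list was given.
    my $ip = $conn->remote_ip;
    if (%{ $self->{_require_from} } && !$self->{_require_from}{$ip}) {
        return DECLINED;
    }

    $self->log(LOGWARN, "rejecting MAIL FROM <$sender> from $ip: TLS not negotiated");
    # DENY gives a permanent 5xx reply; DENYSOFT (4xx) would let the peer retry
    # after its administrator enables STARTTLS.
    return (DENY, "Encryption required: issue STARTTLS before MAIL FROM");
}
```

Enabling the plugin on SME is a separate step (the plugins list there is template-managed), and any peer not on the list is still accepted unencrypted, so the list should contain exactly the hosts you intend to hold to TLS.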
-
I have been requested to implement a forced/required TLS encrypted mail connection between an external server and my client's SME 8.1 server.
Only the administrators of the external server can ensure that that server uses TLS when it connects to your client's server.
Your client's server already offers TLS on the smtps port (port 465) and on port 25 after the 'STARTTLS' command - the external server can choose to use those features.
-
Thanks for your input guys.
I will update once the external administrator has made the changes at their end and we can send some test mails.
Phil
-
Quick question though: how about the other way around?
Does qpsmtpd use encryption on out-bound email if available?
-
qpsmtpd doesn't handle outbound mail, only inbound. Qmail is responsible for sending. Qmail itself doesn't support TLS AFAIK, but you should be able to achieve what you want with the smtp-auth-proxy. Maybe you'll need to adjust it to force TLS, I'm not sure. See /usr/local/sbin/smtp-auth-proxy.pl
-
Qmail itself doesn't support TLS AFAIK,
It doesn't.
but you should be able to achieve what you want with the smtp-auth-proxy. Maybe you'll need to adjust it to force TLS, I'm not sure.
If you configure SME to use a SmartHost on port 465, TLS will be used. But that is only the first hop (your server to the SmartHost, i.e. your ISP). You have no control over whether TLS will be used for subsequent hops during delivery.
If you want to be sure that end-to-end encryption is used, then you'll need to do the encryption in the sender and recipient mail clients - e.g. using PGP.