iRedMail

SSL/TLS, STARTTLS General


Secure Email Communication in general

Please make sure you understand the difference between SSL, TLS, STARTTLS and an SSL/TLS Socket before configuring your server.

Overview

Protocol     Plain Text   STARTTLS   SSL/TLS Socket   Initiator
SMTP         25           25         *465 (SMTPS)     MTA
Submission   587          587        -                MSA
POP3         110          110        995 (POP3S)      MUA
IMAP         143          143        993 (IMAPS)      MUA

* SMTPS on port 465 was deprecated and, at the time this page was written, shouldn't be used anymore. Note that RFC 8314 (2018) later re-registered port 465 as "submissions", i.e. message submission over an implicit TLS socket, so current MUAs and MSAs do use it again.

Authentication is mandatory for Submission, which uses port 587. You will sometimes see this referred to as SMTP-AUTH or ESMTPA (ESMTP with authentication).

STARTTLS

From Wikipedia: STARTTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.

As an example, here is an SMTP session that is upgraded with STARTTLS:

S: [waits for connection on TCP port 25]
C: [opens connection]
S: 220 mail.example.org ESMTP service ready
C: EHLO client.example.org
S: 250-mail.example.org offers a warm hug of welcome
S: 250 STARTTLS  <-- Server offers STARTTLS
C: STARTTLS  <-- Client asks for STARTTLS
S: 220 Go ahead
C: [starts TLS negotiation]
C & S: [negotiate a TLS session]
C & S: [check result of negotiation]
C: EHLO client.example.org  <-- EHLO is repeated; from here on the channel is encrypted
  . . .

Please note that the communication starts in plain text. After the client asks for STARTTLS, server and client negotiate an SSL/TLS session; once this is done, all further communication is encrypted. Anything the server announced before the upgrade (the EHLO capability list) must be discarded, and the client repeats EHLO inside the encrypted channel, because the plain-text part of the exchange could have been tampered with.

Many protocols support STARTTLS: IMAP, POP3, SMTP, XMPP, LDAP, NNTP, FTP.

SSL/TLS Socket

The TCP connection is SSL/TLS encrypted from the very beginning; no plain-text commands are ever exchanged. Because of this, the server has to listen on a separate, dedicated port for each protocol (465, 995 and 993 in the table above).

SSL/TLS Socket or STARTTLS?

It is often said that STARTTLS is to be preferred over an SSL/TLS Socket connection. In my opinion the SSL/TLS Socket connection is more secure: STARTTLS is vulnerable to man-in-the-middle attacks (STARTTLS stripping). Your mail program could even send your password in clear text over TCP ports 110 and 143 without you being aware of it.

On the other hand, some devices connect without any problems with STARTTLS but do not accept a self-signed certificate on an SSL/TLS Socket connection.
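The following is an added example, not iRedMail code and not part of the original page. It replays the STARTTLS exchange shown above against an in-memory fake SMTP server and demonstrates the stripping attack mentioned in this section: a second fake server plays an attacker that removes STARTTLS from the EHLO reply. A client that merely upgrades "if offered" then sends AUTH PLAIN in the clear, while a client that requires TLS refuses. The hostnames, the FakeSmtpServer class and the credentials are constructed for the example.

```python
"""Scripted SMTP STARTTLS client against a fake, in-memory server (added example)."""
import base64


class SmtpError(Exception):
    pass


class FakeSmtpServer:
    """Minimal scripted SMTP peer. advertise_starttls=False simulates a
    man in the middle that strips STARTTLS from the capability list.
    The fake accepts AUTH on a plain-text connection, as a permissive
    real server (or an attacker relaying to it) would."""

    def __init__(self, advertise_starttls=True):
        self.advertise_starttls = advertise_starttls
        self.tls_active = False          # stands in for a completed TLS handshake
        self.plaintext_auth = False      # set if credentials arrive unencrypted
        self.transcript = []             # (direction, line) pairs

    def greeting(self):
        reply = "220 mail.example.org ESMTP service ready\r\n"
        self.transcript.append(("S", reply.strip()))
        return reply

    def send(self, line):
        """Client -> server. Returns the server's reply as one string."""
        self.transcript.append(("C", line))
        verb = line.split()[0].upper()
        if verb == "EHLO":
            caps = ["250-mail.example.org", "250-PIPELINING"]
            # STARTTLS is only offered on the plain-text connection; AUTH only
            # once the session is encrypted (Postfix-style behaviour).
            if self.tls_active:
                caps.append("250-AUTH PLAIN LOGIN")
            elif self.advertise_starttls:
                caps.append("250-STARTTLS")
            caps.append("250 8BITMIME")
            reply = "\r\n".join(caps) + "\r\n"
        elif verb == "STARTTLS":
            if self.tls_active or not self.advertise_starttls:
                reply = "454 TLS not available\r\n"
            else:
                self.tls_active = True
                reply = "220 Go ahead\r\n"
        elif verb == "AUTH":
            if not self.tls_active:
                self.plaintext_auth = True
            reply = "235 Authentication successful\r\n"
        else:
            reply = "502 Command not implemented\r\n"
        for l in reply.splitlines():
            self.transcript.append(("S", l))
        return reply


def parse_ehlo(reply):
    """Return the set of capability keywords from a multi-line 250 reply.
    The first line carries the server's domain, not a capability."""
    lines = reply.splitlines()
    caps = set()
    for line in lines:
        if not line.startswith("250"):
            raise SmtpError("EHLO rejected: " + line)
    for line in lines[1:]:
        body = line[4:].strip()          # drop '250-' or '250 '
        if body:
            caps.add(body.split()[0].upper())
    return caps


def smtp_login(server, username, password, require_tls=True):
    """Drive the STARTTLS exchange from the page. Returns (tls_used, caps).
    With require_tls=True, credentials are never sent over plain text."""
    if not server.greeting().startswith("220"):
        raise SmtpError("no service greeting")
    caps = parse_ehlo(server.send("EHLO client.example.org"))
    tls_used = False
    if "STARTTLS" in caps:
        reply = server.send("STARTTLS")
        if not reply.startswith("220"):
            raise SmtpError("STARTTLS refused: " + reply.strip())
        tls_used = True
        # Discard everything learned in plain text and repeat EHLO inside TLS.
        caps = parse_ehlo(server.send("EHLO client.example.org"))
    if require_tls and not tls_used:
        raise SmtpError("server did not offer STARTTLS; refusing to send credentials")
    # AUTH PLAIN is just base64("\0user\0pass"): readable by anyone on the wire.
    token = base64.b64encode(("\0%s\0%s" % (username, password)).encode()).decode()
    if not server.send("AUTH PLAIN " + token).startswith("235"):
        raise SmtpError("authentication failed")
    return tls_used, caps


if __name__ == "__main__":
    honest = FakeSmtpServer()
    print(smtp_login(honest, "alice", "secret"))
    for direction, line in honest.transcript:
        print(direction + ": " + line)
```

Run with `require_tls=False` against `FakeSmtpServer(advertise_starttls=False)` to see the failure mode: the client completes AUTH and the fake server records `plaintext_auth = True`. The strict client raises instead, which is what a mail program must do if it is to be safe on ports 25, 110, 143 and 587.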

SSL/TLS Certificate

Both SSL/TLS Socket and STARTTLS need an SSL/TLS certificate, and a single certificate serves all of them. As with HTTPS you can use a self-signed certificate, but you will then get annoying "invalid certificate" warnings in every program. Again, you need only one certificate for your mail hostname and you can use it for SSL/TLS Socket AND STARTTLS in Apache, Postfix, Dovecot, and so on.