Re: [Exim] doing SSL (not TLS) on a certain port

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Robert Evans
Dátum:  
Címzett: exim-users
Tárgy: Re: [Exim] doing SSL (not TLS) on a certain port
I've been looking at several clients with a view to implementing
authenticated email with TLS/SSL to protect the username/password
transmission.

So I can confirm that there are two types of TLS or SSL usage. As Philip
implies, one uses ordinary SMTP to negotiate the connection to
the mail server and than issues STARTTLS. The other encrypts the
entire transaction and expects the server to speak SSL straight away.

It looks to me that the convention is that connections to smtp port 25 can
 .    be unecrypted throughout (obviously)
 .    send EHLO unecrypted and then STARTTLS and then encrypt the rest
while connections on the smtps port 465 are encrypted throughout.


The first type (port 25 + STARTTLS) is used by Netscape 4.x, OE 5.5.
The second type (port 465, encrypted throughout) is used by OE 5.0
(and earlier?).

I'm going to use stunnel (like Marc) to listen on port 465 and make it
execute exim with -bs to deal with the authentication and deliver the mail.
(If you were expecting a large amount of traffic through this route,
having stunnel relay to port 25 might be more efficient).

OE 5.0 is happy talking to this and non SSL-aware clients can also
use it via stunnel on the client machine.

Whether we want Exim to handle smtps (as described above) internally,
I'm not so sure.
I prefer to glue stunnel on the front to deal with it since it
makes it clearer to see what's going on. Also, perhaps OE 5.5
now using the port 25 + STARTTLS method is a sign that smtps
is on its way out.

Robert Evans

>
> On Tue, 6 Feb 2001, Marc MERLIN wrote:
>
> > I still need to use stunnel for listening on the ssmtp port (465/tcp)

and
> > forward connections to exim after doing SSL for it.
> > Would it be possible to have a ssl_listen_on directive which adds a

port
> > exim needs to listen on, but in SSL mode (i.e. no TLS negociation).
>
> I don't understand how you can listen in SSL mode without TLS
> negotiation. How does it know what the cipher or the key is? Or do you
> mean without the STARTTLS command? The client just fires up an SSL
> session without asking? Is this before or after the initial banner is
> output? No doubt there is no document that specifies how this is
> supposed to work.
>
> > Yes, this is used by some clients, netscape 3 and outlook (I'm told)
>
> I'm not keen on adding standard-breaking code for old clients.
> Netscape 3 has been obsolete for quite some time, hasn't it?
>
> -- 
> Philip Hazel            University of Cambridge Computing Service,
> ph10@???      Cambridge, England. Phone: +44 1223 334714.

>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim

details at http://www.exim.org/ ##


--
mailto:Robert.Evans@cs.cf.ac.uk                      Tel:+44(0)29 2087 5518
http://www.cs.cf.ac.uk/People/Robert.Evans.html      Fax:+44(0)29 2087 4598
Dept of Computer Science, Cardiff University, PO Box 916, Cardiff, CF24 3XF


Cardiff University is the public name of the University of Wales, Cardiff,
a constituent institution of the University of Wales.