dusko + mailserver + ssl   23

AUTH Command and its Mechanisms (PLAIN, LOGIN, CRAM-MD5) - SMTP Commands Reference
The AUTH command is an ESMTP command (SMTP service extension) that is used to authenticate the client to the server. The AUTH command sends the client's username and password to the e-mail server. AUTH can be combined with other keywords such as PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5 (e.g. AUTH LOGIN) to choose an authentication mechanism. The authentication mechanism determines how the client logs in and which level of security is used.

Below are the AUTH PLAIN, AUTH LOGIN and AUTH CRAM-MD5 commands/mechanisms described.

In the SMTP communication examples listed below the letters C and S are used to refer to the client and the server (C = Client, S = Server).
smtp  sendmail  mta  ssl  tls  mailserver  sysadmin 
25 days ago by dusko
Why STARTTLS? - The difference between using SMTP with STARTTLS and using SMTP over an SSL/TLS socket
As far as I understand service providers of text protocols (e.g. SMTP, LDAP, etc) can secure their protocol communication in one of two ways:

Method 1: Text protocol over a secure socket

You do **not** need explicit support in your client (being it e-mail, LDAP or whatever) to handle this scenario. You can simply wrap the traffic using an external tool such as stunnel (https://www.stunnel.org/).

Method 2: Text protocol with STARTTLS extension

STARTTLS on the other hand is something else. It is an extension to plain text protocols like SMTP that ‘switches’ the connection to a secure SSL/TLS encrypted channel after the initial handshake, which happens unsecured. The client and the server start out unsecured and if they both support the STARTTLS extension then they can switch to using a secure connection … still on the same socket. This allows the server to serve both secure and unsecured connections on the same listening socket.

Confusingly, STARTTLS doesn’t actually imply use of TLS; it can just as well be SSL which is used for the encryption of the socket.

As this is an extension to the underlying protocol your client application (as well as the server for that matter) needs to explicitly support the STARTTLS extension for this to work. (If e-mail client: must support ‘SMTP with STARTTLS extension’, if LDAP client: must support ‘LDAP with STARTTLS extension’, and so on.)

What is the problem ?

The amount of documentation in e-mail client applications, SMTP servers, LDAP servers, MTAs (sendmail, postfix) that fails to adequately distinguish between these two methods is amazing!!

Which one to use ?

Both setups provide the same level of security, as far as I know. However officially (at least for protocols like SMTP and LDAP) the method (1) is now deprecated in favour of (2).

I kind of like (1) though because it is something that can be applied without concern for the underlying software. Perhaps I’m just old-fashioned. I don’t see the huge and absolutely must-have reason for why the STARTTLS extension was invented. If it was such an important thing to have as part of the text protocol itself then I think the idea would have gone into the HTTP world as well. If the HTTP world could live without it why was it so important to get STARTTLS into SMTP, LDAP, etc.? (Actually the same thing was attempted in the HTTP world via RFC2817 (http://tools.ietf.org/html/rfc2817) but unsurprisingly it has never really been used.)

I have a feeling that I’ve either misunderstood something or missed something?
sendmail  mta  mailserver  smtp  ssl 
6 weeks ago by dusko
OpenBSD Email Server Setup
This Wiki page will walk through the setup of an OpenBSD Email Server. ---- The server will be built with: OpenSMTPD (http://www.opensmtpd.org/), LibreSSL (http://www.libressl.org/), spamd (http://www.openbsd.org/spamd), Dovecot (http://www.dovecot.org/), and DKIMproxy (http://dkimproxy.sourceforge.net/). ---- OpenSMTPD will be configured to: - Receive mail for Local User Accounts, - Receive mail for Virtual Domains, Provide Virtual Domain catch-all aliases for local user accounts, - Use SSL Cert Signed by a Personal Certificate Authority for SMTPS, - Use SSL Cert Signed by a Public Certificate Authority for STARTTLS, - Require STARTTLS for MTA-to-MTA Connections on Port 25, - Send Un-Signed email through dkimproxy_out Before Relay.
mail  mailserver  dovecot  openbsd  mta  bsd  smtp  opensmtpd  email  ssl  dkim 
april 2016 by dusko
Understanding And Troubleshooting Authentication Log Events
IMAP And Authenticated SMTP [SSL] Example ---- IMAP Test Via Telnet And Logging Events Of It - Proxy Included ---- IMAP Login Via Openssl - LOGIN TLS - Proxy Included (Another good example of this is at Access IMAP server from the command line using OpenSSL: http://delog.wordpress.com/2011/05/10/access-imap-server-from-the-command-line-using-openssl/) ---- Updated on Jul 13, 2015.
zimbra  mailserver  mail  email  ssl 
march 2016 by dusko
Simple Troubleshooting For SMTP Via Telnet And Openssl - Zimbra
Testing against port 25, port 465. ---- Updated on Jul 12, 2015.
mailserver  mail  email  zimbra  ssl  smtp  postfix  tls  sendmail 
june 2015 by dusko
Proper SSL Certificates for Postfix and Dovecot
So far you will have received warnings about the SSL certificates you use for Postfix, Dovecot and the RoundCube email web interface. SSL/TLS is a great way to automatically encrypt the passwords between the email user and your mail server. So you want to have proper certificates. There are three ways you can handle your certificate:
mail  sysadmin  mailserver  smtp  email  ssl  imap 
june 2015 by dusko