Hi,
Hope I can find some help in here, in trying to understand how SMTP and TLS security should be set up.
My intention is to set up a simple email server for personal use. I'll set up two machines, in different places, one as the primary MX and the other as a secondary (backup) one.
So for now, a simple test, with a single MX record and a small test server:
1. Set up a mail server, with SMTP listening on port 25;
2. Created a self-signed certificate, and keystore'd it with a password;
3. Set up the SMTP service with the "EnableTLS" and "RequireTLS" settings;
4. Set up my router to deliver port 25 TCP traffic to the test server;
My intentions are to have a personal mail server, where the emails are delivered to 1-2 mailboxes, using TLS for security. That is, I want to be sure the emails are delivered securely on my server (although they might be floating around the web, with no security restrictions).
For the server software I used "Mireka" http://code.google.com/p/mireka/, an open source server written in Java. I enjoyed the simple configuration and the simplicity. Being a Java developer myself, I see the potential to evolve the software to my needs, present and future.
So in my tests, I used telnet, openssl and an external "outlook.com" (hotmail-based?) account, sending mails as described in the following scenarios:
# Scenario-A
Without "RequireTLS" setting from server, sent an email to a test mailbox, with SUCCESS (Expected).
Using telnet to port 25 displayed "250-STARTTLS" after EHLO, but I didn't execute that command, so I assume no encryption was in place for receiving mail.
# Scenario-B
With "RequireTLS" setting on server, sent an email to a test mailbox, with FAILURE (Expected).
Using the same approach telnet to port 25 displayed "250-STARTTLS" after EHLO.
After sending "MAIL TO" I received the "530 Must issue a STARTTLS command first", which means the server requests TLS to proceed, making sure security encryption will be in place for message delivery.
# Scenario-C
With "RequireTLS" setting on server, sent an email to a test mailbox, with SUCCESS (Expected).
Using "openssl s_client -starttls smtp -connect ..." will connect, issue a STARTTLS and complete the proper handshake.
Issuing the required SMTP commands, I was able to send a message, so I assume security encryption was in place, as I want it.
Now for the confusing part ...
# Scenario-D
Sending from an external email service will FAIL (Not Expected)
I went to an "outlook.com" (hotmail-based?) account, and sent emails from there, with "RequireTLS" setting on server.
The mails are returned, and on the server side I can check on the logs that STARTTLS is not called from the client side (some hotmail sender), so a "530 Must issue a STARTTLS command first" is returned and the connection refused.
If I remove "RequireTLS" setting, the emails are delivered, but no STARTTLS is called, hence no security encryption is applied.
So I'm a bit confused as how this should be setup to work:
1. Shouldn't STARTTLS be issued when it is available, or at least when a "530" is returned requesting a STARTTLS?
2. The MX record is defined, and I have port 25 configured for external access. This port is used as it is the default port for MX entries, but should I set port 465 instead (deactivating 25) so that external connections will know and force SSL/TLS?
Any help appreciated, any tips are welcomed.
Thanks.
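The STARTTLS exchange the scenarios above go through (EHLO, "250-STARTTLS", STARTTLS, and the "530 Must issue a STARTTLS command first" refusal), as an added worked example that is not part of the original post and is not Mireka's code. A scripted MX that behaves like the post's "RequireTLS" server is driven by two kinds of sender: one that upgrades to TLS whenever the server offers it (Scenario C) and one that never issues STARTTLS and so gets bounced (Scenario D). The hostnames, addresses and the exact reply texts are assumptions made for the example; `probe_mx` runs the same client logic against a real server with the standard library and is meant only for checking one's own MX, since it disables certificate verification to cope with a self-signed certificate.

```python
"""Simulated SMTP STARTTLS exchange (constructed example, not code from the
post or from Mireka): an MX that enforces "RequireTLS", talked to by a
sender that uses STARTTLS opportunistically and by one that never does.
Hostnames and addresses below are made up."""
import smtplib
import ssl


def parse_reply(raw):
    """Split a (possibly multi-line) SMTP reply into (code, [text lines]).
    Continuation lines look like '250-text', the final line '250 text'."""
    lines = [line for line in raw.split("\r\n") if line]
    return int(lines[-1][:3]), [line[4:] for line in lines]


def advertised_extensions(ehlo_lines):
    """First EHLO line is the greeting; the rest are extension keywords,
    which is where a client learns that STARTTLS is on offer."""
    return {line.split()[0].upper() for line in ehlo_lines[1:]}


class RequireTlsMx:
    """Scripted receiving MX: advertises STARTTLS and, with require_tls set,
    refuses MAIL/RCPT with 530 until the session has been upgraded."""

    def __init__(self, require_tls=True):
        self.require_tls = require_tls
        self.tls = False

    def banner(self):
        return "220 mx.example.test ESMTP\r\n"  # hostname is an assumption

    def handle(self, command):
        verb = command.split()[0].upper()
        if verb == "EHLO":
            return "250-mx.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
        if verb == "STARTTLS":
            self.tls = True  # a real server performs the TLS handshake here
            return "220 Ready to start TLS\r\n"
        if verb in ("MAIL", "RCPT"):
            if self.require_tls and not self.tls:
                return "530 Must issue a STARTTLS command first\r\n"
            return "250 OK\r\n"
        if verb == "QUIT":
            return "221 Bye\r\n"
        return "502 Command not implemented\r\n"


def send_envelope(mx, use_starttls):
    """One delivery attempt by a sending MTA.
    Returns (tls_used, code answered to MAIL FROM, session transcript)."""
    transcript = [("S", mx.banner().strip())]

    def cmd(line):
        reply = mx.handle(line)
        transcript.append(("C", line))
        transcript.append(("S", reply.strip()))
        return parse_reply(reply)

    tls_used = False
    code, lines = cmd("EHLO sender.example.test")
    # Opportunistic TLS: upgrade only when the server offered it. A sender
    # that skips this step is the case that gets bounced below.
    if use_starttls and "STARTTLS" in advertised_extensions(lines):
        code, _ = cmd("STARTTLS")
        if code == 220:
            tls_used = True
            cmd("EHLO sender.example.test")  # RFC 3207: EHLO again after TLS
    mail_code, _ = cmd("MAIL FROM:<alice@sender.example.test>")
    if mail_code == 530:
        # No MTA retries "with STARTTLS" after a 530; the message bounces.
        cmd("QUIT")
        return tls_used, mail_code, transcript
    cmd("RCPT TO:<bob@mx.example.test>")
    cmd("QUIT")
    return tls_used, mail_code, transcript


def probe_mx(host, port=25, timeout=10):
    """Same client logic against a real MX with the standard library: report
    whether STARTTLS is offered and which TLS version/cipher was negotiated.
    Verification is off because the post's certificate is self-signed; never
    do that in a client that delivers real mail."""
    with smtplib.SMTP(host, port, timeout=timeout) as session:
        session.ehlo()
        if not session.has_extn("starttls"):
            return {"starttls": False}
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        session.starttls(context=context)
        session.ehlo()
        return {"starttls": True, "tls_version": session.sock.version(),
                "cipher": session.sock.cipher()[0]}


if __name__ == "__main__":
    for label, opportunistic in (("STARTTLS-capable sender", True),
                                 ("plaintext-only sender", False)):
        tls_used, code, _ = send_envelope(RequireTlsMx(), opportunistic)
        print(f"{label}: tls_used={tls_used}, MAIL FROM answered {code}")
```

Run as a script it prints the two outcomes; `probe_mx("your.mx.host")` against a live server shows what an external sender sees after EHLO, which is the same information `openssl s_client -starttls smtp` gives, minus the certificate dump.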