Dear all, I am trying to understand the SSL/TLS settings in Courier better so I can make informed changes.
This is what I found out so far - please tell me if I was making wrong assumptions; also there are a few things which are unclear to me:

courierd:
- looks to me to be part of the "output" modules, submitting mails to the right place - e.g. maildir but also to other SMTP servers. (?)
  * TLS settings in courierd are for setting how courierd acts as a TLS client?
  * TLS_PROTOCOL sets the protocol for STARTTLS?
  * does courierd do any delivery to SSL ports - if yes, does it just use the same settings for STARTTLS?

esmtpd:
- input module, SMTP server without SSL - STARTTLS is enabled as an "encryption upgrade" after plaintext connection
  * TLS_PROTOCOL sets the protocol for STARTTLS?

esmtpd-ssl:
- input module, SMTP server with SSL
  * ESMTPDSSLSTART defines whether this daemon starts at all (port 465)
  * ESMTPDSTARTTLS defines whether we allow STARTTLS or not - that doesn't make sense to me, when this daemon is SSL-enabled already on connect. Is this setting meant for the plain-text esmtpd on port 25?
  * TLS_PROTOCOL sets the protocol for SSL encryption on connection?
  * TLS_STARTTLS_PROTOCOL sets the protocol for STARTTLS - again, that only makes sense on the regular esmtpd

esmtpd-msa:
- input module, separate SMTP server
  * has no TLS settings at all but offers STARTTLS - so it seems to act like regular esmtpd - but where does it get that setting?

imapd/imapd-ssl and pop3d/pop3d-ssl seem to be the same way as esmtpd-msa and esmtpd-ssl: no TLS settings in the regular config file but STARTTLS active. The SSL config file holds both regular SSL and STARTTLS settings.

Two more general questions:

1) SSL3 + TLS
  * STARTTLS, I assume, supports only TLS1+ - no SSL3, is that correct?
  * can we assume that a client which issues STARTTLS doesn't try to use SSL3?
  * is there a way to set the TLS_PROTOCOL for *-ssl to allow both SSL3 and TLS1, but no SSL2?
Currently I use TLS_PROTOCOL=TLS1 and a set of ciphers which are meant for both SSL3 and TLS1, because I want to offer at least some backwards compatibility. TLS1 works fine both on *-ssl and regular with STARTTLS (testing with openssl s_client). SSL3 doesn't work at all:

  #> openssl s_client -connect mail.wikimedia.ch:465 -ssl3
  CONNECTED(00000003)
  3074463368:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
  3074463368:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

The ciphers I use are the same I use for the webserver, which I have tested thoroughly:

  #> openssl s_client -connect wikimedia.ch:443 -ssl3
  CONNECTED(00000003)
  depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
  [...]
  ---
  SSL handshake has read 3935 bytes and written 367 bytes
  ---
  New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
  Server public key is 2048 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : SSLv3
      Cipher    : DHE-RSA-AES256-SHA
  [...]

SSLProtocol is "ALL -SSLv2"

2) STARTTLS vs. SSL-enabled daemons
Is there a best practice or similar whether I should run an *-ssl daemon or only use the regular daemon with STARTTLS?
  * supposedly I could force my users to encryption by NOT running any non-ssl daemons, but I guess I would get into trouble doing so
  * using STARTTLS only seems to be convenient because it saves me from running another set of daemons and people wouldn't have to worry about port settings etc.

Thanks for your inputs!

Best regards,
Manuel

--
Wikimedia CH - Verein zur Förderung Freien Wissens
Lausanne, +41 (21) 34066-22 - www.wikimedia.ch
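The post above tests each daemon by hand with openssl s_client and reads the result off the screen. As an added example (not part of Manuel's post and not Courier's own tooling), the script below wraps the same kind of probe so that the implicit-TLS port (465/993/995) and the STARTTLS path (25/587/143/110, via the real `-starttls smtp|imap|pop3` option of s_client) can be compared for each protocol version with one command per combination. The function names `probe_mail_tls` and `summarize_s_client` are this example's own. `summarize_s_client` only parses s_client output, so it is exercised below on constructed text modelled on the two transcripts in the post; `probe_mail_tls` needs network access and is not run here. Note that `-ssl3` is only accepted by OpenSSL builds that still include SSLv3 support, and that s_client prints an SSL-Session block with `Cipher : 0000` on a failed handshake, which is why the parser checks the cipher rather than just the presence of the block.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post or from Courier.
# summarize_s_client: read `openssl s_client` output on stdin and print one line:
#   "ok PROTOCOL CIPHER"   - handshake completed with that protocol/cipher
#   "fail alert N"         - server sent TLS alert N (40 = handshake_failure)
#   "fail unknown"         - no session and no alert number found
summarize_s_client() {
    out=$(cat)
    # "Protocol : SSLv3" / "Cipher : DHE-RSA-AES256-SHA" live in the SSL-Session block.
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    # The alert number is the last field of the SSL3_READ_BYTES error line.
    alert=$(printf '%s\n' "$out" | sed -n 's/.*SSL alert number \([0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ] && [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
        printf 'ok %s %s\n' "$proto" "$cipher"
    elif [ -n "$alert" ]; then
        printf 'fail alert %s\n' "$alert"
    else
        printf 'fail unknown\n'
    fi
}

# probe_mail_tls HOST PORT PROTOFLAG [STARTTLS-PROTO]
#   PROTOFLAG is an s_client version flag such as -ssl3, -tls1, -tls1_2.
#   With a fourth argument (smtp, imap or pop3) the connection starts in
#   plaintext and is upgraded with STARTTLS; without it TLS is used on connect.
# Not run in this file: it needs a reachable mail server.
probe_mail_tls() {
    host=$1; port=$2; protoflag=$3; starttls=$4
    if [ -n "$starttls" ]; then
        openssl s_client -connect "$host:$port" "$protoflag" -starttls "$starttls" </dev/null 2>&1 \
            | summarize_s_client
    else
        openssl s_client -connect "$host:$port" "$protoflag" </dev/null 2>&1 \
            | summarize_s_client
    fi
}

# Constructed sample output (modelled on the two transcripts in the post) so the
# parser can be exercised offline.
sample_success='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA'

sample_failure='CONNECTED(00000003)
3074463368:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

printf '%s\n' "$sample_success" | summarize_s_client   # ok SSLv3 DHE-RSA-AES256-SHA
printf '%s\n' "$sample_failure" | summarize_s_client   # fail alert 40

# Typical live use (commented out, needs network):
# for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
#     printf '465 %-8s ' "$flag"; probe_mail_tls mail.example.org 465 "$flag"
#     printf '25  %-8s ' "$flag"; probe_mail_tls mail.example.org 25  "$flag" smtp
# done
```

Running the loop at the bottom for each port and version flag gives a small matrix of which protocol versions each Courier daemon actually negotiates, which is the quickest way to see whether a TLS_PROTOCOL or TLS_STARTTLS_PROTOCOL change had the intended effect on the *-ssl daemon, the STARTTLS path, or both.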