Manuel Schneider writes:

Dear all,

I am trying to understand the SSL/TLS settings in Courier better so I
can make informed changes.

This is what I found out so far - please tell me if I was making wrong
assumptions, also there are a few things which are unclear to me:

courierd:
- looks to me to be part of the "output" modules, submitting mails to
the right place - e.g. maildir but also to other SMTP servers. (?)

* TLS settings in courierd are for setting how courierd acts as a TLS
client?

Yes, namely ESMTP client.

* TLS_PROTOCOL sets the protocol for STARTTLS?
* does courierd do any delivery to SSL ports - if yes, does it just use
the same settings for STARTTLS?

Yes, if configured manually to do so, via esmtproutes.


esmtpd:
- input module, SMTP server without SSL - STARTTLS is enabled as an
"encryption upgrade" after plaintext connection
* TLS_PROTOCOL sets the protocol for STARTTLS?

Right.

esmtpd-ssl:
- input module, SMTP server with SSL
* ESMTPDSSLSTART defines whether this daemon starts at all (port 465)

If the stock startup scripts are used.

* ESMTPDSTARTTLS defines whether we allow STARTTLS or not - that doesn't
make sense to me, when this daemon is SSL-enabled already on connect. Is
this setting meant for the plain-text esmtpd on port 25?

I do not see such setting anywhere.

* TLS_PROTOCOL sets the protocol for SSL encryption on connection?
* TLS_STARTTLS_PROTOCOL sets the protocol for STARTTLS - again, that
only makes sense on the regular esmtpd

Right.

esmtpd-msa:
- input module, separate SMTP server
* has no TLS settings at all but offers STARTTLS - so it seems to act
like regular esmtpd - but where does it get that setting?

If you look at the startup script, the esmtpd-msa startup script reads the esmtpd configuration file, followed by the esmtpd-msa configuration file.

Two more general questions:

1) SSL3 + TLS
* STARTTLS, I assume supports only TLS1+ - no SSL3, is that correct?
* can we assume that a client which issues STARTTLS doesn't try to use SSL3?
* is there a way to set the TLS_PROTOCOL for *-ssl to allow both SSL3
and TLS1, but no SSL2?

All of that depends on the protocol setting, and whether Courier is built against OpenSSL or GnuTLS. TLS_PROTOCOL is used with OpenSSL only; and it looks like SSL23 also includes TLS1.

With GnuTLS, the selected protocol is controlled by the TLS_PRIORITY setting. GnuTLS's documentation that is applicable here is http://manpages.courier-mta.org/htmlman3/gnutls_priority_init.3.html
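As an added example that is not part of this thread or of Courier's own startup scripts, the following shell script mimics the read order described above (esmtpd first, then esmtpd-msa) to show which TLS setting each daemon ends up with, and then checks the protocol actually negotiated with openssl s_client. The configuration directory, the file contents and the values are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not Courier's own code. CONF_DIR and the three files below are
# constructed; a real installation keeps them under its own sysconf directory.
CONF_DIR=$(mktemp -d)
trap 'rm -rf "$CONF_DIR"' EXIT

cat > "$CONF_DIR/esmtpd" <<'EOF'
ESMTPDSTART=YES
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
EOF
cat > "$CONF_DIR/esmtpd-msa" <<'EOF'
ESMTPDSTART=YES
PORT=587
EOF
cat > "$CONF_DIR/esmtpd-ssl" <<'EOF'
ESMTPDSSLSTART=YES
TLS_PROTOCOL=SSL23
EOF

# effective_setting DAEMON VAR: print VAR as DAEMON's startup script would see it.
# esmtpd-msa reads the esmtpd file first and then its own, so a value in
# esmtpd-msa overrides esmtpd; esmtpd-ssl reads only its own file.
effective_setting() {
  daemon=$1; var=$2; value=""
  case "$daemon" in
    esmtpd)     files="esmtpd" ;;
    esmtpd-msa) files="esmtpd esmtpd-msa" ;;
    esmtpd-ssl) files="esmtpd-ssl" ;;
    *) echo "unknown daemon: $daemon" >&2; return 1 ;;
  esac
  for f in $files; do
    # the last assignment in a file wins, as it would when the file is sourced
    v=$(sed -n "s/^$var=//p" "$CONF_DIR/$f" | tail -n 1 | tr -d '"')
    if [ -n "$v" ]; then value=$v; fi
  done
  printf '%s\n' "$value"
}

# verify_protocol HOST PORT [starttls]: print the protocol version your server
# actually negotiates. Use "starttls" for port 25/587, omit it for port 465.
verify_protocol() {
  host=$1; port=$2; mode=$3
  if [ "$mode" = starttls ]; then
    openssl s_client -connect "$host:$port" -starttls smtp </dev/null 2>/dev/null
  else
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null
  fi | sed -n 's/^ *Protocol *: *//p'
}
```

Run `effective_setting esmtpd-msa TLS_PROTOCOL` to see the setting inherited from esmtpd, and `verify_protocol mail.example.org 465` or `verify_protocol mail.example.org 587 starttls` to confirm what the live daemon negotiates.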


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
