On 1/25/2010 7:56 AM, Jelle de Jong wrote:
> Does somebody know the differences between using SSL over port 465 and
> TLS over port 25 in the settings for the Debian icedove MUA? (I want
> to make postfix use port 465 for its smtp auth mailrelaying)

There's some overlap of terms here -- it's understandable to be confused.

First, SSL vs. TLS can refer to the encryption standard. SSL is the name first used for https: web encryption. As the protocol matured and became a standard, it was renamed to TLS.

Secondly, SSL vs. TLS can refer to *when* the encryption takes place. The older SSL was commonly (at first, only) used as a "wrapper"; the encrypted tunnel was established before any other communication took place, and the communications were wrapped in the encryption protocol. Newer TLS allows a standard connection to be made first, after which an encrypted tunnel can be requested. This allows both encrypted and non-encrypted traffic to co-exist on the same port.

With email, SSL usually refers to wrapper mode SSL over port 465 -- negotiate the encrypted connection before sending any data. This was never a standard protocol, and has been deprecated for many years. And even though it's called SSL it commonly uses the newer TLS encryption.

So most mail clients expect wrapper mode when you click the "SSL" box, but will have a separate "TLS" or "encrypt this connection" box to enable standard STARTTLS support. It doesn't help that everyone seems to call it something different.

Some older mail programs only support wrapper mode SSL, so the postfix smtpd server can receive mail from such clients with the "-o smtpd_tls_wrappermode=yes" option in master.cf on a dedicated port, commonly 465. The postfix default master.cf includes a commented-out entry for this.
http://www.postfix.org/TLS_README.html#server_enable

The postfix smtp client does not support sending mail using the deprecated wrapper mode. If postfix must send mail to an antique server that only supports wrapper mode, you can use stunnel to create a wrapper. An example is in the documentation:
http://www.postfix.org/TLS_README.html#client_smtps

TLS over port 25 or 587 establishes a normal SMTP connection and then issues the STARTTLS command (usually as the first command sent) to establish encryption. This is fully supported by postfix, and by virtually all other modern mail software. And even though it's called TLS, clients are still allowed to use older SSL encryption.
Documentation here:  http://www.postfix.org/TLS_README.html

  -- Noel Jones
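
The two modes described above differ in what the server does first: a STARTTLS-style port (25/587) greets in cleartext with a 220 banner and then advertises STARTTLS in its EHLO reply, while a wrapper-mode port (465) says nothing until it sees a TLS ClientHello. That is also why a client with the wrong box ticked simply hangs, each side waiting for the other. The probe below is an added example for this thread, not Postfix code and not from either poster; it connects, waits for a cleartext banner, and falls back to a TLS handshake if none arrives. The `_fake_server` helper and its canned `*_SCRIPT` replies are constructed stand-ins so the script runs offline; a fully verified "wrapper" result can only be obtained against a real server with a trustworthy certificate, which the offline fake cannot provide.

```python
"""Probe an SMTP port to tell wrapper-mode TLS ("SMTPS", port 465) from
STARTTLS (port 25/587) by watching what the server does first.
Added example for this thread; not Postfix code."""
import socket
import ssl
import threading


def read_reply(sock, timeout):
    """Read one complete SMTP reply in cleartext; return '' if nothing
    arrives before `timeout`. Multi-line replies continue with 'NNN-' and
    finish with an 'NNN ' line, which is what the loop watches for."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:            # peer closed
                break
            buf += chunk
            lines = buf.split(b"\r\n")
            if len(lines) >= 2 and lines[-2][3:4] == b" ":
                break                # final line of the reply seen
    except socket.timeout:
        pass
    return buf.decode("ascii", "replace")


def probe(host, port, timeout=3.0, tls_context=None):
    """Classify what host:port speaks.

    'starttls'           cleartext 220 banner, EHLO advertises STARTTLS
    'plaintext-only'     cleartext 220 banner, no STARTTLS offered
    'wrapper'            silence, then a 220 banner inside a TLS session
    'wrapper-unverified' silence, but the TLS handshake failed (e.g. an
                         untrusted certificate); still not a STARTTLS port
    """
    ctx = tls_context or ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = read_reply(sock, timeout)
        if banner.startswith("220"):
            # A cleartext greeting means a STARTTLS-style port; ask what it offers.
            sock.sendall(b"EHLO probe.example\r\n")
            ehlo = read_reply(sock, timeout)
            offered = any(line[4:].upper().startswith("STARTTLS")
                          for line in ehlo.splitlines())
            sock.sendall(b"QUIT\r\n")
            return {"mode": "starttls" if offered else "plaintext-only",
                    "banner": banner.strip()}
        # Silence: the server is waiting for our ClientHello (wrapper mode).
        # Caveat: a greet delay longer than `timeout` (postscreen's pregreet
        # test, for instance) looks the same, so use a generous timeout on real hosts.
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except OSError as exc:       # ssl.SSLError is an OSError too
            return {"mode": "wrapper-unverified", "banner": "", "error": str(exc)}
        with tls:
            banner = read_reply(tls, timeout)
            tls.sendall(b"QUIT\r\n")
        return {"mode": "wrapper" if banner.startswith("220") else "unknown",
                "banner": banner.strip()}


# --- constructed test doubles so the probe can be exercised offline --------
STARTTLS_SCRIPT = [b"220 fake.example ESMTP\r\n",
                   b"250-fake.example\r\n250-STARTTLS\r\n250 8BITMIME\r\n"]
PLAIN_SCRIPT = [b"220 fake.example ESMTP\r\n",
                b"250-fake.example\r\n250 8BITMIME\r\n"]
WRAPPER_SCRIPT = []   # says nothing in cleartext, like a port-465 listener


def _fake_server(script):
    """One-shot fake SMTP listener on 127.0.0.1; returns its port.
    It sends each scripted reply, then waits for the client's next command.
    With an empty script it only absorbs the ClientHello and closes, enough
    to exercise the 'no cleartext banner' path (a real wrapper-mode server
    would complete the handshake and greet inside TLS instead)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(5)
            try:
                for reply in script:
                    conn.sendall(reply)
                    conn.recv(4096)      # EHLO, QUIT, ...
                if not script:
                    conn.recv(4096)      # the client's ClientHello
            except OSError:
                pass

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:               # probe a real server: host port
        print(probe(sys.argv[1], int(sys.argv[2]), timeout=10.0))
    else:                                # offline demo against the fakes
        for name, script in [("587-style", STARTTLS_SCRIPT),
                             ("plain", PLAIN_SCRIPT), ("465-style", WRAPPER_SCRIPT)]:
            print(name, probe("127.0.0.1", _fake_server(script), timeout=1.0))
```

Run it with a host and port (`python3 probe.py mail.example.com 465`, hostname assumed) to check a real relay before choosing the "SSL" or "TLS" setting in the client; the manual equivalent is `openssl s_client -connect host:465` for wrapper mode versus `openssl s_client -starttls smtp -connect host:587` for STARTTLS. Two things have changed since this 2010 reply: Postfix 3.0 added `smtp_tls_wrappermode` to its SMTP client, so the stunnel workaround is no longer needed for outbound SMTPS, and RFC 8314 (2018) made implicit TLS on port 465 the recommended submission setup rather than a deprecated one.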
