I should have said essentially the same. I was trying to keep it simple,
not to misinform. At the time TLS was being standardized, there were
issues with RSA being under patent, DES which was never considered
secure, and 512 key lengths which really shouldn't be used nowadays.
OTOH the really long ones are too slow. And, as you mentioned, with TLS
the hosts attempt to find common ground before going into an encrypted
connection. I don't know about the port thing. SSL on port 25 works fine.
Eric "Shubes" wrote:
> Ben Mills wrote:
>> TLS is SSL.
Sorta kinda. ;) They're both encrypted connections, but they're just a tad
different in the way they're initiated. In simple terms, with SSL a
dedicated port is used strictly for encrypted communications, and all
traffic on the port is encrypted. With TLS, a 'normal' port can be used,
because a session begins unencrypted, each end negotiates an encrypted
session (STARTTLS), and communication continues encrypted from that point
on. At least that's my understanding.
By default your toaster should attempt attempt an encrypted
connection every time it connects to a foreign host.
That's good to know. I'd like to verify this some time. It'd be nice if
there was a log message for encrypted smtp connections so it'd be easy to
tell what's encrypted and what isn't.
I believe I can setup some verbose logging which will prove, at least on
this server, that it does attempt TLS.
To go further, you
may wish to use SSL between your server and its clients.
This is highly recommended, as otherwise the user's passwords are sent in
the clear.
POP3 SSL (port
995) is ready to go with the default build of toaster.
Works nicely. TLS does not work with pop3 at this time, but hopefully will
in the future.
But you need to
build a port 465 (smtp SSL) daemon, but its neither a daunting nor
difficult task.
This is not recommended. smtps port 465 (smtp over SSL) is deprecated, and
should only be used if absolutely necessary (a client cannot support TLS).
Use TLS instead.
I prefer port 465 and SSL for certain security related reasons. Mainly
because I have some users who can't seem to grasp the importance of
setting up their mail software correctly on 587.
A signed ssl certificate is pretty much required,
otherwise the client software will have a fit.
It's definitely simplest to have a certificate signed by a registered CA.
It's possible to self-sign a certificate for private use, but that's a
little beyond our scope here.
Anybody, correct me if I'm wrong. But that's about all there is to it.
As a geometry professor of mine once said, "if you understand it it's
trivial, if you don't it's not". ;)
We must have had the same teacher. In my case, everything is anything
but trivial. How's that for twisted logic? :)
Ben
Ben
Dan Herbon wrote:
Hello,
My company wants to establish Encrypted email for sensitive emails. I
found a company in which several banks use that offer Email
Encryption. I spoke with their tech guys and they said basically I
relay all email that leaves the server through their servers via “TLS
Encryption.” Has anyone out there in the toaster land had to do
anything like this with their toaster server? Please let me know if
you have any information. A lot of documents out there on TLS are a
little confusing.
---------------------------------------------------------------------
QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]