Re: Fix descriptions of smtps vs smtp+tls in smtpd.conf.5
On Thu, October 25, 2018 2:24 am, Raf Czlonka wrote:
> On Thu, Oct 25, 2018 at 07:11:47AM BST, Gilles Chehade wrote:
>>
>> smtpd will _always_ display a 'starttls' log line when the TLS channel
>> starts, disregarding if TLS was started at connect time (smtps) or within
>> the protocol (smtp+tls, or even smtp since it does opportunistic tls).
>>
>
> I guess this is the confusing bit - seeing 'starttls' in the log
> file and thinking 'STARTTLS', i.e. the "TLS upgrade".
>
> R.
>

Yes, I mistakenly assumed that where it didn't log "starttls" it wasn't
using STARTTLS and therefore using TLS, and where it did log "starttls"
meant it was using STARTTLS. Silly me. :P

Unfortunately I also didn't know which my ISP was actually using since
before, with secure://, it would try both and always sent mail. I should
have figured out what I was dealing with first.
Re: Fix descriptions of smtps vs smtp+tls in smtpd.conf.5
On Thu, Oct 25, 2018 at 07:24:33AM +0100, Raf Czlonka wrote:
> On Thu, Oct 25, 2018 at 07:11:47AM BST, Gilles Chehade wrote:
> >
> > smtpd will _always_ display a 'starttls' log line when the TLS channel
> > starts, disregarding if TLS was started at connect time (smtps) or within
> > the protocol (smtp+tls, or even smtp since it does opportunistic tls).
> >
>
> I guess this is the confusing bit - seeing 'starttls' in the log
> file and thinking 'STARTTLS', i.e. the "TLS upgrade".
>

yes, maybe it should just display 'tls' instead of 'starttls'

-- 
Gilles Chehade
https://www.poolp.org  @poolpOrg
Re: Fix descriptions of smtps vs smtp+tls in smtpd.conf.5
On Thu, Oct 25, 2018 at 07:11:47AM BST, Gilles Chehade wrote:
>
> smtpd will _always_ display a 'starttls' log line when the TLS channel starts,
> disregarding if TLS was started at connect time (smtps) or within the protocol
> (smtp+tls, or even smtp since it does opportunistic tls).
>

I guess this is the confusing bit - seeing 'starttls' in the log
file and thinking 'STARTTLS', i.e. the "TLS upgrade".

R.
Re: Fix descriptions of smtps vs smtp+tls in smtpd.conf.5
On Mon, Oct 22, 2018 at 08:37:25PM -0400, trondd wrote:
> Unless I'm confused, it seems the description of the smarthosts smtps and
> smtp+tls are reversed in the smtpd.conf man page.
>

You are confused ;-)

> My log seemed to back this up. When using smtp+tls, which the man page said
> uses STARTTLS but seems to actually use TLS which my ISP does not:
>
> Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connecting address=smtp+tls://68.87.20.6:465 host=omta-ch2.sys.comcast.net
> Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connected
> Oct 21 21:43:59 ember smtpd[41596]: ca9dba5e7f80e6ca mta error reason=Connection closed unexpectedly
>

You are mistaking smtps and smtp+tls:

In an smtps session, the TLS negotiation takes place during the connection so
client and server are already in a secure channel when the SMTP session gets
started.

In an smtp+tls session, the TLS negotiation takes place after the session has
started in plaintext through the use of the STARTTLS SMTP extension.

In your example here, you are using smtp+tls on a host that expects smtps so
the TLS negotiation can't play out and you're kicked out.

> And with smtps, which the man page said uses TLS, logs show STARTTLS:
>
> Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connecting address=smtps://68.87.20.6:465 host=omta-ch2.sys.comcast.net
> Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connected
> Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
> Oct 21 22:02:06 ember smtpd[66745]: smtp-out: Server certificate verification succeeded on session a9193b70dbc40df0
>

TLS and STARTTLS are essentially the same as far as you're concerned.

smtpd will _always_ display a 'starttls' log line when the TLS channel starts,
disregarding if TLS was started at connect time (smtps) or within the protocol
(smtp+tls, or even smtp since it does opportunistic tls).

The only issue here is that you attempted to connect in plaintext then upgrade
a session on a host that didn't speak plaintext and expected sessions to speak
TLS from the start.

-- 
Gilles Chehade
https://www.poolp.org  @poolpOrg
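As an added example (not code from the thread or from OpenSMTPD), a small Python parser that groups the posted 'mta' log lines by session id and reads them the way Gilles describes: the scheme comes from the 'connecting' line, the 'starttls' line only marks the TLS channel coming up in either mode, and the error line is what tells you the peer wanted something else. The sample lines are the two sessions posted in the thread; the 16-hex-digit session id width and the verdict wording are assumptions.

```python
import re

# The two sessions posted in the thread (copied, not constructed): an smtp+tls
# attempt that is closed, and an smtps attempt that comes up with TLS on the same port.
SAMPLE_LOG = """\
Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connecting address=smtp+tls://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connected
Oct 21 21:43:59 ember smtpd[41596]: ca9dba5e7f80e6ca mta error reason=Connection closed unexpectedly
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connecting address=smtps://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connected
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Oct 21 22:02:06 ember smtpd[66745]: smtp-out: Server certificate verification succeeded on session a9193b70dbc40df0
"""

MTA_RE = re.compile(r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta (?P<event>\w+)(?: (?P<rest>.*))?$")
CERT_RE = re.compile(r"Server certificate verification (?P<result>\w+) on session (?P<sid>[0-9a-f]{16})")
ADDR_RE = re.compile(r"address=(?P<scheme>[a-z+]+)://")
# How each smarthost scheme brings TLS up (smtpd.conf.5 wording as explained in the thread).
TLS_MODE = {"smtps": "TLS at connect time", "smtp+tls": "mandatory STARTTLS",
            "smtp": "opportunistic STARTTLS", "smtp+notls": "no TLS"}

def summarize_sessions(log_text):
    """Group mta lines by session id: scheme, whether the TLS channel came up, outcome."""
    sessions = {}
    for line in log_text.splitlines():
        m = MTA_RE.search(line)
        if m:
            s = sessions.setdefault(m["sid"], {"scheme": None, "tls": False, "error": None, "cert": None})
            rest = m["rest"] or ""
            if m["event"] == "connecting":
                a = ADDR_RE.search(rest)
                s["scheme"] = a["scheme"] if a else None
            elif m["event"] == "starttls":
                # Logged for smtps as well: it marks the channel coming up, not the STARTTLS command.
                s["tls"] = True
            elif m["event"] == "error":
                s["error"] = rest[len("reason="):] if rest.startswith("reason=") else rest
            continue
        c = CERT_RE.search(line)
        if c and c["sid"] in sessions:
            sessions[c["sid"]]["cert"] = c["result"]
    return sessions

def verdict(s):
    """Read a session without equating the 'starttls' line with the STARTTLS extension."""
    mode = TLS_MODE.get(s["scheme"], "unknown scheme")
    if s["tls"]:
        return f"{s['scheme']}: TLS channel up via {mode}; certificate verification {s['cert'] or 'not logged'}"
    return (f"{s['scheme']}: no TLS channel ({mode}); {s['error'] or 'no error logged'}; "
            "if the peer closed the session it may require TLS at connect time (smtps)")
```

Running `verdict` over `summarize_sessions(SAMPLE_LOG)` labels the smtps session as TLS at connect time with verification succeeded, and the smtp+tls session as closed with no TLS channel.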
Fix descriptions of smtps vs smtp+tls in smtpd.conf.5
Unless I'm confused, it seems the description of the smarthosts smtps and
smtp+tls are reversed in the smtpd.conf man page.

My log seemed to back this up. When using smtp+tls, which the man page said
uses STARTTLS but seems to actually use TLS which my ISP does not:

Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connecting address=smtp+tls://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connected
Oct 21 21:43:59 ember smtpd[41596]: ca9dba5e7f80e6ca mta error reason=Connection closed unexpectedly

And with smtps, which the man page said uses TLS, logs show STARTTLS:

Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connecting address=smtps://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connected
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Oct 21 22:02:06 ember smtpd[66745]: smtp-out: Server certificate verification succeeded on session a9193b70dbc40df0

A diff to swap the descriptions and reorder to group STARTTLS and TLS
smarthosts together.

Tim.

Index: smtpd.conf.5
===
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.206
diff -u -p -r1.206 smtpd.conf.5
--- smtpd.conf.58 Oct 2018 06:10:17 - 1.206
+++ smtpd.conf.522 Oct 2018 23:52:25 -
@@ -244,14 +244,14 @@ The following protocols are available:
 .It smtp
 Normal SMTP session with opportunistic STARTTLS (the default).
-.It smtp+tls
+.It smtps
 Normal SMTP session with mandatory STARTTLS.
+.It smtp+tls
+SMTP session with forced TLS on connection.
 .It smtp+notls
 Plain text SMTP session without TLS.
 .It lmtp
 LMTP session.
-.It smtps
-SMTP session with forced TLS on connection.
 .El
 .Pp
 The
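Review bot: the swap in this hunk inverts the two definitions and should be dropped; the unchanged text is correct. smtps is TLS negotiated at connect time, which is why the reporter's own smtps://68.87.20.6:465 session is the one that logs 'starttls' and passes certificate verification, and smtp+tls is a plaintext session upgraded with the STARTTLS extension, which is why that attempt against the same port was closed by the peer. The 'starttls' log line marks the TLS channel coming up in either mode, so it is not evidence of which mode ran and does not support the change. The reordering that groups the STARTTLS variants ahead of the TLS-on-connect one is a separate cosmetic change and could be resubmitted on its own, provided each `.It` keeps its original description, i.e. `.It smtps` stays paired with `SMTP session with forced TLS on connection.` and `.It smtp+tls` with `Normal SMTP session with mandatory STARTTLS.`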