emacs-devel

Re: TLS smpt encryption


From: Simon Josefsson
Subject: Re: TLS smpt encryption
Date: Mon, 11 Sep 2006 16:00:14 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)

Phillip Lord <address@hidden> writes:

>>>>>> "SJ" == Simon Josefsson <address@hidden> writes:
>
>
>   >> First, the defaults. To use TLS, you have to reconfigure things
>   >> like the ports manually, and have to do so in multiple places.
>
>   SJ> The supported way to use TLS is NOT to use another port.
>
>   SJ> The recommended practice since 1999, and probably before that,
>   SJ> when RFC 2487 came out, is to use port 25 and use STARTTLS on
>   SJ> that port.
>
> I am sure that you are correct about the RFC's. Maybe, you are correct
> about peoples use of ports as well, I don't know as I have a limited
> number of mail servers to try out on. All I can say is that anything
> which makes the task of connecting easier, including best guess
> heuristics on port numbers.

Right.

>   SJ> Typically, no.
>
>   >> So you have to change this. But this is done in
>   >> smtpmail-smtp-service. The 25's in auth-credentials are only used
>   >> to determine which credentials should be used.
>
>   SJ> Right, and you could have multiple credentials, for different
>   SJ> ports.
>
> Of course, I understand that the system as you have it set up offers
> more flexibility and that this is a good thing. However, the
> duplication of port numbers in general is confusing. You have said,
> after all, that in general people use the same port. 

Yup.

>   >> Confusing. I don't know what the standards are, but most mail
>   >> readers you just click "SSL/TLS encryption" and the ports get
>   >> set, or guessed, automatically.
>
>   SJ> Again, most programs use the same port.
>
>   >> Second, the documentation. Take...
>   >> 
>   >> ;;(setq smtpmail-starttls-credentials
>   >> ;;      '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key"
>   >> ;;      "~/.my_smtp_tls.cert")))
>   >> 
>   >> 
>   >> So, whats .my_smtp_tls.key then? Where does it come from? How do
>   >> I get it? Can I use gnutls to generate it? I have no idea at
>   >> all. Further investigation suggests that actually you can leave
>   >> this blank, and it should still work.
>
>   SJ> Did you read the Emacs SMTP Manual?  An old copy is available
>   SJ> from:
>
>   SJ> http://josefsson.org/smtpmail.html
>
> Yes. My comments about the documentation come as a result of reading
> it. I would not have commented on had I not done so. From my reading
> of this what the certificates used in smtpmail-starttls-credentials
> actually are is not described. Hence the confusion. 

Ok.  A complete discussion of X.509 and certificates (a complex
topic!) is not appropriate, but a shorter explanation may be useful.
Patches welcome...

>   SJ> But it is also part of Emacs.
>
>   SJ> If you don't have a X.509 certificate/key pair, you can leave
>   SJ> those fields empty.  You can generate them using GnuTLS, but you
>   SJ> need the server admin to recognize your certificate as well.
>   SJ> Typically you don't need client authentication using TLS.
>
>   SJ> The documentation for the variable seem sub-optimal here, so I
>   SJ> have installed this change:
>
>   SJ> --- smtpmail.el 15 Feb 2006 10:22:36 +0100 1.84
>   SJ> +++ smtpmail.el 06 Sep 2006 11:07:47 +0200
>   SJ> @@ -176,7 +176,12 @@
>   SJ>  (defcustom smtpmail-starttls-credentials '(("" 25 "" ""))
>   SJ>    "Specify STARTTLS keys and certificates for servers.
>   SJ>  This is a list of four-element list with `servername' (a
>   SJ>  string),
>   SJ> -`port' (an integer), `key' (a filename) and `certificate' (a
>   SJ> filename)."  +`port' (an integer), `key' (a filename) and
>   SJ> `certificate' (a +filename).  +If you do not have a
>   SJ> certificate/key pair, leave the `key' and +`certificate' fields
>   SJ> as `nil'.  A key/certificate pair is only +needed if you want to
>   SJ> use X.509 client authenticated +connections."
>   SJ>    :type '(repeat (list (string :tag "Server")
>   SJ>                        (integer :tag "Port") (file :tag "Key")
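Review bot: the new docstring tells users to leave `key' and `certificate' as `nil', but the defcustom default on the first line of this hunk is '(("" 25 "" "")), that is, empty strings, and the :type widget is (file :tag "Key"); pick one convention and state it (for example "leave them as empty strings or nil") so the default, the docstring and the widget agree. While touching the text, "This is a list of four-element list" should read "a list of four-element lists".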
>
>
> Thank you, this is much clearer.

Ok.

>   >> Third, it would be nice if the documentation made clear that
>   >> "TLS" appears to be the same thing as "SSL" -- at least in the
>   >> context of SMTP servers. I was under the impression for a number
>   >> of months that I could not use encryption for SMTP as our local
>   >> server requires SSL, which smtpmail doesn't do. Actually, it uses
>   >> TLS. Some documentation saying "if you are required to use SSL,
>   >> this is probably what you want".
>
>   SJ> SSL is an earlier version of TLS, but they are compatible.  SMTP
>   SJ> uses TLS, but people often incorrectly call it SSL.  I modified
>   SJ> the Emacs SMTP Manual to mention SSL:
>
>   SJ> Index: smtpmail.texi
>   SJ> ===================================================================
>   SJ> RCS file: /sources/emacs/emacs/man/smtpmail.texi,v retrieving
>   SJ> revision 1.13 retrieving revision 1.14 diff -u -p -r1.13 -r1.14
>   SJ> --- smtpmail.texi 5 Feb 2006 22:41:31 -0000 1.13
>   SJ> +++ smtpmail.texi 6 Sep 2006 09:10:43 -0000 1.14
>   SJ> @@ -209,6 +209,8 @@ The following example illustrates what y
>   SJ>  @cindex CRAM-MD5 @cindex LOGIN @cindex STARTTLS
>   SJ> address@hidden TLS address@hidden SSL
>   SJ>  Many environments require SMTP clients to authenticate
>   SJ>  themselves before they are allowed to route mail via a server.
>   SJ>  The two following variables contains the authentication
>   SJ>  information needed for this.
>   SJ> @@ -220,10 +222,10 @@ that order if the server support both.
>   SJ>  The second variable, @code{smtpmail-starttls-credentials},
>   SJ>  instructs the SMTP library to connect to the server using
>   SJ>  STARTTLS.  This means the protocol exchange may be integrity
>   SJ>  protected and confidential by
>   SJ> -using TLS, and optionally also authentication of the client.
>   SJ> This -feature uses the elisp package @file{starttls.el} (see it
>   SJ> for more -information on customization), which in turn require
>   SJ> that at least one -of the following external tools are
>   SJ> installed: +using TLS, also known as SSL, and optionally also
>   SJ> authentication of +the client.  This feature uses the elisp
>   SJ> package @file{starttls.el} +(see it for more information on
>   SJ> customization), which in turn require +that at least one of the
>   SJ> following external tools are installed:
>  
>   SJ>  @enumerate @item
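Review bot: "using TLS, also known as SSL" in the added sentence presents the two as synonyms; SSL is the older protocol family that TLS superseded, so the text should say that (as the reply to this patch asks for) rather than "also known as". Also, in the re-wrapped sentence, "which in turn require that at least one of the following external tools are installed" should read "which in turn requires that at least one of the following external tools is installed".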
>
>
>
> I would modify this a bit -- TLS and SSL are not the same thing as you
> suggest. I would say explicitly what you have just described to me. 
>
> This means the protocol exchange may be integrity protected and
> confidential by using TLS, and optionally also authentication of the
> client.
>
> TLS is a secure, encrypted communication method which is compatible
> with SSL. In most cases where the system admins say that "SSL is
> required", TLS will work. 

I have installed this patch.

--- smtpmail.texi       06 Sep 2006 11:10:02 +0200      1.14
+++ smtpmail.texi       11 Sep 2006 15:53:01 +0200      
@@ -214,6 +214,7 @@
 Many environments require SMTP clients to authenticate themselves
 before they are allowed to route mail via a server.  The two following
 variables contains the authentication information needed for this.
+
 The first variable, @code{smtpmail-auth-credentials}, instructs the
 SMTP library to use a SASL authentication step, currently only the
 CRAM-MD5 and LOGIN mechanisms are supported and will be selected in
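Review bot: the inserted blank line only splits the paragraph, which is fine; since the hunk is here anyway, the context line "The two following variables contains the authentication information" should read "contain".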
@@ -222,10 +223,17 @@
 The second variable, @code{smtpmail-starttls-credentials}, instructs
 the SMTP library to connect to the server using STARTTLS.  This means
 the protocol exchange may be integrity protected and confidential by
-using TLS, also known as SSL, and optionally also authentication of
-the client.  This feature uses the elisp package @file{starttls.el}
-(see it for more information on customization), which in turn require
-that at least one of the following external tools are installed:
+using the Transport Layer Security (TLS) protocol, and optionally also
+authentication of the client and server.
+
+TLS is a security protocol that is also known as SSL, although
+strictly speaking, SSL is an older variant of TLS.  TLS is backwards
+compatible with SSL.  In most mundane situations, the two terms are
+equivalent.
+
+The TLS feature uses the elisp package @file{starttls.el} (see it for
+more information on customization), which in turn require that at
+least one of the following external tools are installed:
 
 @enumerate
 @item
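Review bot: "TLS is backwards compatible with SSL" overstates it. TLS and SSL 3.0 are distinct protocol versions; they interoperate only because the handshake negotiates a version both ends support, so a client built on a TLS-only tool cannot reach a server that accepts nothing but SSL. Suggest "TLS implementations can usually negotiate a connection with servers that only speak SSL", or drop the sentence, since "In most mundane situations, the two terms are equivalent" already carries the practical point. Two smaller things in the same hunk: "optionally also authentication of the client and server" mentions the server, but the variable documented here only holds the client's key and certificate, so either say where server authentication is configured or restrict the claim to the client; and "which in turn require that at least one of the following external tools are installed" should be "requires ... is installed".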

>   >> Finally, it doesn't seem to work on windows. I spent three hours
>   >> with a debugger a couple of days ago -- I figured this was the
>   >> only way to see if I had the configuration right. It appears that
>   >> starttls.el uses Unix specific process handling, so won't work
>   >> with NTEmacs. I've been told that you can get this working with
>   >> cygwin by calling out to kill.exe which works around the
>   >> problem. Bit ugly! I realise that fixing this properly may take
>   >> some time, but updating the documentation would be relatively
>   >> quick!
>
>   SJ> I've seen it suggested that people have had success on Windows
>   SJ> using the starttls binary instead of gnutls-cli.  But I don't
>   SJ> really know what works under Windows, so I don't know how to
>   SJ> improve things here.
>
> The problem is with your process handling. 
>
> (signal-process (process-id process) 'SIGALRM)
>
> wont work.

Why not?  Wouldn't that be a bug in NTEmacs?

> If you are using the cygwin gnutls, then this can be faked using
> "kill" directly, but NTEmacs cannot send this signal, at least to my
> knowledge.

If "kill" can do it, then probably NTEmacs could too.  And NTEmacs
probably should do that, especially if `signal-process' doesn't do
anything useful at all under Windows.  However, some NTEmacs person
should answer this.

> I might try starttls, but in general, its easier to have as few
> extraneous binaries as possible, hence the desire to use
>
> If TLS is compatible with SSL, would it not be possible to use the SSL
> binaries. As I say, the IMAP code works fine using SSL?

IMAP uses the same library, starttls.el, as SMTP.  So they are already
using the same tools.  Btw, IMAP uses TLS, strictly speaking.

>   >> At the moment, I have access to a non TLS based stream, but this
>   >> isn't going to last for ever. I suspect that many people are in
>   >> the same boat.
>
>   SJ> Right.  Many people have migrated to SMTP over TLS already.
>
>
> Yep. Once everywhere goes, I can no longer send email with emacs. I
> spent 6 months on outlook this year and the experience was, er, less
> than optimal, shall I say. 

Many people have migrated to SMTP over TLS with Emacs too, I remember
writing the first support for this in Emacs around 2000 to 2001
somewhere, and many used it successfully even back then.

/Simon
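The exchange the thread keeps coming back to, STARTTLS negotiated on the ordinary SMTP port after EHLO (RFC 2487, later RFC 3207) with the client certificate left out, as an added example that is not part of the original message and not code from Emacs's smtpmail.el or starttls.el. The host names, the scripted in-memory server, its extension list and the function names are all constructed for the example (Python 3.9 or later assumed); the server side only models the replies and does not run a real handshake. The client fails closed when STARTTLS is not advertised, which is the check a practitioner wants on a port where TLS is optional.

```python
# Added example; not from the emacs-devel thread or Emacs.  Host names,
# ScriptedSmtpServer and smtp_session are constructed for this example.
from __future__ import annotations

import ssl
from dataclasses import dataclass, field
from typing import Optional


class StarttlsNotOffered(Exception):
    """The client requires TLS but the server did not offer (or refused) STARTTLS."""


class ScriptedSmtpServer:
    """Constructed stand-in for the server side (no sockets, no handshake).

    EHLO gets a multi-line 250 reply listing the extensions; STARTTLS gets 220
    only if it was advertised, and after that EHLO no longer lists STARTTLS,
    as RFC 3207 requires once TLS is active.
    """

    def __init__(self, hostname: str, extensions: list[str]) -> None:
        self.hostname = hostname
        self.extensions = list(extensions)
        self.tls_active = False
        self.transcript: list[str] = []  # "C: ..." / "S: ..." lines, for reading along

    def handle(self, command: str) -> str:
        self.transcript.append("C: " + command)
        verb = command.split(maxsplit=1)[0].upper()
        if verb == "EHLO":
            offered = [e for e in self.extensions if not (self.tls_active and e == "STARTTLS")]
            lines = [f"250-{self.hostname} Hello"] + [f"250-{e}" for e in offered]
            lines[-1] = "250 " + lines[-1][4:]  # RFC 5321: last line uses a space, others '-'
            reply = "\r\n".join(lines)
        elif verb == "STARTTLS":
            if "STARTTLS" in self.extensions and not self.tls_active:
                self.tls_active = True  # a real server would now run the TLS handshake
                reply = "220 Ready to start TLS"
            else:
                reply = "502 STARTTLS not available"
        else:
            reply = "500 Unrecognized command"
        self.transcript.append("S: " + reply)
        return reply


def parse_ehlo_reply(reply: str) -> set[str]:
    """Return the EHLO keywords (SIZE, STARTTLS, AUTH, ...) from a 250 reply.

    Anything that is not a well-formed 250 multi-line reply is an error, so a
    tampered or truncated greeting never turns into a silent plaintext session.
    """
    lines = reply.split("\r\n")
    keywords: set[str] = set()
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        last = i == len(lines) - 1
        if (line[3] == " ") != last:
            raise ValueError("250 continuation markers do not match the reply length")
        if i > 0:  # the first line is the server greeting, not an extension
            keywords.add(line[4:].split()[0].upper())
    return keywords


def build_client_context(key: Optional[str], cert: Optional[str]) -> ssl.SSLContext:
    """TLS client settings: verify the server; present a client cert only if given.

    create_default_context() will not negotiate SSLv2/SSLv3, which is the
    practical limit of "TLS is compatible with SSL": a server that speaks
    only old SSL fails the handshake here instead of getting a downgrade.
    """
    ctx = ssl.create_default_context()
    if key and cert:  # X.509 client authentication, only if the server admin expects it
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


@dataclass
class SessionOutcome:
    tls: bool
    client_cert: bool
    extensions: set[str] = field(default_factory=set)  # as advertised after the upgrade


def smtp_session(server: ScriptedSmtpServer, require_tls: bool = True,
                 key: Optional[str] = None, cert: Optional[str] = None) -> SessionOutcome:
    """Client side: EHLO, then STARTTLS on the same connection; fail closed if required."""
    ehlo = "EHLO client.example.test"
    keywords = parse_ehlo_reply(server.handle(ehlo))
    if "STARTTLS" not in keywords:
        if require_tls:
            raise StarttlsNotOffered(f"{server.hostname} did not advertise STARTTLS")
        return SessionOutcome(tls=False, client_cert=False, extensions=keywords)
    reply = server.handle("STARTTLS")
    if not reply.startswith("220"):
        raise StarttlsNotOffered(f"{server.hostname} refused STARTTLS: {reply}")
    build_client_context(key, cert)  # the real handshake would run with this context here
    keywords = parse_ehlo_reply(server.handle(ehlo))  # RFC 3207: start over with EHLO under TLS
    return SessionOutcome(tls=True, client_cert=bool(key and cert), extensions=keywords)
```

Read `server.transcript` after a session to see both sides of the exchange in order. The `require_tls=True` default is the deliberate choice: on port 25 nothing forces the server to offer STARTTLS, so a client that quietly continues without it has no way of knowing whether the server never supported it or something on the path removed the keyword.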
