[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: TLS smpt encryption
From: |
Simon Josefsson |
Subject: |
Re: TLS smpt encryption |
Date: |
Mon, 11 Sep 2006 16:00:14 +0200 |
User-agent: |
Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux) |
Phillip Lord <address@hidden> writes:
>>>>>> "SJ" == Simon Josefsson <address@hidden> writes:
>
>
> >> First, the defaults. To use TLS, you have to reconfigure things
> >> like the ports manually, and have to do so in multiple places.
>
> SJ> The supported way to use TLS is NOT to use another port.
>
> SJ> The recommended practice since 1999, and probably before that,
> SJ> when RFC 2487 came out, is to use port 25 and use STARTTLS on
> SJ> that port.
>
> I am sure that you are correct about the RFC's. Maybe, you are correct
> about peoples use of ports as well, I don't know as I have a limited
> number of mail servers to try out on. All I can say is that anything
> which makes the task of connecting easier, including best guess
> hueristics on port numbers.
Right.
> SJ> Typically, no.
>
> >> So you have to change this. But this is done in
> >> smtpmail-smtp-service. The 25's in auth-credentials are only used
> >> to determine which credentials should be used.
>
> SJ> Right, and you could have multiple credentials, for different
> SJ> ports.
>
> Of course, I understand that the system as you have it set up offers
> more flexibility and that this is a good thing. However, the
> duplication of port numbers in general is confusing. You have said,
> after all, that in general people use the same port.
Yup.
> >> Confusing. I don't know what the standards are, but most mail
> >> readers you just click "SSL/TLS encryption" and the ports get
> >> set, or guessed, automatically.
>
> SJ> Again, most programs use the same port.
>
> >> Second, the documentation. Take...
> >>
> >> ;;(setq smtpmail-starttls-credentials
> >> ;; '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key"
> >> ;; "~/.my_smtp_tls.cert")))
> >>
> >>
> >> So, whats .my_smtp_tls.key then? Where does it come from? How do
> >> I get it? Can I use gnutls to generate it? I have no idea at
> >> all. Further investigation suggests that actually you can leave
> >> this blank, and it should still work.
>
> SJ> Did you read the Emacs SMTP Manual? An old copy is available
> SJ> from:
>
> SJ> http://josefsson.org/smtpmail.html
>
> Yes. My comments about the documentation come as a result of reading
> it. I would not have commented on had I not done so. From my reading
> of this what the certificates used in smtpmail-starttls-credentials
> actually are is not described. Hence the confusion.
Ok. A complete discussion of X.509 and certificates (a complex
topic!) is not appropriate, but a shorter explanation may be useful.
Patches welcome...
> SJ> But it is also part of Emacs.
>
> SJ> If you don't have a X.509 certificate/key pair, you can leave
> SJ> those fields empty. You can generate them using GnuTLS, but you
> SJ> need the server admin to recognize your certificate as well.
> SJ> Typically you don't need client authentication using TLS.
>
> SJ> The documentation for the variable seem sub-optimal here, so I
> SJ> have installed this change:
>
> SJ> --- smtpmail.el 15 Feb 2006 10:22:36 +0100 1.84
> SJ> +++ smtpmail.el 06 Sep 2006 11:07:47 +0200
> SJ> @@ -176,7 +176,12 @@
> SJ> (defcustom smtpmail-starttls-credentials '(("" 25 "" ""))
> SJ> "Specify STARTTLS keys and certificates for servers.
> SJ> This is a list of four-element list with `servername' (a
> SJ> string),
> SJ> -`port' (an integer), `key' (a filename) and `certificate' (a
> SJ> filename)." +`port' (an integer), `key' (a filename) and
> SJ> `certificate' (a +filename). +If you do not have a
> SJ> certificate/key pair, leave the `key' and +`certificate' fields
> SJ> as `nil'. A key/certificate pair is only +needed if you want to
> SJ> use X.509 client authenticated +connections."
> SJ> :type '(repeat (list (string :tag "Server")
> SJ> (integer :tag "Port") (file :tag "Key")
>
>
> Thank you, this is much clear.
Ok.
> >> Third, it would be nice if the documentation made clear that
> >> "TLS" appears to be the same thing as "SSL" -- at least in the
> >> context of SMTP servers. I was under the impression for a number
> >> of months that I could not use encryption for SMTP as our local
> >> server requires SSL, which smtpmail doesn't do. Actually, it uses
> >> TLS. Some documentation saying "if you are required to use SSL,
> >> this is probably what you want".
>
> SJ> SSL is an earlier version of TLS, but they are compatible. SMTP
> SJ> uses TLS, but people often incorrect call it SSL. I modified
> SJ> the Emacs SMTP Manual to mention SSL:
>
> SJ> Index: smtpmail.texi
> SJ> ===================================================================
> SJ> RCS file: /sources/emacs/emacs/man/smtpmail.texi,v retrieving
> SJ> revision 1.13 retrieving revision 1.14 diff -u -p -r1.13 -r1.14
> SJ> --- smtpmail.texi 5 Feb 2006 22:41:31 -0000 1.13
> SJ> +++ smtpmail.texi 6 Sep 2006 09:10:43 -0000 1.14
> SJ> @@ -209,6 +209,8 @@ The following example illustrates what y
> SJ> @cindex CRAM-MD5 @cindex LOGIN @cindex STARTTLS
> SJ> address@hidden TLS address@hidden SSL
> SJ> Many environments require SMTP clients to authenticate
> SJ> themselves before they are allowed to route mail via a server.
> SJ> The two following variables contains the authentication
> SJ> information needed for this.
> SJ> @@ -220,10 +222,10 @@ that order if the server support both.
> SJ> The second variable, @code{smtpmail-starttls-credentials},
> SJ> instructs the SMTP library to connect to the server using
> SJ> STARTTLS. This means the protocol exchange may be integrity
> SJ> protected and confidential by
> SJ> -using TLS, and optionally also authentication of the client.
> SJ> This -feature uses the elisp package @file{starttls.el} (see it
> SJ> for more -information on customization), which in turn require
> SJ> that at least one -of the following external tools are
> SJ> installed: +using TLS, also known as SSL, and optionally also
> SJ> authentication of +the client. This feature uses the elisp
> SJ> package @file{starttls.el} +(see it for more information on
> SJ> customization), which in turn require +that at least one of the
> SJ> following external tools are installed:
>
> SJ> @enumerate @item
>
>
>
> I would modify this a bit -- TLS and SSL are not the same thing as you
> suggest. I would say explicitly what you have just described to me.
>
> This means the protocol exchange may be integrity protected and
> confidential by using TLS, and optionally also authentication of the
> client.
>
> TLS is a secure, encrypted communication method which is compatible
> with SSL. In most cases where the system admins say that "SSL is
> required", TLS will work.
I have installed this patch.
--- smtpmail.texi 06 Sep 2006 11:10:02 +0200 1.14
+++ smtpmail.texi 11 Sep 2006 15:53:01 +0200
@@ -214,6 +214,7 @@
Many environments require SMTP clients to authenticate themselves
before they are allowed to route mail via a server. The two following
variables contains the authentication information needed for this.
+
The first variable, @code{smtpmail-auth-credentials}, instructs the
SMTP library to use a SASL authentication step, currently only the
CRAM-MD5 and LOGIN mechanisms are supported and will be selected in
@@ -222,10 +223,17 @@
The second variable, @code{smtpmail-starttls-credentials}, instructs
the SMTP library to connect to the server using STARTTLS. This means
the protocol exchange may be integrity protected and confidential by
-using TLS, also known as SSL, and optionally also authentication of
-the client. This feature uses the elisp package @file{starttls.el}
-(see it for more information on customization), which in turn require
-that at least one of the following external tools are installed:
+using the Transport Layer Security (TLS) protocol, and optionally also
+authentication of the client and server.
+
+TLS is a security protocol that is also known as SSL, although
+strictly speaking, SSL is an older variant of TLS. TLS is backwards
+compatible with SSL. In most mundane situations, the two terms are
+equivalent.
+
+The TLS feature uses the elisp package @file{starttls.el} (see it for
+more information on customization), which in turn require that at
+least one of the following external tools are installed:
@enumerate
@item
> >> Finally, it doesn't seem to work on windows. I spent three hours
> >> with a debugger a couple of days ago -- I figured this was the
> >> only way to see if I had the configuration right. It appears that
> >> starttls.el uses Unix specific process handling, so won't work
> >> with NTEmacs. I've been told that you can get this working with
> >> cygwin by calling out to kill.exe which works around the
> >> problem. Bit ugly! I realise that fixing this properly may take
> >> some time, but updating the documentation would be relatively
> >> quick!
>
> SJ> I've seen it suggested that people have had success on Windows
> SJ> using the starttls binary instead of gnutls-cli. But I don't
> SJ> really know what works under Windows, so I don't know how to
> SJ> improve things here.
>
> The problem is with your process handling.
>
> (signal-process (process-id process) 'SIGALRM)
>
> wont work.
Why not? Wouldn't that a bug in NTEmacs?
> If you are using the cygwin gnutls, then this can be faked using
> "kill" directly, but NTEmacs cannot send this signal, at least to my
> knowledge.
If "kill" can do it, then probably NTEmacs could too. And NTEmacs
probably should do that, especially if `signal-process' doesn't do
anything useful at all under Windows. However, some NTEmacs person
should answer this.
> I might try starttls, but in general, its easier to have as few
> extraneous binaries as possible, hence the desire to use
>
> If TLS is compatible with SSL, would it not possible to use the SSL
> binaries. As I say, the IMAP code works fine using SSL?
IMAP uses the same library, starttls.el, as SMTP. So they are already
using the same tools. Btw, IMAP uses TLS, strictly speaking.
> >> At the moment, I have access to a non TLS based stream, but this
> >> isn't going to last for ever. I suspect that many people are in
> >> the same boat.
>
> SJ> Right. Many people have migrated to SMTP over TLS already.
>
>
> Yep. Once everwhere goes, I can no longer send email with emacs. I
> spent 6 months on outlook this year and the experience was, er, less
> than optimal, shall I say.
Many people have migrated to SMTP over TLS with Emacs too, I remember
writing the first support for this in Emacs around 2000 to 2001
somewhere, and many used it successfully even back then.
/Simon