Sunday, May 16, 2010

Securing Postfix and Dovecot with TLS

SSL/TLS vs STARTTLS

This seemed to be confusing at first but here is what it boils down to:

With STARTTLS, an existing TCP connection is upgraded to an encrypted one after the plaintext SMTP greeting and EHLO exchange, when the client issues the STARTTLS command. With SSL/TLS, on the other hand, an encrypted connection is negotiated right away, before any SMTP handshake takes place. In other words, STARTTLS is "TLS inside SMTP", while SSL/TLS is "SMTP inside TLS".

See this page for more information.

Another important difference between the two schemes is that STARTTLS does not require a separate port: you keep using the same SMTP (25) or IMAP (143) port. SSL/TLS, on the other hand, requires separate ports, smtps (465) and imaps (993).

Setup

I wanted to implement a STARTTLS scheme; however, I decided to fall back to SSL/TLS for two reasons:

1. I am running dovecot-1.0.7 on CentOS release 5.5. Unfortunately for me, I was not able to require SSL connections, since the "ssl = required" configuration option is not available until v1.2+. Without it I could not force TLS for non-plaintext authentication.
[http://wiki.dovecot.org/SSL/DovecotConfiguration]

2. Outlook-related issues described here.

SSL/TLS

Securing Postfix
The "smtpd_tls_wrappermode=yes" option disables STARTTLS and enables SSL/TLS (wrapper mode). It effectively overrides the "smtpd_tls_security_level" setting in /etc/postfix/main.cf. One thing to remember is that you are not supposed to put this option in main.cf, where it would apply to every smtpd service, including the one on port 25; it needs to go in master.cf as a "-o" override on the smtps service.
/etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes 
Since we are using the smtps service, we need to punch a hole in our firewall for port 465.
/etc/postfix/main.cf
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_CAfile = /etc/pki/tls/certs/ca.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_timeout = 3600s
Testing
openssl s_client -tls1 -crlf -connect mail.domain.com:465
Securing Dovecot
/etc/dovecot.conf
protocols = imaps # we need to open port 993 for this

disable_plaintext_auth = yes # Allows plaintext authentication only when SSL/TLS is used first.
ssl = required # v1.2+ only. Requires SSL/TLS also for non-plaintext authentication. 

ssl_cert_file = /etc/pki/tls/certs/mail.crt
ssl_key_file = /etc/pki/tls/private/mail.key
Testing Dovecot setup:
openssl s_client -tls1 -crlf -connect mail.domain.com:993

STARTTLS

Securing Postfix
/etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
As described previously, STARTTLS works over an existing port. Since we are using the usual smtp service, we need to punch a hole in our firewall for port 25. Another option is to enable the submission service on port 587, since many ISPs block outbound port 25 from client networks. Keep in mind that requiring TLS ("encrypt" below) on port 25 also affects other mail servers delivering to you: any sender that does not support STARTTLS will be refused.
/etc/postfix/main.cf
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_CAfile = /etc/pki/tls/certs/ca.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
# "encrypt" requires STARTTLS. Keep comments on their own line: main.cf has no
# inline comments, so "encrypt # ..." would be read as the (invalid) value.
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_timeout = 3600s
If you are using a Postfix version older than 2.3, which is where smtpd_tls_security_level was introduced, see the smtpd_enforce_tls parameter instead.
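The following is an added example, not part of this post and not Postfix's own tooling: a small static checker for the main.cf and master.cf settings used in both the SSL/TLS and STARTTLS sections. It assumes Postfix file syntax (a "name = value" line per parameter, "#" comments only at the start of a line, and a line starting with whitespace continuing the previous one in both files). The sample configuration fragments are constructed for the example and reuse the paths from the post; mode "wrapper" corresponds to the smtps/465 setup and "starttls" to the port 25/587 setup.

```python
"""Static checks for the Postfix TLS settings used in this post (added example)."""
import shlex

# Constructed main.cf fragments (paths as in the post, not from a real host).
MAIN_CF_BAD = """\
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_security_level = encrypt # inline comment: becomes part of the value
smtpd_tls_auth_only = no
smtpd_tls_wrappermode = yes
"""

MAIN_CF_GOOD = """\
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
# Comments stay on their own line.
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
"""

# Constructed master.cf: the wrapper-mode override sits on a continuation line.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
"""


def logical_lines(text):
    """Join continuation lines and drop blanks and comment lines, as Postfix does."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return [l for l in lines if not l.startswith("#")]


def parse_main_cf(text):
    """Return {parameter: value}; a trailing '# ...' is deliberately NOT stripped."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {name: value}} holding the '-o' overrides of each service."""
    services = {}
    for line in logical_lines(text):
        fields = shlex.split(line)
        if len(fields) < 8:  # service type private unpriv chroot wakeup maxproc command
            continue
        overrides = {}
        args = fields[8:]
        for flag, setting in zip(args, args[1:]):
            if flag == "-o":
                name, _, value = setting.partition("=")
                overrides[name.strip()] = value.strip()
        services[fields[0]] = overrides
    return services


def check_postfix_tls(main_cf, master_cf, mode):
    """Return findings for mode 'starttls' (port 25/587) or 'wrapper' (smtps 465)."""
    if mode not in ("starttls", "wrapper"):
        raise ValueError("mode must be 'starttls' or 'wrapper'")
    params = parse_main_cf(main_cf)
    services = parse_master_cf(master_cf)
    findings = []

    for name, value in params.items():
        if "#" in value:
            findings.append(f"{name}: '#' inside value, main.cf has no inline comments")
    if "smtpd_tls_wrappermode" in params:
        findings.append("smtpd_tls_wrappermode in main.cf would apply to every smtpd "
                        "service; set it as '-o' on the smtps line of master.cf")
    for name in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if name not in params:
            findings.append(f"{name} is not set")
    if params.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_tls_auth_only should be yes: AUTH is then offered only after TLS")

    if mode == "starttls":
        level = params.get("smtpd_tls_security_level", "none")
        if level != "encrypt":
            findings.append(f"smtpd_tls_security_level is {level!r}; 'encrypt' is needed to require STARTTLS")
    else:
        smtps = services.get("smtps", {})
        if smtps.get("smtpd_tls_wrappermode") != "yes":
            findings.append("master.cf has no smtps service with -o smtpd_tls_wrappermode=yes")
    return findings


if __name__ == "__main__":
    print("bad starttls:", check_postfix_tls(MAIN_CF_BAD, MASTER_CF, "starttls"))
    print("good starttls:", check_postfix_tls(MAIN_CF_GOOD, MASTER_CF, "starttls"))
    print("good wrapper:", check_postfix_tls(MAIN_CF_GOOD, MASTER_CF, "wrapper"))
```

Run it against the real files with `open("/etc/postfix/main.cf").read()` and `open("/etc/postfix/master.cf").read()`; the "bad" sample shows why the inline-comment and wrappermode-in-main.cf mistakes are worth catching before a restart.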

Testing
openssl s_client -starttls smtp -crlf -connect mail.domain.com:25
Securing Dovecot
/etc/dovecot.conf
protocols = imap # No need for a separate port. We will stick with port 143.

disable_plaintext_auth = yes # Allows plaintext authentication only when SSL/TLS is used first.
ssl = required # v1.2+ only. Requires SSL/TLS also for non-plaintext authentication. 

ssl_cert_file = /etc/pki/tls/certs/mail.crt
ssl_key_file = /etc/pki/tls/private/mail.key
Testing Dovecot setup:
openssl s_client -starttls imap -crlf -connect mail.domain.com:143
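As an added example (not from the post, and not part of Postfix or Dovecot), here is a check of what a client, or the openssl s_client commands above, sees before the TLS upgrade on the STARTTLS ports. It encodes what the settings in this section are meant to guarantee: Postfix with smtpd_tls_auth_only = yes advertises STARTTLS but no AUTH in the pre-TLS EHLO reply, and Dovecot with disable_plaintext_auth = yes advertises STARTTLS together with LOGINDISABLED, the RFC 2595 capability that tells clients plaintext LOGIN is refused until TLS is up. The sample responses are constructed and reuse the post's placeholder host mail.domain.com; the wrapper-mode ports (465/993) have no pre-TLS phase, so this check does not apply to them.

```python
"""Pre-TLS capability check for STARTTLS setups (added example)."""
import re

# Constructed sample replies as seen before STARTTLS.
EHLO_OK = ("250-mail.domain.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
           "250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 8BITMIME\r\n")
EHLO_LEAKY = ("250-mail.domain.com\r\n250-PIPELINING\r\n"
              "250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")

IMAP_OK = ("* CAPABILITY IMAP4rev1 SASL-IR STARTTLS LOGINDISABLED\r\n"
           "a001 OK Capability completed.\r\n")
IMAP_LEAKY = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] Dovecot ready.\r\n"


def parse_ehlo(response):
    """Keywords of a multi-line EHLO reply; the first 250 line carries the hostname."""
    reply = [l.strip() for l in response.splitlines() if re.match(r"250[ -]", l.strip())]
    return {l[4:].split()[0].upper() for l in reply[1:] if l[4:].strip()}


def parse_imap_capability(text):
    """Capability atoms from '* CAPABILITY ...' or a '[CAPABILITY ...]' greeting."""
    m = re.search(r"CAPABILITY ([^\]\r\n]*)", text)
    return set(m.group(1).upper().split()) if m else set()


def check_smtp_pre_tls(ehlo_response):
    """Findings for an SMTP server's EHLO reply before STARTTLS."""
    caps = parse_ehlo(ehlo_response)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered; clients cannot upgrade the connection")
    if "AUTH" in caps:
        findings.append("AUTH offered before TLS; credentials could be sent in the clear")
    return findings


def check_imap_pre_tls(text):
    """Findings for an IMAP server's capability list before STARTTLS."""
    caps = parse_imap_capability(text)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing; plaintext LOGIN accepted before TLS")
    plain = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if plain:
        findings.append("plaintext SASL mechanisms offered before TLS: " + " ".join(plain))
    return findings


if __name__ == "__main__":
    print("smtp ok:", check_smtp_pre_tls(EHLO_OK))
    print("smtp leaky:", check_smtp_pre_tls(EHLO_LEAKY))
    print("imap ok:", check_imap_pre_tls(IMAP_OK))
    print("imap leaky:", check_imap_pre_tls(IMAP_LEAKY))
```

To use it on your own server, paste the reply printed by `openssl s_client -starttls smtp` (or `-starttls imap`) before the handshake, or the output of a plain `telnet mail.domain.com 25` followed by `EHLO test`, into the corresponding check function.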
