1

Topic: Secure Connection SSL / STARTTLS

======== Required information ====
- iRedMail version: 0.9.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx): Apache
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
====

I started a new topic in my documentation; it's about secure connections:

http://doc.samplezone.ch/iredmail/versi … unication/


My questions to that topic:

- Is plain text for IMAP / POP3 disabled by default? How?
- I see port 993 is listening but I can't connect with Thunderbird. Why? Where is this controlled? Same with 995?
- Is there fine-grained control in iRedMail Pro? Per user, per domain, global? Restrict to SSL or allow both?

Thanks for your help


2

Re: Secure Connection SSL / STARTTLS

Peter wrote:

- Is plain text for IMAP / POP3 disabled by default? How?

Yes. Reference: http://www.iredmail.org/docs/allow.inse … tions.html

Peter wrote:

- I see port 993 is listening but I can't connect with Thunderbird. Why? Where is this controlled? Same with 995?

993/995 are enabled by default. If they don't work for you, show us how you configured Thunderbird. We have a tutorial here:
http://www.iredmail.org/docs/configure.thunderbird.html

Peter wrote:

- Is there fine-grained control in iRedMail Pro? Per user, per domain, global? Restrict to SSL or allow both?

Yes - for per-user control. No per-domain or global control. You can find this option within iRedAdmin-Pro, in the user profile page, under the tab 'Advanced'. Screenshot attached for your reference.

Dovecot treats SSL and TLS as the same thing (I mean both are secure, not that they are the same protocol); both are logged as 'secured' (with additional info to remind you whether it's SSL or TLS).

If you want to know more technical details:

*) For LDAP user, it's controlled by attribute/value pair: enabledService=imapsecured, enabledService=pop3secured
*) For SQL user, it's controlled by SQL column `enableimapsecured=1` and `enablepop3secured=1` (1 -> enable, 0 -> disable).

http://www.iredmail.org/images/iredadmin/user_profile_advanced.png

3

Re: Secure Connection SSL / STARTTLS

Peter wrote:

- Is plain text for IMAP / POP3 disabled by default? How?

ZhangHuangbin wrote:

Yes. Reference: http://www.iredmail.org/docs/allow.inse … tions.html

Thanks, I was not fast enough. I did find that part and updated the documentation already.

Peter wrote:

- I see port 993 is listening but I can't connect with Thunderbird. Why? Where is this controlled? Same with 995?

ZhangHuangbin wrote:

993/995 are enabled by default. If they don't work for you, show us how you configured Thunderbird. We have a tutorial here:
http://www.iredmail.org/docs/configure.thunderbird.html

Again I was too slow; it's working in the meantime. I need to investigate what happened. Thunderbird's autodetection feature is a pain in the neck. Maybe fail2ban or the certificate was responsible for the problems.

ZhangHuangbin wrote:

Yes - for per-user control. No per-domain or global control. You can find this option within iRedAdmin-Pro, in the user profile page, under the tab 'Advanced'.

Brilliant, thanks for all the details and screenshot :-)



How about an SSL connection for SMTPAuth? I have a load balancer which accepts only plain text or SSL connections for sending monitoring emails. I guess this is bad practice, SMTPAuth with an SSL connection?

4

Re: Secure Connection SSL / STARTTLS

About SSL connections for SMTPAuth, I found your document:

http://www.iredmail.org/docs/enable.smtps.html


Do MTAs talk to each other over an SSL connection if available? Or do they talk SMTP with STARTTLS if available?

5

Re: Secure Connection SSL / STARTTLS

Peter wrote:

Do MTAs talk to each other over an SSL connection if available? Or do they talk SMTP with STARTTLS if available?

It depends on configuration, but most MTAs will try port 25 and, if configured to use TLS, try STARTTLS and fall back to plain text. Nobody these days uses SMTPS since it is officially tagged deprecated by IEEE.

6

Re: Secure Connection SSL / STARTTLS

Peter wrote:

How about an SSL connection for SMTPAuth? I have a load balancer which accepts only plain text or SSL connections for sending monitoring emails. I guess this is bad practice, SMTPAuth with an SSL connection?

About secure SMTP connections: with the default iRedMail configuration, it allows secure connections through ports 25 and 587, and both are forced to use TLS (STARTTLS). Port 25 accepts insecure plain connections to talk to MTAs, but end users are forced to use TLS to submit messages. (Technical detail: forced by the Postfix setting smtpd_tls_auth_only='yes'.)

As mentioned in our tutorial and @mir's reply, SMTPS through port 465 (SSL) is deprecated; you'd better use port 587 with submission (TLS).

Peter wrote:

Do MTAs talk to each other over an SSL connection if available? Or do they talk SMTP with STARTTLS if available?

In an old iRedMail release, we enabled opportunistic TLS support with the Postfix setting 'smtp_tls_security_level=may', but it turned out to cause issues like not being able to receive email from some mail servers (reported by users in this forum), so we turned it off by default.

7

Re: Secure Connection SSL / STARTTLS

Thanks Mir and Zhang for your answers!

ZhangHuangbin wrote:

About secure SMTP connections: with the default iRedMail configuration, it allows secure connections through ports 25 and 587, and both are forced to use TLS (STARTTLS). Port 25 accepts insecure plain connections to talk to MTAs, but end users are forced to use TLS to submit messages. (Technical detail: forced by the Postfix setting smtpd_tls_auth_only='yes'.)

The default setting for ESMTPA (SMTPAuth) looks to me like this:

- port 25: accepts AUTH for Plain text and STARTTLS
- port 587: accepts AUTH ONLY for STARTTLS

Can you confirm this?

My old device, which is not able to encrypt with STARTTLS, did successfully submit the email on port 25.

Idea
How about allowing "plain text" and STARTTLS on port 587 and disabling Auth on port 25? It's the same as POP3 or IMAP: they use the same port for "plain text" (disabled by default) and STARTTLS. And if we talk about postscreen (future iRedMail release), port 25 can't be used anymore for submission.

ZhangHuangbin wrote:

In an old iRedMail release, we enabled opportunistic TLS support with the Postfix setting 'smtp_tls_security_level=may', but it turned out to cause issues like not being able to receive email from some mail servers (reported by users in this forum), so we turned it off by default.

No STARTTLS for SMTP on port 25, and SSL/TLS socket connections on port 465 are deprecated, correct? Secure communication between MTAs is still a dream because of incompatibility?

8

Re: Secure Connection SSL / STARTTLS

Peter wrote:

The default setting for ESMTPA (SMTPAuth) looks to me like this:

- port 25: accepts AUTH for Plain text and STARTTLS
- port 587: accepts AUTH ONLY for STARTTLS

Can you confirm this?

With default iRedMail setting, both port 25 and 587 accept AUTH only for STARTTLS, no plain text.

Peter wrote:

My old device, which is not able to encrypt with STARTTLS, did successfully submit the email on port 25.

*) Which version of iRedMail are you running? (Check the file /etc/iredmail-release.)
*) Do you have 'smtpd_tls_auth_only=yes' in /etc/postfix/main.cf? This is the default setting in iRedMail.

Peter wrote:

How about allowing "plain text" and STARTTLS on port 587 and disabling Auth on port 25? ... And if we talk about postscreen (future iRedMail release), port 25 can't be used anymore for submission.

Bad idea to enable plain text (on any port which may send/receive sensitive data). Why not force it to be secure (with STARTTLS) by default?

If you really need a port which allows plain text, add a new entry in /etc/postfix/master.cf with a non-standard port number and use it internally.

And you're right that we are going to enable postscreen on port 25 in the future, so port 25 will be used for server-to-server communication and not for sending email by your users.

Peter wrote:

No STARTTLS for SMTP on port 25, and SSL/TLS socket connections on port 465 are deprecated, correct?

Again, with current iRedMail release (v0.9.2), STARTTLS on port 25 is supported and enabled by default.
Port 465 - SMTP over SSL (not TLS or STARTTLS) - is deprecated and not enabled in iRedMail by default.

Peter wrote:

Secure communication between MTAs is still a dream because of incompatibility?

You can enable this, but you may face some incompatibility issues because some MTAs (not yours) don't support it, or don't support it properly/fully.
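To make the Postfix settings discussed above checkable, here is an added example (not iRedMail's own code) that audits main.cf / master.cf text for the points raised in this thread: smtpd_tls_auth_only (AUTH only after STARTTLS), smtp_tls_security_level=may (opportunistic TLS to other MTAs), STARTTLS on port 25, and whether the deprecated smtps service on 465 is enabled. The sample configuration is constructed to resemble the defaults described in the thread; point the functions at the real files to audit an installation.

```python
"""Audit the Postfix TLS settings discussed in this thread."""
import re

# Constructed sample (not copied from a real installation), modelled on
# the iRedMail 0.9.2 defaults described in the thread.
MAIN_CF = """\
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
#smtps     inet  n  -  n  -  -  smtpd
"""

def parse_main_cf(text):
    """Return {parameter: value}; skips comments, joins continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:   # continuation line
            params[last] += " " + raw.strip()
        elif "=" in raw:
            key, value = raw.split("=", 1)
            last = key.strip()
            params[last] = value.strip()
    return params

SERVICE_RE = re.compile(r"^(\S+)\s+(inet|unix|fifo|pass)\s")

def enabled_services(text):
    """Return the names of master.cf services that are not commented out."""
    names = set()
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m and not line.startswith("#"):
            names.add(m.group(1))
    return names

def audit(main_cf, master_cf):
    """Map each check to True (hardened) or False (weak)."""
    p = parse_main_cf(main_cf)
    return {
        # plain-text AUTH refused on every smtpd port (smtpd_tls_auth_only)
        "auth_only_after_starttls": p.get("smtpd_tls_auth_only") == "yes",
        # STARTTLS offered to MTAs connecting on port 25
        "inbound_starttls": p.get("smtpd_tls_security_level") in ("may", "encrypt"),
        # opportunistic TLS when delivering to other MTAs
        "outbound_opportunistic_tls": p.get("smtp_tls_security_level") in ("may", "encrypt"),
        # SMTP over SSL on 465 is deprecated; submission on 587 instead
        "smtps_disabled": "smtps" not in enabled_services(master_cf),
    }
```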

9

Re: Secure Connection SSL / STARTTLS

ZhangHuangbin wrote:

With default iRedMail setting, both port 25 and 587 accept AUTH only for STARTTLS, no plain text.

*) Which version of iRedMail are you running? (Check the file /etc/iredmail-release.)
*) Do you have 'smtpd_tls_auth_only=yes' in /etc/postfix/main.cf? This is the default setting in iRedMail.


Sorry, my fault. The default setting is smtpd_tls_auth_only=yes; I might have changed that while testing:

Default setting for ESMTPA (SMTPAuth) in iRedMail 0.9.2:
- ports 25 and 587: accept AUTH ONLY for STARTTLS

ZhangHuangbin wrote:

If you really need a port which allows plain text, add a new entry in /etc/postfix/master.cf with a non-standard port number and use it internally.

Good idea, I will do that...

ZhangHuangbin wrote:
Peter wrote:

No STARTTLS for SMTP on port 25, and SSL/TLS socket connections on port 465 are deprecated, correct?

Again, with current iRedMail release (v0.9.2), STARTTLS on port 25 is supported and enabled by default.

I'm confused. Are we talking about the same thing? I'm talking about SMTP (MTA) and not ESMTPA (submission). For SMTP (MTA) there is no STARTTLS after you "enabled Opportunistic TLS support with Postfix with reported errors"?

10

Re: Secure Connection SSL / STARTTLS

Peter wrote:

I'm talking about SMTP (MTA) and not ESMTPA (submission). For SMTP (MTA) there is no STARTTLS after you "enabled Opportunistic TLS support with Postfix with reported errors"?

I'm confused, not quite sure what your question is.

With opportunistic TLS support enabled, the sender server (not your server) is supposed to establish a secure connection first; if that fails, it falls back to a plain connection. The problem is:

1) Not all MTAs support this. This is fine, because it goes with a plain connection.
2) Not all MTAs are well implemented. This may cause incompatibility issues and cause the SMTP session to fail -- mail was not delivered to your server (recipient).

By the way, a self-signed SSL certificate may cause issues in this case too, and maybe most incompatibility issues were caused by self-signed SSL certs. We have a user who reported no issue at all with a bought SSL cert. So I'm not very sure whether it's caused by MTA incompatibility or by a self-signed SSL cert.

Obviously, it's strongly recommended to buy an SSL cert to avoid potential SSL/TLS related issues. iRedMail cannot ship a bought SSL certificate for users, and I clearly know many users use the default self-signed cert, so it's not a good idea for iRedMail to enable opportunistic TLS support with a self-signed cert by default.

11

Re: Secure Connection SSL / STARTTLS

This is clear (port 25 for MTA: STARTTLS or plain text):

mir wrote:

It depends on configuration, but most MTAs will try port 25 and, if configured to use TLS, try STARTTLS and fall back to plain text.

After that you wrote:

ZhangHuangbin wrote:

In an old iRedMail release, we enabled opportunistic TLS support with the Postfix setting 'smtp_tls_security_level=may', but it turned out to cause issues like not being able to receive email from some mail servers (reported by users in this forum), so we turned it off by default.

Did you mean by "turn it off" port 25 for MTA only plain text (that's what I understand)?

And today you wrote:

ZhangHuangbin wrote:

Again, with current iRedMail release (v0.9.2), STARTTLS on port 25 is supported and enabled by default.

Did you mean port 25 for MTA STARTTLS or plain text (so you turned it on again)?

12

Re: Secure Connection SSL / STARTTLS

UPDATE: I checked the iRedMail source code; opportunistic TLS support is enabled by default. Sorry about my mistake in the last reply.

I'm now confused about what questions you're asking; sorry about my poor English and not clearly understanding your questions.
How about this: you list your questions again, without mentioning others' replies? I will try to reply with a clear explanation.

13 (edited by Peter 2015-06-19 01:43:58)

Re: Secure Connection SSL / STARTTLS

No problem, I guess my English is not better either...

Maybe there are two important things to get confused about:

terminology
we mean different things but use the same word, or we use different words but mean the same thing. See http://doc.samplezone.ch/iredmail/versi … unication/

usage
it's not the same if a user sends an email from his program or two servers communicate with each other. Both can be configured differently (port, encryption enable/disable).


I'll investigate a little more before my questions...

14

Re: Secure Connection SSL / STARTTLS

OK, feel free to post here.

15

Re: Secure Connection SSL / STARTTLS

One question for your document here: http://doc.samplezone.ch/iredmail/versi … unication/

You mention this:

- terminology: STARTTLS
- tcp socket: insecure, Plain Text Socket
- data: secure, SSL/TLS Channel

What does 'insecure tcp socket' mean?

Also, I don't know why you call it the "ESMTPA(uth)" protocol; it should be "submission". It's also defined in /etc/services.

16

Re: Secure Connection SSL / STARTTLS

ZhangHuangbin wrote:

What does 'insecure tcp socket' mean?

Not encrypted, plain text.

My assumption: encryption/decryption for an SSL/TLS socket connection happens on another level (socket level -> TCP data is encrypted) than a STARTTLS-secured data flow (application level -> data is encrypted). But maybe that's wrong and in both cases encryption/decryption is done at exactly the same level.


ZhangHuangbin wrote:

Also, I don't know why you call it the "ESMTPA(uth)" protocol; it should be "submission". It's also defined in /etc/services.

I got ESMTPA from Wikipedia: https://en.wikipedia.org/wiki/Mail_subm … entication. Before that I used SMTP Auth. In both cases you see instantly that the protocol is based on SMTP; I like that.

When it comes to configuration, it's maybe better to use "submission" as you suggest. I'll change that.