
SMTP client has now experimental SSL/TLS code ...



The following is *only* for brave experimenters, but feedback
is most welcome :)

I am of course referring to the CVS-accessible source right now,
instructions at  http://www.zmailer.org/anoncvs.html

Ok, I did a few sets of changes over the last few days:
 - Autoconfigured the  Sfio  library to fit the ZMailer environment
 - Implemented ways to have simultaneously FILE * and Sfio_t *
   type streams in the same source module
 - Changed the  smtp  TA internal structures so that the outbound SMTP
   stream is an Sfio_t object, and anchored there our own discipline
   processors - e.g. instead of  write(2),  there is something more
   complicated, which *can* be  SSL_write(3).
 - Recycled/updated all OpenSSL-using stuff (as much as possible)
   from the PostFix SSL/TLS patches by Lutz Jaenicke

I haven't tested the TLS mode client at all yet.   And to be exact,
the current server TLS session cache code at the very least doesn't
leave any objects in the cache - as if it doesn't quite work..
But it *does* receive email over SSL:

Received: from mea.line.inet.fi ([IPv6:::ffff:194.252.71.66]:42500 "EHLO
        sonera.fi" ident: "IDENT-NONSENSE" smtp-auth: "mea" TLS-CIPHER:
        "EXP-RC4-MD5 keybits 40/128 version TLSv1/SSLv3") by mea.tmt.tele.fi
        with ESMTP id <S92348AbPLCAeJ>; Fri, 3 Dec 1999 02:34:09 +0200   

The SMTP client code seems to work just fine as long as it isn't parametrized
to use TLS mode, thus limited-scope tests are possible while the system runs
normal processing.

If you decide to try the CLIENT code, you will need:
- proto/smtp-tls.conf
  Which you shall place somewhere convenient, and fill in all the
  proper things - although possibly you don't need much of anything
  to take advantage of SSL-encrypted transport.
  (This one I really haven't tried yet; I don't quite know how
   those things should be set up... Do refer to the PostFix things
   mentioned at  doc/guides/openssl )
- Add "-S $MAILSHARE/smtp-tls.conf" to those smtp commands with which you
  want to send stuff out using SSL.
- Target servers enabled to receive email via STARTTLS mode.

You may even decide that it would be nice to have an  "smtptls"  channel
to which you can route domains at  $MAILVAR/db/routes, and then run a
special   smtp-tls-mandatory.conf  setup file for the  smtp TA.
( That one has the "demand-tls-mode" command uncommented. )

Without "demand-tls-mode" an SSL-enabled SMTP TA should, if the remote shows
the "STARTTLS" capability, open an encrypted session.  With that demand flag,
if the remote does not show "STARTTLS" or TLS starting fails, delivery
will hard-fail with security mode unavailability (5.7.4).

-- 
/Matti Aarnio	<mea@nic.funet.fi>
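The opportunistic-versus-mandatory decision described above (open TLS when STARTTLS is advertised; with the demand flag, hard-fail 5.7.4 when it is not advertised or the TLS start fails), as an added Python example that is not ZMailer's code. The EHLO and STARTTLS replies are constructed sample data, the function names are assumed, and the plaintext fallback after a failed STARTTLS without the demand flag is an assumption the post does not state.

```python
import re

# Constructed sample EHLO replies (assumed data, not from the post).
EHLO_WITH_STARTTLS = "250-mx.example.net\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_NO_STARTTLS = "250-mx.example.net\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"
STARTTLS_OK = "220 2.0.0 Ready to start TLS\r\n"
STARTTLS_FAIL = "454 4.7.0 TLS not available due to temporary reason\r\n"


def parse_ehlo(reply):
    """Return the set of EHLO keywords from a multi-line 250 reply.

    Each line is '250-<text>' (more lines follow) or '250 <text>' (last line);
    the first line carries the server's domain, not a keyword.
    """
    lines = reply.rstrip("\r\n").split("\r\n")
    caps = set()
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(.*)$", line)
        if m is None:
            raise ValueError("EHLO rejected or malformed reply: %r" % line)
        sep, text = m.groups()
        last = (i == len(lines) - 1)
        if (sep == " ") != last:
            raise ValueError("bad multi-line continuation at: %r" % line)
        if i > 0 and text:
            caps.add(text.split()[0].upper())
    return caps


def decide_tls(ehlo_reply, starttls_reply, demand_tls):
    """Decide how delivery proceeds after EHLO (assumed helper, not ZMailer's).

    starttls_reply is the server's answer to STARTTLS, or None if it was never
    sent.  Returns ('tls', None), ('plain', None) or ('fail', reason) where
    reason starts with the enhanced status code 5.7.4.
    """
    caps = parse_ehlo(ehlo_reply)
    if "STARTTLS" not in caps:
        if demand_tls:
            return ("fail", "5.7.4 security mode unavailable: no STARTTLS offered")
        return ("plain", None)          # opportunistic mode: deliver in clear
    # STARTTLS advertised: an SSL-enabled client always attempts it.
    if starttls_reply is not None and starttls_reply.startswith("220"):
        return ("tls", None)            # handshake proceeds over the same socket
    if demand_tls:
        return ("fail", "5.7.4 security mode unavailable: STARTTLS failed")
    return ("plain", None)              # assumed fallback without the demand flag
```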