
Re: SMTP client has now experimental SSL/TLS code ...



Hello.

> Date sent:      Fri, 3 Dec 1999 02:59:16 +0200
> From:           Matti Aarnio <mea@nic.funet.fi>
> Subject:        SMTP client has now experimental SSL/TLS code ...

> Following is *only* for brave experimenters, but feedback
> is most welcome :)

First attempts are done. No effect, meaning no attempts to establish
TLS connections were found, just normal unencrypted operation. And no
error diagnostics in the normal scheduler or smtp logs, so the "-S" key and
parameter seem to be accepted. And ignored.

Surely, STARTTLS is present in the remote reply. And the whole openssl, key
and cert stuff is working successfully with the smtpserver part.

Reading the smtp.c code now...


> 
> I am of course referring to CVS accessible source right now,
> instructions at  http://www.zmailer.org/anoncvs.html
> 
> Ok, I did a few sets of changes over a last few days:
>  - Autoconfigured the  Sfio  library to fit ZMailer environment
>  - Implemented ways to have simultaneously FILE * and Sfio_t *
>    type streams in the source module
>  - Changed  smtp  TA internal structures so that the outbound SMTP
>    stream is Sfio_t object, and anchored there our own discipline
>    processors - e.g. instead of  write(2),  there is something more
>    complicated, which *can* be  SSL_write(3).
>  - Recycled/updated  all OpenSSL using stuff (as much as possible)
>    from PostFix SSL/TLS patches by Lutz Jaenicke
> 
> I haven't tested the TLS mode client at all yet.   And to be exact,
> the current server TLS session cache code at the very least doesn't leave any
> objects in the cache - as if it doesn't quite work..
> But it *does* receive email over SSL:
> 
> Received: from mea.line.inet.fi ([IPv6:::ffff:194.252.71.66]:42500 "EHLO
>         sonera.fi" ident: "IDENT-NONSENSE" smtp-auth: "mea" TLS-CIPHER:
>         "EXP-RC4-MD5 keybits 40/128 version TLSv1/SSLv3") by mea.tmt.tele.fi
>         with ESMTP id <S92348AbPLCAeJ>; Fri, 3 Dec 1999 02:34:09 +0200   
> 
> The SMTP Client code seems to work just fine as long as it isn't parametrized
> to use TLS mode, thus limited scope tests are possible while system runs
> normal processing.
> 
> If you decide to try the CLIENT code, you will need:
> - proto/smtp-tls.conf
>     Which you shall place somewhere convenient, and fill in all the
>     proper things - although possibly you don't need much of anything
>     to take advantage of SSL encrypted transport
>     (This one I really haven't tried yet, I don't quite know how
>      those things should be set up... Do refer to PostFix things
>      mentioned at  doc/guides/openssl )
> - Add "-S $MAILSHARE/smtp-tls.conf" to those smtp commands which you
>   want to send stuff out using SSL.
> - Target servers enabled to receive email via STARTTLS mode.
> 
> You may even decide that it would be nice to have a  "smtptls"  channel
> to which you can route domains at  $MAILVAR/db/routes, and then run a
> special   smtp-tls-mandatory.conf  setup file for the  smtp TA.
> ( That has uncommented "demand-tls-mode" command )
> 
> Without "demand-tls-mode" an SSL-enabled SMTP TA should, if the remote shows
> the "STARTTLS" capability, open an encrypted session.  With that demand flag,
> if the remote does not show "STARTTLS" or TLS starting fails, delivery
> will hard-fail with security mode unavailability (5.7.4).
> 
> -- 
> /Matti Aarnio   <mea@nic.funet.fi>
>
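The opportunistic versus mandatory STARTTLS behaviour described at the end of the quoted message, worked through as an added example that is not ZMailer's smtp TA code: a scripted stand-in server (constructed here, no network) answers EHLO and STARTTLS, the client parses the capability list, and a demand_tls switch selects between continuing in the clear and hard-failing with 5.7.4. The FakeServer, the helper names and the fall-back to plaintext after a refused STARTTLS in opportunistic mode are this example's own assumptions; tls_attempted is the check the reporter was missing in the logs, whether a STARTTLS was ever sent.

```python
"""Opportunistic vs. mandatory STARTTLS policy for an SMTP client.

Added example modelled on the behaviour described in the thread (open TLS
if the peer advertises STARTTLS; with demand-tls-mode hard-fail with 5.7.4
when it does not, or when STARTTLS fails).  The FakeServer, the function
names and the fallback-to-plaintext choice are this example's own, not
ZMailer code.
"""


class DeliveryError(Exception):
    """Permanent delivery failure carrying an RFC 3463 enhanced status code."""

    def __init__(self, enhanced, text):
        super().__init__(f"{enhanced} {text}")
        self.enhanced = enhanced
        self.text = text


class FakeServer:
    """Constructed stand-in for the remote MTA: answers one command at a time
    and records the dialogue so the exchange can be inspected offline."""

    def __init__(self, advertise_starttls=True, tls_ok=True):
        self.advertise_starttls = advertise_starttls
        self.tls_ok = tls_ok
        self.tls_active = False
        self.transcript = []  # list of ("C" | "S", line)

    def send(self, line):
        self.transcript.append(("C", line))
        verb = line.split(None, 1)[0].upper()
        if verb == "EHLO":
            reply = ["250-mail.example.net Hello", "250-8BITMIME"]
            # RFC 3207: STARTTLS is not advertised once TLS is active
            if self.advertise_starttls and not self.tls_active:
                reply.append("250-STARTTLS")
            reply.append("250 SIZE 10240000")
        elif verb == "STARTTLS":
            if not self.advertise_starttls:
                reply = ["500 5.5.1 Command unrecognized"]
            elif self.tls_ok:
                self.tls_active = True  # a real peer would now run SSL_accept
                reply = ["220 2.0.0 Ready to start TLS"]
            else:
                reply = ["454 4.7.0 TLS not available due to temporary reason"]
        else:
            reply = ["502 5.5.2 Command not implemented"]
        self.transcript.extend(("S", r) for r in reply)
        return reply


def parse_ehlo(reply):
    """Map EHLO keywords to their parameters from a multi-line 250 reply.
    The first 250 line is the greeting, not a capability (RFC 5321 4.1.1.1)."""
    if not reply or not reply[0].startswith("250"):
        raise DeliveryError("5.5.0", f"EHLO rejected: {reply[0] if reply else 'no reply'}")
    caps = {}
    for line in reply[1:]:
        if len(line) < 4 or not line.startswith("250"):
            raise DeliveryError("5.5.0", f"malformed EHLO line: {line!r}")
        keyword, _, params = line[4:].strip().partition(" ")
        caps[keyword.upper()] = params
    return caps


def negotiate(server, helo_name, demand_tls=False):
    """Return ("tls" | "plaintext", caps) for the session, or raise 5.7.4.

    demand_tls=False is the opportunistic mode: use STARTTLS when offered,
    otherwise (or if the peer refuses it) continue in the clear; the
    plaintext fallback after a refused STARTTLS is this example's choice.
    demand_tls=True mirrors demand-tls-mode: no working STARTTLS, no delivery.
    """
    caps = parse_ehlo(server.send(f"EHLO {helo_name}"))
    if "STARTTLS" not in caps:
        if demand_tls:
            raise DeliveryError("5.7.4", "security mode unavailable: peer does not offer STARTTLS")
        return "plaintext", caps
    reply = server.send("STARTTLS")
    if not reply[0].startswith("220"):
        if demand_tls:
            raise DeliveryError("5.7.4", f"security mode unavailable: STARTTLS refused ({reply[0]})")
        return "plaintext", caps
    # A real client runs the TLS handshake here (SSL_connect) and, on
    # success, must discard everything learned before and re-issue EHLO.
    caps = parse_ehlo(server.send(f"EHLO {helo_name}"))
    return "tls", caps


def tls_attempted(server):
    """The check the thread starter was after: did the client ever send STARTTLS?"""
    return ("C", "STARTTLS") in server.transcript


if __name__ == "__main__":
    for demand in (False, True):
        for srv in (FakeServer(), FakeServer(advertise_starttls=False), FakeServer(tls_ok=False)):
            try:
                mode, _ = negotiate(srv, "mta.example.org", demand_tls=demand)
                print(f"demand={demand}: {mode}, STARTTLS sent={tls_attempted(srv)}")
            except DeliveryError as e:
                print(f"demand={demand}: hard fail {e}")
```

Against a real peer the transcript list is what you would grep the smtp TA logs for: a "-S" that is really in effect shows a client STARTTLS line after the EHLO, and in demand mode a 5.7.4 bounce when the peer lacks it, whereas the reporter's symptom (plain EHLO, MAIL FROM, no STARTTLS, no diagnostics) is what the opportunistic branch looks like when the capability parse never sees STARTTLS.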