Tuesday, May 3, 2011

How do SMTP clients determine whether to use Explicit or Implicit SSL

Most mail clients that support SSL/TLS only require the user to say whether or not SSL should be enabled. The user doesn't have to know anything about Explicit & Implicit SSL and the differences between them.

So, how does the mail client determine which type of SSL to use? Is it based on default port numbers? Does it just try one and then the other?

From stackoverflow
  • I believe most clients that support SMTP over SSL start out with an unencrypted connection and issue an EHLO rather than HELO. The former has extra flag responses, one of which indicates whether the server supports the STARTTLS command or not. If they do, then the client can use STARTTLS, and then use SSL from that point on.

    Example:

    % telnet quack.kfu.com 25
    220 quack.kfu.com ESMTP ready NO UCE
    EHLO client
    250-quack.kfu.com Hello client [xx.xx.xx.xx] (may be forged), pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE 25000000
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250-DELIVERBY
    250 HELP
    starttls
    220 2.0.0 Ready to start TLS
    
    SharePoint Newbie: EHLO just indicates that the server supports extended SMTP. IMHO SSL is negotiated before the SMTP conversation.
    nsayer: @unknown - no, SSL is not negotiated before that. You connect to an SMTP server plain, then "starttls" and engage SSL at that point.
    nsayer: @jbutler: I've never heard before today of SMTP servers listening with SSL on port 465. If you do configure an SMTP server to work that way, then you would have to connect to that port and immediately begin negotiating SSL before sending EHLO/HELO. In that circumstance, I would expect EHLO to not report STARTTLS, since it would be redundant.
  • A mail client must know if implicit SSL is in use when it connects, as it is responsible for initiating the SSL handshake with a ClientHello message. How it determines this is up to the client. Port numbers are a great hint, but there could also be a check box in some UI that forces it even when the standard (unprotected) port number is used.

    There are IANA registered port numbers for secure mail, but some ISPs may use other ports.

    • IMAP/SSL: 993
    • POP3/SSL: 995

    SMTP/SSL is often offered on port 465, but this is not registered, and is less common since support for explicit SSL is widely supported by SMTP agents.

    Support for explicit SSL can be advertised by a server using a protocol-specific negotiation. For example, when a client connects to an SMTP server, and issues the EHLO command, the server will list its capabilities, which might include support for the STARTTLS command.
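The two answers above describe the same client-side decision: pick implicit TLS (handshake before any SMTP traffic) by port or by a user setting, otherwise connect in the clear, send EHLO, and only continue once STARTTLS is advertised. The following is an added example written for this page, not code from either answer; the port set, the hostnames and the sample EHLO reply are assumptions, and a client that cannot get an encrypted channel refuses to proceed rather than falling back to plaintext.

```python
import smtplib
import ssl

# Assumption: 465 is the only port treated as implicit TLS (SMTPS). Every other
# port is handled as "plain connection, then STARTTLS", as the answers describe.
IMPLICIT_TLS_PORTS = {465}

def choose_mode(port: int, force_implicit: bool = False) -> str:
    """'implicit' = TLS handshake before EHLO; 'explicit' = EHLO, then STARTTLS."""
    if force_implicit or port in IMPLICIT_TLS_PORTS:
        return "implicit"
    return "explicit"

def parse_ehlo(reply: str) -> set[str]:
    """Collect capability keywords from a multi-line 250 EHLO reply.
    The first 250 line is the greeting, not a capability, so it is skipped."""
    caps = set()
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        words = line[4:].split()          # drop the "250-" / "250 " prefix
        if line.startswith("250") and words:
            caps.add(words[0].upper())    # "AUTH PLAIN LOGIN" -> "AUTH"
    return caps

def supports_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)

def secure_session(host: str, port: int, force_implicit: bool = False) -> smtplib.SMTP:
    """Return an SMTP session that is encrypted before any credentials are sent."""
    ctx = ssl.create_default_context()    # verifies certificate chain and hostname
    if choose_mode(port, force_implicit) == "implicit":
        return smtplib.SMTP_SSL(host, port, context=ctx, timeout=30)
    conn = smtplib.SMTP(host, port, timeout=30)
    conn.ehlo()
    if not conn.has_extn("starttls"):     # server did not list 250-STARTTLS
        conn.quit()
        raise RuntimeError(f"{host}:{port} does not advertise STARTTLS; refusing plaintext")
    conn.starttls(context=ctx)
    conn.ehlo()                           # capabilities can change after the upgrade
    return conn

# Constructed EHLO reply modelled on the transcript above (hostname is a placeholder).
SAMPLE_EHLO = """250-mail.example.net Hello client [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP"""
```

Calling `secure_session("mail.example.net", 587)` performs the explicit path end to end; `secure_session(host, 465)` skips EHLO and hands the socket to TLS first, which is why such a server would not need to advertise STARTTLS.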
