From: "Jonathan Tripathy" on 2 Mar 2010 03:41

Here is my 2 pence (please someone correct me if I'm wrong).

STARTTLS and TLS do eventually use the TLS protocol (which I think is just an updated version of SSL). The difference is that with STARTTLS, the SMTP client (e.g. Thunderbird) will connect to the server unencrypted, then if the SMTP server (Postfix) announces "STARTTLS", Thunderbird will negotiate a key exchange and then continue the rest of the connection encrypted. With "normal" TLS, the encrypted connection happens from the start, and both server and client will need keys on each end set up beforehand.

That's my take on it...

-----Original Message-----
From: owner-postfix-users(a)postfix.org on behalf of Stan Hoeppner
Sent: Tue 3/2/2010 07:51
To: postfix-users(a)postfix.org
Subject: Re: tls vs ssl

Daniel L. Miller put forth on 3/2/2010 1:18 AM:
> OK - I'm an idiot. I'll just admit that up front and get it out of the
> way.
>
> Now that that's settled, what is the difference between "SSL" and "TLS"
> in a MUA - particularly Thunderbird - in a Postfix context?
>
> I would have sworn I used to use Thunderbird with "SSL" specified and
> connected to my Postfix servers fine. Now, I can only connect in "TLS"
> mode. What did I break?

It's unlikely you'd forget setting up SSL. You would have likely created a self-signed server certificate and would have installed it on all clients connecting to the server, just as must be done with web browsers connecting to a secure site for the first time. You've likely been using STARTTLS only, which doesn't require a key exchange as SSL/TLS does. STARTTLS != TLS.

--
Stan
From: Charles Marcus on 2 Mar 2010 12:18

On 2010-03-02 2:51 AM, Stan Hoeppner wrote:
> You've likely been using STARTTLS only, which doesn't require a key exchange
> as SSL/TLS does.

? You sure about that? I use only STARTTLS, and I always have to do the 'Confirm Security Exception' dance to accept the certificate the first time I send a message in Thunderbird...

--
Best regards,
Charles
From: Wietse Venema on 2 Mar 2010 12:52

Charles Marcus:
> On 2010-03-02 2:51 AM, Stan Hoeppner wrote:
> > You've likely been using STARTTLS only, which doesn't require a key exchange
> > as SSL/TLS does.
>
> ? You sure about that? I use only STARTTLS, and I always have to do the
> 'Confirm Security Exception' dance to accept the certificate the first
> time I send a message in Thunderbird...

Port 24 and 587: TCP handshake, SMTP handshake, client sends STARTTLS, TLS handshake, SMTP handshake, MAIL transaction, ...

Port 465: TCP handshake, TLS handshake, SMTP handshake, MAIL transaction, ...

Details are in RFC 3207.

Wietse
From: "Daniel L. Miller" on 2 Mar 2010 14:33

Timo Sirainen wrote:
>> I would have sworn I used to use Thunderbird with "SSL" specified and
>> connected to my Postfix servers fine. Now, I can only connect in "TLS"
>> mode. What did I break?
>>
>
> You no longer have smtps port enabled?
>

Excerpted from master.cf - using non-standard port numbers for internal use and testing:

192.168.0.110:125 inet n - - - - smtpd
  -o syslog_name=frominternet
  -o smtpd_proxy_filter=
  -o myhostname=Postfix-ASSP.amfeslan.local

Connect with Thunderbird to this address & port set to no encryption - works.

192.168.0.110:126 inet n - - - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Connect with Thunderbird to this address & port set to TLS - works. SSL does not.

192.168.0.110:127 inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Connect with Thunderbird to this address & port set to TLS - works. SSL does not.

By "SSL does not work" I mean:
1. I see a connection in the Postfix log - but nothing further happens.
2. Thunderbird works and works at sending ... and then times out with an error - "Sending of message failed".

--
Daniel
From: Victor Duchovni on 2 Mar 2010 14:41

On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:
> 192.168.0.110:126 inet n - - - - smtpd
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> connect with Thunderbird to this address & port set to TLS - works. SSL
> does not.

Why do you expect SMTP after SSL to work on a port that supports SSL after SMTP?

http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
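The two connection sequences Wietse lists, and the hang Daniel describes, can be reproduced offline. The script below is an added example and is not code from the thread or from Postfix. It opens a TCP connection and simply waits: a STARTTLS port (the smtpd entries Daniel posted, with smtpd_tls_security_level set) greets the client with a plaintext 220 banner and advertises STARTTLS in the EHLO reply, while a wrapper-mode port (smtpd_tls_wrappermode=yes, the smtps/465 pattern) says nothing until a TLS handshake has completed, so a client that expects a banner first waits until it times out, and a wrapper-mode client pointed at a STARTTLS port waits for a TLS ServerHello that never comes. The two fake servers, the host names and the reply strings are constructed for the demonstration; no real TLS handshake is performed, the probe only observes which side is expected to speak first.

```python
import socket
import threading

# Constructed replies for the in-process fake servers below; they imitate the
# shape of Postfix smtpd output but are not captured from a real server.
BANNER = b"220 mail.example.test ESMTP Postfix\r\n"
EHLO_REPLY = b"250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"


def _reply_complete(reply):
    """An SMTP reply ends with a line whose code is followed by a space, not '-'."""
    return any(line.startswith(b"250 ") for line in reply.split(b"\r\n"))


def probe_smtp_port(host, port, timeout=1.0):
    """Classify how a port expects TLS to be set up, without doing a TLS handshake.

    'starttls': a plaintext 220 banner arrives and EHLO advertises STARTTLS
                (RFC 3207; Wietse's first sequence, the 25/587 pattern).
    'plain'   : a banner arrives but STARTTLS is not offered.
    'wrapper' : nothing arrives before the client speaks; the server is waiting
                for a TLS ClientHello (smtpd_tls_wrappermode=yes; Wietse's
                second sequence, the 465 pattern). A client set to STARTTLS on
                such a port, or to wrapper-mode SSL on a STARTTLS port, waits
                for the other side and eventually times out.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            banner = s.recv(512)
        except socket.timeout:
            return "wrapper"
        if not banner.startswith(b"220"):
            return "unknown"
        s.sendall(b"EHLO probe.example.test\r\n")
        reply = b""
        while not _reply_complete(reply):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
        caps = {line[4:].split(b" ")[0].upper()
                for line in reply.split(b"\r\n") if line.startswith(b"250")}
        s.sendall(b"QUIT\r\n")
        try:
            s.recv(128)
        except socket.timeout:
            pass
        return "starttls" if b"STARTTLS" in caps else "plain"


# --- fake servers used only for the offline demonstration -------------------

def _serve_starttls_style(conn):
    """Plaintext SMTP first, TLS only after the client asks (587 style)."""
    conn.sendall(BANNER)
    conn.recv(1024)                 # EHLO
    conn.sendall(EHLO_REPLY)
    conn.recv(1024)                 # QUIT
    conn.sendall(b"221 2.0.0 Bye\r\n")


def _serve_wrapper_style(conn):
    """Wrapper mode: say nothing until a TLS handshake completes (465 style)."""
    conn.settimeout(5.0)
    try:
        conn.recv(1024)             # would be the ClientHello; the probe never sends one
    except socket.timeout:
        pass


def start_fake_server(handler):
    """Listen on a loopback ephemeral port, serve one connection in a thread, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        with srv:
            conn, _ = srv.accept()
            with conn:
                handler(conn)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe one fake server of each kind; returns {'starttls': ..., 'wrapper': ...}."""
    return {name: probe_smtp_port("127.0.0.1", start_fake_server(handler))
            for name, handler in (("starttls", _serve_starttls_style),
                                  ("wrapper", _serve_wrapper_style))}


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}-style fake server -> probe classifies it as {mode!r}")
```

Against a real server the same distinction shows up with openssl: `openssl s_client -connect host:587 -starttls smtp` speaks SMTP first and only then negotiates TLS, whereas `openssl s_client -connect host:465` starts with the TLS handshake; use the wrong one and it hangs exactly as Thunderbird did. On the Postfix side the wrapper-mode listener is a separate master.cf entry with `-o smtpd_tls_wrappermode=yes` (the stock master.cf ships a commented-out `smtps` entry of that form), which is what Thunderbird's "SSL" setting needs; the `-o smtpd_tls_security_level=...` entries Daniel posted only ever offer STARTTLS.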