LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-19-2011, 11:59 PM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Rep: Reputation: 69
A question about smtp over ssl...


I've been doing a few experiments with smtp. I have postfix setup with auth plain. I've always wanted to see if ssl was really needed so I setup tcpdump to sniff the traffic. I sent an email on my iphone which uses my postfix smtp server. Then in the dump I could see my base64 string which decodes to usernamepassword. Ok so I decided that I really need to turn on ssl.

So I recompile postfix with TLS and put in a self signed cert. I then fire up postfix again (with smtpd_tls_auth_only=yes) and then send another email on my iphone(after i configure my phone to use ssl for smtp) while running tcpdump. I then take a look at the dump. I'm assuming it uses auth plain still. I can see the EHLO host then the greeting the my phone choosing STARTTLS command in the dump being executed. Anyhow, the base64 string cannot be found, which is great, just what I want. However, the email, including the data, is all in plaintext. I just want to make sure that I'm not doing anything wrong. So smtp over ssl only hides the authentication part, but the actual email message is sent via plaintext? Or is it because I ran tcpdump from my server on port 25 and the data gets unencrypted on that port when starttls is run? In any case I never saw the auth plain server command or the base64 string.

Last edited by trist007; 03-20-2011 at 12:25 AM.
 
Old 03-20-2011, 12:43 AM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 332Reputation: 332Reputation: 332Reputation: 332
You specified only encrypt authentication. To encrypt everything, use:

Code:
smtpd_tls_security_level = encrypt
smtpd_enforce_tls = yes
See: Postfix TLS Support

Note that the message is encrypted only between the client and server. You have to separately encrypt the body if you want end-to-end encryption.

Last edited by macemoneta; 03-20-2011 at 12:45 AM.
 
Old 03-20-2011, 01:13 PM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
I enabled both of those
Code:
smtpd_tls_security_level = encrypt
smtpd_enforce_tls = yes
and removed this one
Code:
smtpd_tls_auth_only = yes
I see that smtpd_enforce_tls = yes is not really necessary since it's deprecated (Postfix 2.3 or later). Anyhow, I added it in.
From what I've read these commands only accept mail if TLS is turned on. There's no mention about it encrypting the whole message unless that's the default which would make sense. Anyhow I can still see the email body in plaintext in my dump.
I running this command for the sniff
Code:
tcpdump -vv -x -X -s 1500 'port 25' > dump.log
Or is it simply because I'm sniffing on the mail server where it gets unencrypted.

At what point does the email get unencrypted?

I'm going to test it out and sniff on my gateway instead.

Last edited by trist007; 03-20-2011 at 01:32 PM.
 
Old 03-20-2011, 01:36 PM   #4
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 332Reputation: 332Reputation: 332Reputation: 332
In that case, you probably want to enable debugging to see what's happening.

Code:
smtp_tls_loglevel = 2
You may need a higher level (3 or 4) to see what's happening with the message body.

Last edited by macemoneta; 03-20-2011 at 01:37 PM.
 
Old 03-20-2011, 01:51 PM   #5
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
Ran the sniffer on the gateway and still I can see the DATA in plaintext. Ok I'll try that.
 
Old 03-20-2011, 02:04 PM   #6
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
Talking

Here's the log from /var/log/maillog withsmtp_tls_loglevel = 2 in the main.cf
Code:
Mar 20 12:51:59 hostname postfix/postfix-script[32714]: refreshing the Postfix mail system
Mar 20 12:51:59 hostname postfix/master[32673]: reload -- version 2.6.1, configuration /etc/postfix
Mar 20 12:51:59 hostname postfix/anvil[32694]: statistics: max connection rate 1/60s for (smtp:domain) at Mar 20 12:48:59
Mar 20 12:51:59 hostname postfix/anvil[32694]: statistics: max connection count 1 for (smtp:domain) at Mar 20 12:48:59
Mar 20 12:51:59 hostname postfix/anvil[32694]: statistics: max cache size 1 at Mar 20 12:48:59
Mar 20 12:58:59 hostname postfix/smtpd[323]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Mar 20 12:58:59 hostname postfix/smtpd[323]: connect from unknown[domain]
Mar 20 12:58:59 hostname postfix/smtpd[323]: setting up TLS connection from unknown[domain]
Mar 20 12:59:00 hostname postfix/smtpd[323]: Anonymous TLS connection established from unknown[domain]: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar 20 12:59:00 hostname postfix/smtpd[323]: 5B8ABC0002: client=unknown[domain], sasl_method=PLAIN, sasl_username=user
Mar 20 12:59:00 hostname postfix/cleanup[328]: 5B8ABC0002: message-id=<47A498DA-2D24-47CA-B5A7-F00EF50276FC@domain.net>
Mar 20 12:59:00 hostname postfix/qmgr[32720]: 5B8ABC0002: from=<user@domain.net>, size=571, nrcpt=1 (queue active)
Mar 20 12:59:00 hostname postfix/smtp[329]: 5B8ABC0002: to=<thartanian@domain.com>, relay=mail.domain.net[domain]:25, delay=0.36, delays=0.1/0/0.14/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A0F22F0067)
Mar 20 12:59:00 hostname postfix/qmgr[32720]: 5B8ABC0002: removed
Mar 20 13:00:00 hostname postfix/smtpd[323]: disconnect from unknown[domain]
main.cf
Code:
smtpd_use_tls = yes
smtpd_enforce_tls = yes
smtp_tls_loglevel = 2
smtpd_tls_security_level = encrypt
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
#smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
smtpd_tls_loglevel = 1
I don't have a CA file. The SSL still works so I figured it wasn't necessary. Unless it is.

Nothing that really tells me much.

Last edited by trist007; 03-20-2011 at 03:00 PM.
 
Old 03-20-2011, 02:40 PM   #7
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 332Reputation: 332Reputation: 332Reputation: 332
The quick start for TLS seems to imply that certificate setup is required.
 
Old 03-20-2011, 02:54 PM   #8
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
Ah I see why. I'm using a relayhost which does not have TLS, that's what I'm seeing in the dump. That makes sense now. I'll just setup the relay host to use tls. OK great. Thanks guys.
 
Old 03-20-2011, 04:14 PM   #9
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
One thing worth noting. In order to get my postfix server to use starttls when he talks to the relayhost you need to add this line to your main.cf.
Code:
smtp_tls_security_level = encrypt
Note the use of 'smtp' instead of 'smtpd.'
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] SMTP SSL in chrooted webroot. Kraiser10 Linux - Software 5 04-01-2010 07:44 AM
Q: SMTP redirect to exchange over SSL r0b0jerk Linux - Networking 2 10-06-2009 01:07 PM
SMTP Server with SSL auth Penn Linux - Server 1 04-06-2009 04:51 AM
qmail ssl and smtp not working together shmude Linux - Software 0 11-02-2005 08:02 PM
noob question about pop/smtp and ssl caid Linux - Security 3 02-16-2004 07:17 PM


All times are GMT -5. The time now is 08:44 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration