LinuxQuestions.org
Old 03-19-2011, 10:59 PM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Rep: Reputation: 70
A question about smtp over ssl...


I've been doing a few experiments with SMTP. I have Postfix set up with AUTH PLAIN. I've always wanted to see if SSL was really needed, so I set up tcpdump to sniff the traffic. I sent an email on my iPhone, which uses my Postfix SMTP server. Then in the dump I could see my base64 string, which decodes to usernamepassword. OK, so I decided that I really need to turn on SSL.

So I recompile Postfix with TLS and put in a self-signed cert. I then fire up Postfix again (with smtpd_tls_auth_only=yes) and then send another email on my iPhone (after I configure my phone to use SSL for SMTP) while running tcpdump. I then take a look at the dump. I'm assuming it uses AUTH PLAIN still. I can see the EHLO host, then the greeting, then my phone choosing the STARTTLS command in the dump being executed. Anyhow, the base64 string cannot be found, which is great, just what I want. However, the email, including the data, is all in plaintext. I just want to make sure that I'm not doing anything wrong. So SMTP over SSL only hides the authentication part, but the actual email message is sent via plaintext? Or is it because I ran tcpdump from my server on port 25 and the data gets unencrypted on that port when STARTTLS is run? In any case I never saw the AUTH PLAIN server command or the base64 string.

Last edited by trist007; 03-19-2011 at 11:25 PM.
 
Old 03-19-2011, 11:43 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344
You specified to encrypt only authentication. To encrypt everything, use:

Code:
smtpd_tls_security_level = encrypt
smtpd_enforce_tls = yes
See: Postfix TLS Support

Note that the message is encrypted only between the client and server. You have to separately encrypt the body if you want end-to-end encryption.

Last edited by macemoneta; 03-19-2011 at 11:45 PM.
 
Old 03-20-2011, 12:13 PM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
I enabled both of those
Code:
smtpd_tls_security_level = encrypt
smtpd_enforce_tls = yes
and removed this one
Code:
smtpd_tls_auth_only = yes
I see that smtpd_enforce_tls = yes is not really necessary since it's deprecated (Postfix 2.3 or later). Anyhow, I added it in.
From what I've read these commands only accept mail if TLS is turned on. There's no mention about it encrypting the whole message unless that's the default which would make sense. Anyhow I can still see the email body in plaintext in my dump.
I'm running this command for the sniff
Code:
tcpdump -vv -x -X -s 1500 'port 25' > dump.log
Or is it simply because I'm sniffing on the mail server where it gets unencrypted?

At what point does the email get unencrypted?

I'm going to test it out and sniff on my gateway instead.

Last edited by trist007; 03-20-2011 at 12:32 PM.
 
Old 03-20-2011, 12:36 PM   #4
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344
In that case, you probably want to enable debugging to see what's happening.

Code:
smtp_tls_loglevel = 2
You may need a higher level (3 or 4) to see what's happening with the message body.

Last edited by macemoneta; 03-20-2011 at 12:37 PM.
 
Old 03-20-2011, 12:51 PM   #5
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Ran the sniffer on the gateway and still I can see the DATA in plaintext. Ok I'll try that.
 
Old 03-20-2011, 01:04 PM   #6
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Here's the log from /var/log/maillog with smtp_tls_loglevel = 2 in the main.cf
Code:
Mar 20 12:51:59 hostname postfix/postfix-script[32714]: refreshing the Postfix mail system
Mar 20 12:51:59 hostname postfix/master[32673]: reload -- version 2.6.1, configuration /etc/postfix
Mar 20 12:51:59 hostname postfix/anvil[32694]: statistics: max connection rate 1/60s for (smtp:domain) at Mar 20 12:48:59
Mar 20 12:51:59 hostname postfix/anvil[32694]: statistics: max connection count 1 for (smtp:domain) at Mar 20 12:48:59
Mar 20 12:51:59 hostname postfix/anvil[32694]: statistics: max cache size 1 at Mar 20 12:48:59
Mar 20 12:58:59 hostname postfix/smtpd[323]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Mar 20 12:58:59 hostname postfix/smtpd[323]: connect from unknown[domain]
Mar 20 12:58:59 hostname postfix/smtpd[323]: setting up TLS connection from unknown[domain]
Mar 20 12:59:00 hostname postfix/smtpd[323]: Anonymous TLS connection established from unknown[domain]: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar 20 12:59:00 hostname postfix/smtpd[323]: 5B8ABC0002: client=unknown[domain], sasl_method=PLAIN, sasl_username=user
Mar 20 12:59:00 hostname postfix/cleanup[328]: 5B8ABC0002: message-id=<47A498DA-2D24-47CA-B5A7-F00EF50276FC@domain.net>
Mar 20 12:59:00 hostname postfix/qmgr[32720]: 5B8ABC0002: from=<user@domain.net>, size=571, nrcpt=1 (queue active)
Mar 20 12:59:00 hostname postfix/smtp[329]: 5B8ABC0002: to=<thartanian@domain.com>, relay=mail.domain.net[domain]:25, delay=0.36, delays=0.1/0/0.14/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A0F22F0067)
Mar 20 12:59:00 hostname postfix/qmgr[32720]: 5B8ABC0002: removed
Mar 20 13:00:00 hostname postfix/smtpd[323]: disconnect from unknown[domain]
main.cf
Code:
smtpd_use_tls = yes
smtpd_enforce_tls = yes
smtp_tls_loglevel = 2
smtpd_tls_security_level = encrypt
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
#smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
smtpd_tls_loglevel = 1
I don't have a CA file. The SSL still works so I figured it wasn't necessary. Unless it is.

Nothing that really tells me much.

Last edited by trist007; 03-20-2011 at 02:00 PM.
 
Old 03-20-2011, 01:40 PM   #7
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344
The quick start for TLS seems to imply that certificate setup is required.
 
Old 03-20-2011, 01:54 PM   #8
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Ah, I see why. I'm using a relayhost which does not have TLS; that's what I'm seeing in the dump. That makes sense now. I'll just set up the relay host to use TLS. OK great. Thanks guys.
 
Old 03-20-2011, 03:14 PM   #9
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
One thing worth noting. In order to get my postfix server to use starttls when he talks to the relayhost you need to add this line to your main.cf.
Code:
smtp_tls_security_level = encrypt
Note the use of 'smtp' instead of 'smtpd.'
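The thread's conclusion is that TLS is configured per hop: `smtpd_*` settings cover the client-to-server leg, `smtp_*` settings cover the server-to-relayhost leg. The script below is an added example, not part of the thread: it reads Postfix maillog lines and reports messages that arrived over TLS but were handed to the relay in plaintext. The sample log is constructed (hosts, addresses and the second queue ID are made up), and it assumes `smtp_tls_loglevel` is at least 1 so the outbound handshake is logged.

```python
import re

# Constructed sample in Postfix maillog format (hosts and addresses are made up).
SAMPLE_LOG = """\
Mar 20 12:59:00 mx postfix/smtpd[323]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar 20 12:59:00 mx postfix/smtpd[323]: 5B8ABC0002: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=user
Mar 20 12:59:00 mx postfix/smtp[329]: 5B8ABC0002: to=<a@example.com>, relay=relay.example.net[198.51.100.5]:25, delay=0.36, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Mar 20 15:20:01 mx postfix/smtpd[410]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar 20 15:20:01 mx postfix/smtpd[410]: 7C1DEF0003: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=user
Mar 20 15:20:02 mx postfix/smtp[415]: Untrusted TLS connection established to relay.example.net[198.51.100.5]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar 20 15:20:02 mx postfix/smtp[415]: 7C1DEF0003: to=<a@example.com>, relay=relay.example.net[198.51.100.5]:25, delay=0.40, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

LINE = re.compile(r"postfix/(smtpd|smtp)\[(\d+)\]: (.*)$")
TLS_UP = re.compile(r"TLS connection established (?:from|to) ")
QUEUED = re.compile(r"^([0-9A-F]{6,}): (client=|to=<)")

def tls_by_hop(log_text):
    """Return {queue_id: {"inbound": bool, "outbound": bool}}."""
    tls_pids = set()  # (daemon, pid) pairs that currently hold a TLS session
    hops = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        daemon, pid, msg = m.groups()
        key = (daemon, pid)
        if TLS_UP.search(msg):
            tls_pids.add(key)
        elif msg.startswith(("disconnect from", "lost connection")):
            tls_pids.discard(key)
        else:
            q = QUEUED.match(msg)
            if not q:
                continue
            entry = hops.setdefault(q.group(1), {"inbound": False, "outbound": False})
            if daemon == "smtpd":   # client -> this server (smtpd_* settings)
                entry["inbound"] = key in tls_pids
            else:                   # this server -> relayhost (smtp_* settings)
                entry["outbound"] = key in tls_pids
                tls_pids.discard(key)  # assumption: one delivery per logged handshake
    return hops

def plaintext_relay_hops(log_text):
    """Queue IDs that arrived over TLS but left for the relay unencrypted."""
    return sorted(q for q, h in tls_by_hop(log_text).items() if h["inbound"] and not h["outbound"])

if __name__ == "__main__":
    print(plaintext_relay_hops(SAMPLE_LOG))
```

The first message in the sample mirrors the log posted in #6, where the `smtp` delivery line has no preceding handshake line; the second shows what the log looks like once `smtp_tls_security_level = encrypt` is set.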
 
  

