Re: TLS smpt encryption

From: Simon Josefsson
Subject: Re: TLS smpt encryption
Date: Wed, 06 Sep 2006 11:17:02 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)

Phillip Lord <address@hidden> writes:

> I've been having problems getting TLS working with SMTP. I think that
> there are failings in both the code base and the documentation for
> the code base that are making this problem much harder.
> First, the defaults. To use TLS, you have to reconfigure things like
> the ports manually, and have to do so in multiple places.

The supported way to use TLS is NOT to use another port.

The recommended practice since 1999, and probably before that, when
RFC 2487 came out, is to use port 25 and use STARTTLS on that port.

Emacs does not support 'ssmtp' aka 'smtps' on port 465.  From what I
can recall, nobody has ever asked for that feature either, so this
doesn't seem widely deployed.

> So, for example, from the smtpmail documentation.....
> ;;(setq send-mail-function 'smtpmail-send-it) ; if you use `mail'
> ;;(setq message-send-mail-function 'smtpmail-send-it) ; if you use message/Gnus
> ;;(setq smtpmail-default-smtp-server "YOUR SMTP HOST")
> ;;(setq smtpmail-local-domain "YOUR DOMAIN NAME")
> ;;(setq smtpmail-sendto-domain "YOUR DOMAIN NAME")
> ;;(setq smtpmail-debug-info t) ; only to debug problems
> ;;(setq smtpmail-auth-credentials  ; or use ~/.authinfo
> ;;      '(("YOUR SMTP HOST" 25 "username" "password")))
> ;;(setq smtpmail-starttls-credentials
> ;;      '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key" "~/.my_smtp_tls.cert")))
> Now authentication mail often uses a different port.

Typically, no.

> So you have to change this. But this is done in
> smtpmail-smtp-service. The 25's in auth-credentials are only used to
> determine which credentials should be used.

Right, and you could have multiple credentials, for different ports.

> Confusing. I don't know what the standards are, but most mail
> readers you just click "SSL/TLS encryption" and the ports get set,
> or guessed, automatically.

Again, most programs use the same port.

> Second, the documentation. Take...
> ;;(setq smtpmail-starttls-credentials
> ;;      '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key" "~/.my_smtp_tls.cert")))
> So, what's .my_smtp_tls.key then? Where does it come from? How do I get
> it? Can I use gnutls to generate it? I have no idea at all. Further
> investigation suggests that actually you can leave this blank, and it
> should still work.

Did you read the Emacs SMTP Manual?  An old copy is available from:


But it is also part of Emacs.

If you don't have an X.509 certificate/key pair, you can leave those
fields empty.  You can generate them using GnuTLS, but you need the
server admin to recognize your certificate as well.  Typically you
don't need client authentication using TLS.

The documentation for the variable seems sub-optimal here, so I have
installed this change:

--- smtpmail.el 15 Feb 2006 10:22:36 +0100      1.84
+++ smtpmail.el 06 Sep 2006 11:07:47 +0200      
@@ -176,7 +176,12 @@
 (defcustom smtpmail-starttls-credentials '(("" 25 "" ""))
   "Specify STARTTLS keys and certificates for servers.
 This is a list of four-element list with `servername' (a string),
-`port' (an integer), `key' (a filename) and `certificate' (a filename)."
+`port' (an integer), `key' (a filename) and `certificate' (a
+If you do not have a certificate/key pair, leave the `key' and
+`certificate' fields as `nil'.  A key/certificate pair is only
+needed if you want to use X.509 client authenticated
   :type '(repeat (list (string  :tag "Server")
                       (integer :tag "Port")
                       (file    :tag "Key")
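Review bot: the hunk looks truncated as posted: the `@@ -176,7 +176,12 @@` header promises 12 lines on the new side but only 10 are shown, and two added lines stop mid-phrase (`certificate' (a` and `X.509 client authenticated`), so the closing `filename).` and the docstring's closing quote never appear; please repost the complete hunk. Also, the added text tells users to leave `key' and `certificate' as `nil', while the default on the `defcustom` line is `'(("" 25 "" ""))`, i.e. empty strings; document the form the code actually accepts (or say that both are accepted) so the docstring and the default do not contradict each other.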

> Third, it would be nice if the documentation made clear that "TLS"
> appears to be the same thing as "SSL" -- at least in the context of
> SMTP servers. I was under the impression for a number of months that I
> could not use encryption for SMTP as our local server requires SSL,
> which smtpmail doesn't do. Actually, it uses TLS. Some documentation
> saying "if you are required to use SSL, this is probably what you
> want". 

SSL is an earlier version of TLS, but they are compatible.  SMTP uses
TLS, but people often incorrectly call it SSL.  I modified the Emacs
SMTP Manual to mention SSL:

Index: smtpmail.texi
RCS file: /sources/emacs/emacs/man/smtpmail.texi,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -p -r1.13 -r1.14
--- smtpmail.texi       5 Feb 2006 22:41:31 -0000       1.13
+++ smtpmail.texi       6 Sep 2006 09:10:43 -0000       1.14
@@ -209,6 +209,8 @@ The following example illustrates what y
 @cindex CRAM-MD5
 @cindex LOGIN
 @cindex STARTTLS
address@hidden TLS
address@hidden SSL
 Many environments require SMTP clients to authenticate themselves
 before they are allowed to route mail via a server.  The two following
 variables contains the authentication information needed for this.
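Review bot: the two added index entries have been rewritten by the archive's address obfuscation (they show as `address@hidden TLS` and `address@hidden SSL`), so anyone copying this hunk from the archive gets a broken patch; the surrounding `@cindex` lines make the intent clear, but please attach or link the raw diff. While touching this paragraph, the unchanged context line `The two following variables contains` should read `contain`.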
@@ -220,10 +222,10 @@ that order if the server support both.
 The second variable, @code{smtpmail-starttls-credentials}, instructs
 the SMTP library to connect to the server using STARTTLS.  This means
 the protocol exchange may be integrity protected and confidential by
-using TLS, and optionally also authentication of the client.  This
-feature uses the elisp package @file{starttls.el} (see it for more
-information on customization), which in turn require that at least one
-of the following external tools are installed:
+using TLS, also known as SSL, and optionally also authentication of
+the client.  This feature uses the elisp package @file{starttls.el}
+(see it for more information on customization), which in turn require
+that at least one of the following external tools are installed:
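Review bot: `using TLS, also known as SSL` presents the two as the same protocol, whereas the covering message itself describes SSL as an earlier version of TLS that people often mislabel; suggest `using TLS (often still called SSL, of which it is the successor)` so readers told to use "SSL" find the section without being taught that the names are interchangeable. Separately, the carried-over context `which in turn require that at least one of the following external tools are installed` has two agreement errors and should read `requires ... is installed`.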

> Finally, it doesn't seem to work on windows. I spent three hours with
> a debugger a couple of days ago -- I figured this was the only way to
> see if I had the configuration right. It appears that starttls.el uses
> Unix specific process handling, so won't work with NTEmacs. I've been
> told that you can get this working with cygwin by calling out to
> kill.exe which works around the problem. Bit ugly! I realise that
> fixing this properly may take some time, but updating the
> documentation would be relatively quick!

I've seen it suggested that people have had success on Windows using
the starttls binary instead of gnutls-cli.  But I don't really know
what works under Windows, so I don't know how to improve things here.

> At the moment, I have access to a non TLS based stream, but this isn't
> going to last for ever. I suspect that many people are in the same
> boat.

Right.  Many people have migrated to SMTP over TLS already.
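A configuration that keeps the port settings discussed in this thread consistent, with a small check for mismatches. This is an added example, not code from the message above or from smtpmail.el; the host name, the credentials and the function `my-smtpmail-check-tls-ports' are assumed.

```elisp
;; Added example, not code from the message or from smtpmail.el.  It uses
;; the smtpmail variables named in the thread; "smtp.example.org", the
;; credentials and `my-smtpmail-check-tls-ports' are assumptions.
(require 'smtpmail)

(setq send-mail-function 'smtpmail-send-it
      message-send-mail-function 'smtpmail-send-it
      smtpmail-smtp-server "smtp.example.org"
      ;; STARTTLS is negotiated on the ordinary SMTP port.  This variable,
      ;; not the port fields below, decides where smtpmail connects.
      smtpmail-smtp-service 25)

;; The port in each credential entry only selects which entry applies to
;; a connection; it must therefore agree with `smtpmail-smtp-service'.
(setq smtpmail-auth-credentials
      '(("smtp.example.org" 25 "username" "password")))  ; or "~/.authinfo"

;; Empty key/certificate: STARTTLS without X.509 client authentication,
;; which is the usual case.
(setq smtpmail-starttls-credentials
      '(("smtp.example.org" 25 "" "")))

(defun my-smtpmail-check-tls-ports ()
  "Return a list of credential entries whose port differs from
`smtpmail-smtp-service' for the configured server.  Such entries are
never matched, so smtpmail would neither attempt STARTTLS nor
authenticate with them."
  (interactive)
  (let ((port smtpmail-smtp-service)
        (problems nil))
    (dolist (var '(smtpmail-auth-credentials smtpmail-starttls-credentials))
      (let ((val (symbol-value var)))
        (when (listp val)                ; a string means a netrc-style file
          (dolist (entry val)
            (when (and (equal (car entry) smtpmail-smtp-server)
                       (not (equal (nth 1 entry) port)))
              (push (format "%s: entry for %s uses port %s, service is %s"
                            var (car entry) (nth 1 entry) port)
                    problems))))))
    (if problems
        (display-warning 'smtpmail (mapconcat #'identity problems "\n"))
      (message "smtpmail credential ports agree with service port %s" port))
    problems))
```

Evaluate the buffer and run `M-x my-smtpmail-check-tls-ports'; with `smtpmail-debug-info' set to t the subsequent send shows whether STARTTLS was actually negotiated.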
