SSL E-mail - was Re: When do you turn off your Ubuntu boxes?

Scott Kitterman ubuntu at kitterman.com
Fri Dec 1 04:39:55 UTC 2006


On Thursday 30 November 2006 23:24, Lorenzo Taylor wrote:
> According to Chanchao:
> # Out of interest, what do you use for the mail server? Postfix?  In
> # secure SSL mode I presume?
>
> At the moment I'm actually using exim4 with sa-exim to reject spam.  No
> encryption is necessary because I do everything on localhost.  No need
> to connect to a remote box for anything mail related.  MUA and MTA are
> all on the same box.  And as I understand it, SSL only works if both
> ends are able to use it, so I don't think it would be possible to have
> incoming mail or mail that is sent out encrypted.  Someone correct me if
> I'm wrong and I will solve that problem as well.  I didn't think there
> was much that could be done to secure mail on the way out other than
> encrypting via GPG, and that assumes the other person has a public key.
> I really didn't think there was much that could be done to secure
> anything coming in either unless I know all other servers that would be
> sending me mail were capable of SSL encryption or unless the sender
> happens to have my public GPG key and encrypts the message.  Again I
> stand to be corrected and would in fact like to be wrong about this one.
>
SSL and (preferably) TLS are useful for e-mail much as they are for web
browsing.  They can protect content from external viewing.  When connecting 
through to a mail server with a regular mail client that uses user ID and 
password authentication, SSL/TLS is pretty mandatory to keep passwords from 
being sniffed.

You are correct that both ends need to support it.  From the mail client to the
submitting mail server, this is reasonably easy as almost all modern mail
clients support this.  From MTA to MTA it is still unusual, but becoming less
so.  It doesn't hurt to have it set up.  If you are delivering to a mail
server that supports TLS, then it will be encrypted, but (unless you make it
mandatory) things work just fine unencrypted with other servers.

This is similar to the level of protection you get if you SSH to the box and 
then do everything locally.  One warning though is if you are going to use 
SSL, do not use SSL v2, limit yourself to SSL v3 because the SSL v2 
algorithms are not very strong and are not recommended.

Scott K
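
Added example, not part of the original message: a sketch of the opportunistic versus mandatory TLS decision a sending MTA makes from the receiver's EHLO reply, and of withholding passwords until TLS is active. The policy names, function names and EHLO replies are constructed for illustration and are not exim4 or Postfix settings.

```python
# Added illustration: constructed EHLO replies and hypothetical policy names.
OPPORTUNISTIC = "opportunistic"  # use TLS when offered, otherwise send in clear
MANDATORY = "mandatory"          # never hand over mail without TLS

# Constructed sample replies (not captured from real servers).
TLS_SERVER = ("250-mx.example.org Hello\r\n250-SIZE 52428800\r\n"
              "250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
PLAIN_SERVER = ("250-old.example.net Hello\r\n250-SIZE 10240000\r\n"
                "250 8BITMIME\r\n")


def parse_ehlo(reply):
    """Return the set of extension keywords in a multi-line 250 EHLO reply."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        # Continuation lines use "250-", the final line uses "250 ".
        expected_sep = " " if i == len(lines) - 1 else "-"
        if code != "250" or sep != expected_sep:
            raise ValueError("unexpected EHLO line: %r" % line)
        # The first line is the greeting; later lines name one extension each.
        if i > 0 and text.split():
            keywords.add(text.split()[0].upper())
    return keywords


def plan_delivery(reply, policy):
    """Return 'starttls', 'plaintext' or 'defer' for the next step."""
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"      # both ends support it, so encrypt
    if policy == MANDATORY:
        return "defer"         # keep the message queued rather than expose it
    return "plaintext"         # opportunistic: deliver unencrypted


def may_send_password(reply, tls_active):
    """Client side: offer credentials only once the channel is encrypted."""
    return tls_active and "AUTH" in parse_ehlo(reply)


if __name__ == "__main__":
    for name, reply in (("tls", TLS_SERVER), ("plain", PLAIN_SERVER)):
        for policy in (OPPORTUNISTIC, MANDATORY):
            print(name, policy, plan_delivery(reply, policy))
```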



