-1

A client of the company I work for asked if the email we provided them along with their domain will be SSL / TLS encrypted. We use qmail. What should I check to tell the client for sure that their e-mail communications are encrypted?

alfista16
  • Does it require SSL? Did you look up the settings already? –  Oct 08 '12 at 10:25
  • I think that this is my problem. I don't know exactly which settings to check. I typed this command, openssl s_client -connect remote.host:25 -starttls smtp, which I found here http://www.madboa.com/geek/openssl/#cs-smtp, just to see if our mail server supports TLS. Judging by the result I think it does. –  Oct 08 '12 at 10:28
  • Sorry if posted in the wrong place; I found a similar topic, asked it there, and it was removed –  Oct 08 '12 at 10:32
  • @alfista16, what you did was asking a question in an answer box here on SO. You're meant to ask questions as questions (which is what you've just done), but they're also meant to be on-topic for the site. Your question is typically more on-topic on ServerFault. You should be able to click on 'flag' and ask for a moderator to migrate it. – Bruno Oct 08 '12 at 10:42

1 Answer

1

There are essentially two ways of using SSL/TLS for e-mail (SMTP, POP3, IMAP):

  • implicit SSL/TLS, where the SSL/TLS connection is established first. This requires a different port for each protocol: SMTPS, POP3S, IMAPS.
  • explicit SSL/TLS, where a command is used to switch: STARTTLS.

Both should offer the same level of security, provided that they're configured correctly on both sides. The user would have to configure their client accordingly. As a service provider, you could consider providing both.

I don't know qmail very well, but it looks like it requires a patch, at least for STARTTLS support.

You can check whether either of them is enabled using openssl s_client -connect host:port, and (for the STARTTLS variants) use -starttls with the correct port (see openssl s_client -help).

You could also provide implicit SSL/TLS support by using an external tool like stunnel to be the SSL/TLS server (which would then make a localhost connection to the plain mail servers).

Bruno
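The explicit (STARTTLS) check described in the answer, scripted as an added example that is not part of the original answer. It also reports whether the server advertises AUTH before any TLS upgrade, since a server that offers STARTTLS does not necessarily require it. The function names, the probe hostname and the sample EHLO replies are constructed for illustration.

```python
import socket
import ssl

# Constructed sample replies to a plaintext EHLO (not captured from a real server).
SAMPLE_NO_TLS = "250-mail.example.test\r\n250-PIPELINING\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME\r\n"
SAMPLE_STARTTLS = "250-mail.example.test\r\n250-STARTTLS\r\n250-PIPELINING\r\n250 8BITMIME\r\n"


def classify_ehlo(reply: str) -> dict:
    """Report what a server offers before any TLS has been negotiated."""
    keywords = set()
    for line in reply.splitlines()[1:]:  # first line is the greeting, not a capability
        line = line.strip()
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            keywords.add(line[4:].split()[0].split("=")[0].upper())
    return {
        "starttls": "STARTTLS" in keywords,     # upgrade is offered (not necessarily required)
        "auth_before_tls": "AUTH" in keywords,  # logins accepted on the cleartext channel
    }


def read_reply(f) -> str:
    """Read one SMTP reply; continuation lines have '-' after the 3-digit code."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        lines.append(line)
        if not line or line[3:4] != "-":
            return "".join(lines)


def probe_smtp(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: plaintext EHLO, then attempt the STARTTLS upgrade."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        read_reply(f)  # 220 banner
        f.write(b"EHLO probe.example.test\r\n")
        f.flush()
        result = classify_ehlo(read_reply(f))
        if result["starttls"]:
            f.write(b"STARTTLS\r\n")
            f.flush()
            if read_reply(f).startswith("220"):
                try:
                    with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                        result["tls_version"] = tls.version()
                except ssl.SSLError as exc:  # includes certificate verification failures
                    result["tls_error"] = str(exc)
        return result
```

Run `probe_smtp("your.mail.host", 25)` against your own server; a `tls_error` entry usually means the certificate does not validate for that hostname, which mail clients configured for strict TLS will also reject.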