
I am using "ssmtp" as a mail client to send email to a remote mail server on Ubuntu Linux. I know there are "UseTLS" and "UseSTARTTLS" options in ssmtp.conf which can make ssmtp send emails securely. However, I can't find any option to specify the minimum TLS version, so I cannot force ssmtp to use TLSv1.2.

As we all know, TLS 1.0 is badly broken, and TLS 1.1 is damaged... Do you have any idea about how to make TLS 1.2 be used by ssmtp by default?

mkrieger1
Dejun
  • *As we all know, TLS 1.0 is badly broken,* - do we? While TLS 1.0 has its design problems, it is far from broken in a way that you should stop using it immediately. Maybe if you are a target of a really wealthy organization you should worry, but in this case you should worry more about using a hop-by-hop protocol like SMTP(S), which provides no end-to-end security. – Steffen Ullrich Jan 16 '17 at 07:03
  • Thank you for your suggestion. If we cannot specify the TLS version, can we specify the ciphers so that the weak ciphers will not be used? – Dejun Jan 17 '17 at 03:23

1 Answer


While you might like to restrict the TLS version or ciphers for better security, this part of the security does not matter at all at the current stage of TLS implementation in ssmtp. From a look at the source of version 2.64, the TLS support in ssmtp is very limited and it does not even make any attempt to validate the certificate of the peer. This means man-in-the-middle attacks are trivial even if you could choose the best protocol version and cipher.

This means ssmtp is not recommended if you are serious about TLS. Nevertheless, even with proper TLS support, SMTP is not secure. This means for anything which really needs protection, use end-to-end encryption like PGP or S/MIME.

Community
Steffen Ullrich
  • Thank you so much! It looks like I have to find another mail client. Thank you again! :-) – Dejun Jan 17 '17 at 08:56
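
For comparison with the behaviour described in the answer, here is an added example (not part of the original thread, and not ssmtp code) of an SMTP submission client built on Python's standard library that validates the server certificate, refuses anything below TLS 1.2 and restricts the cipher suites. The function names and the cipher string are assumptions chosen for illustration.

```python
import smtplib
import ssl
from email.message import EmailMessage


def strict_tls_context():
    """Client-side context: verified peer, TLS 1.2 or newer, AEAD suites only."""
    # create_default_context() enables CERT_REQUIRED and hostname checking,
    # which is the validation step the answer says ssmtp 2.64 lacks.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 and 1.1
    # Limits the TLS 1.2 suites; OpenSSL manages TLS 1.3 suites separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def send_verified(host, port, msg, user=None, password=None):
    """Send msg over STARTTLS and return the negotiated protocol version.

    Fails closed: no STARTTLS offer, a bad certificate, a hostname mismatch
    or an old protocol version all raise before any mail data is sent.
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not offer STARTTLS; not sending in clear text")
        smtp.starttls(context=strict_tls_context())  # ssl.SSLError on any TLS failure
        smtp.ehlo()                                  # re-negotiate capabilities over TLS
        negotiated = smtp.sock.version()             # e.g. 'TLSv1.2' or 'TLSv1.3'
        if user:
            smtp.login(user, password)
        smtp.send_message(msg)
        return negotiated


if __name__ == "__main__":
    # Constructed message; a real call would be
    # send_verified("<your submission host>", 587, demo)
    demo = EmailMessage()
    demo["From"], demo["To"], demo["Subject"] = "a@example.org", "b@example.org", "test"
    demo.set_content("hello")
    ctx = strict_tls_context()
    print("minimum version:", ctx.minimum_version.name)
    print("certificate required:", ctx.verify_mode == ssl.CERT_REQUIRED)
    print("hostname checked:", ctx.check_hostname)
    print("cipher suites allowed:", len(ctx.get_ciphers()))
```

This protects only the hop between the client and its submission server; as the answer notes, content that needs protection all the way to the recipient still requires PGP or S/MIME.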