views: 595
answers: 2

Most mail clients that support SSL/TLS only require the user to say whether or not SSL should be enabled. The user doesn't have to know anything about Explicit & Implicit SSL and the differences between them.

So, how does the mail client determine which type of SSL to use? Is it based on default port numbers? Does it just try one and then the other?

A: 

I believe most clients that support SMTP over SSL start out with an unencrypted connection and issue an EHLO rather than HELO. The former has extra flag responses, one of which indicates whether the server supports the STARTTLS command or not. If it does, then the client can use STARTTLS, and then use SSL from that point on.

Example:

% telnet quack.kfu.com 25
220 quack.kfu.com ESMTP ready NO UCE
EHLO client
250-quack.kfu.com Hello client [xx.xx.xx.xx] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-ETRN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
starttls
220 2.0.0 Ready to start TLS
nsayer
If I telnet to a mail server on port 465 and issue an EHLO command, I get no response back. Eventually the connection times out. I don't think issuing an EHLO is sufficient to determine whether an implicit or explicit connection is supported. Isn't it more to determine what types of authentication are supported once a connection is established?
EHLO just indicates that the server supports extended SMTP. IMHO that SSL is negotiated before the SMTP conversation.
SharePoint Newbie
@unknown - no, SSL is not negotiated before that. You connect to an SMTP server plain, then "starttls" and engage ssl at that point.
nsayer
@jbutler: I've never heard before today of SMTP servers listening with SSL on port 465. If you do configure an SMTP server to work that way, then you would have to connect to that port and immediately begin negotiating SSL before sending EHLO/HELO. In that circumstance, I would expect EHLO to not report STARTTLS, since it would be redundant.
nsayer
Starttls is only used with explicit ssl connections. It is needed because the explicit connection is started in the clear and then the client must request a change to tls. An implicit ssl connection starts immediately with the ssl negotiation.
+1  A: 

A mail client must know if implicit SSL is in use when it connects, as it is responsible for initiating the SSL handshake with a ClientHello message. How it determines this is up to the client. Port numbers are a great hint, but there could also be a check box in some UI that forces it even when the standard (unprotected) port number is used.

There are IANA registered port numbers for secure mail, but some ISPs may use other ports.

  • IMAP/SSL: 993
  • POP3/SSL: 995

SMTP/SSL is often offered on port 465, but this is not registered, and is less common since support for explicit SSL is widely supported by SMTP agents.

Support for explicit SSL can be advertised by a server using a protocol-specific negotiation. For example, when a client connects to an SMTP server, and issues the EHLO command, the server will list its capabilities, which might include support for the STARTTLS command.

erickson
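The two answers together describe a client-side decision: pick implicit TLS (ClientHello first, then EHLO inside the tunnel) from the port number or a user setting, otherwise greet in the clear and only upgrade with STARTTLS if the EHLO reply advertises it. The script below is an added example, not code from either answer or from any mail client; it parses an EHLO reply of the shape shown in the first answer (the transcript lines are copied from there as a constructed sample), applies the port heuristic from the second answer, and adds the check a practitioner wants: refuse to send credentials if the server offers no STARTTLS. The `connect_smtp` helper uses the standard library `smtplib`/`ssl` modules and is only invoked when a host is passed on the command line; the policy functions run offline.

```python
"""Decide between implicit and explicit (STARTTLS) TLS for a mail connection.

Added example; assumes nothing beyond the Python standard library.
"""
import smtplib
import ssl
import sys

# IANA-registered implicit-TLS ports for IMAP/POP3; 465 is the de facto
# (unregistered) SMTPS port mentioned in the answer above.
IMPLICIT_TLS_PORTS = {465: "smtp", 993: "imap", 995: "pop3"}
# Cleartext ports on which TLS, if any, is explicit (STARTTLS / STLS).
EXPLICIT_TLS_PORTS = {25: "smtp", 587: "smtp", 143: "imap", 110: "pop3"}

# Constructed sample: the server side of the EHLO exchange quoted in the
# first answer on this page.
EHLO_REPLY = """250-quack.kfu.com Hello client [xx.xx.xx.xx] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-ETRN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP"""


def tls_mode_for_port(port, force_implicit=False):
    """Return 'implicit' or 'explicit'.

    force_implicit models the UI check box from the second answer: the user
    can force implicit TLS even on a port that is normally cleartext.
    Unknown ports are treated as explicit: start in the clear, then let the
    EHLO capability list decide whether an upgrade is possible.
    """
    if force_implicit or port in IMPLICIT_TLS_PORTS:
        return "implicit"
    return "explicit"


def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into a set of upper-case keywords.

    Continuation lines look like '250-STARTTLS'; the final line uses a
    space ('250 HELP'). The first line is the greeting and carries no
    capability, so it is skipped.
    """
    lines = reply.strip().splitlines()
    caps = set()
    last = len(lines) - 1
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("not a 250 reply line: %r" % line)
        if line[3] == " " and i != last:
            raise ValueError("reply continues after final line: %r" % line)
        if i == 0:
            continue  # greeting: '250-hostname Hello ...'
        body = line[4:].strip()
        if body:
            caps.add(body.split()[0].upper())
    return caps


def decide_starttls(caps, will_authenticate=True):
    """Explicit-TLS policy for a cleartext connection.

    'starttls'  -> upgrade now, then re-issue EHLO inside the tunnel
    'plaintext' -> stay in the clear (only acceptable with no credentials)
    'refuse'    -> server offers no STARTTLS and we would have to AUTH in
                   the clear, so abort instead of leaking the password
    """
    if "STARTTLS" in caps:
        return "starttls"
    return "refuse" if will_authenticate else "plaintext"


def connect_smtp(host, port, force_implicit=False, timeout=10):
    """Open an SMTP session using the mode chosen by the functions above."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    if tls_mode_for_port(port, force_implicit) == "implicit":
        # Client speaks first with a ClientHello; EHLO happens inside TLS.
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        smtp.ehlo()
        return smtp
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    smtp.ehlo()
    caps = {k.upper() for k in smtp.esmtp_features}
    if decide_starttls(caps) != "starttls":
        smtp.close()
        raise RuntimeError("%s:%d offers no STARTTLS; not sending credentials" % (host, port))
    smtp.starttls(context=ctx)
    smtp.ehlo()  # RFC 3207: capabilities must be re-read after the upgrade
    return smtp


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        s = connect_smtp(sys.argv[1], int(sys.argv[2]))
        print("connected; STARTTLS now offered:", s.has_extn("starttls"))
        s.quit()
    else:
        print("port 465 ->", tls_mode_for_port(465), "| port 587 ->", tls_mode_for_port(587))
        print("capabilities:", sorted(parse_ehlo(EHLO_REPLY)))
        print("policy:", decide_starttls(parse_ehlo(EHLO_REPLY)))
```

Run it with no arguments to see the offline decision on the sample transcript; `python script.py mail.example.test 587` (host name is a placeholder) performs the real EHLO-then-STARTTLS sequence. The refusal path matters in practice: a client that silently falls back to cleartext AUTH when STARTTLS is absent can be downgraded by anyone able to strip the `250-STARTTLS` line from the reply.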