0

As far as I understood, both encrypt the connection. However, SSL/TLS "forces" the mail client to encrypt the channel from the beginning. Now let's say I telnet mail.server 25 and, after the ehlo, I am presented with STARTTLS as an authentication option that the server allows me (the mail client) to use. If I choose STARTTLS does it mean that I can authenticate myself (mail client) against the server (using my digital certificate)? why and how?

I am doing as follows but I don't understand where does the client authentication part comes in:

telnet some.mail.server 25 ehlo some.mail.server ... 250-STARTTLS ... STARTTLS mail from: guy rcpt to: otherGuy data someting . quit

Shouldn't I be sending the client certificate to the server? I tried this using openssl s_client -starttls smtp which actually provides a -cert and -key options to specify the certificate and private key.

So, in fact, the only disadvantage of SSL/TLS compared to STARTTLS is that since the connection is immediately encrypted, there is no way for the client to send its certificate on the same port. Only the server can send its certificate. Correct? A lot of confusion in my head... Please clarify this for me.

Improve this question
3
  • SSL/TLS is a complicated cryptographic protocol with most of the data in binary; there is no way you will be able to do your end manually using the telnet program which is only designed to handle text plus a few "terminal" controls that don't exist in SSL/TLS (nor SMTP). You need a program, of which s_client is one option. You can connect to a SMTPS server (which yes does start SSL/TLS immediately on connection) by using s_client without -starttls but with the SMTPS port conventionally 465. ... Commented Nov 13, 2014 at 21:12
  • ... In either case (STARTTLS or SMTPS) the SSL/TLS handshake does include sending and proving the client cert, but as about step 6 in a sequence of steps. Commented Nov 13, 2014 at 21:14
  • Ok. So I can't use telnet. Then what about those mail clients that only allow the use of TLS or SSL (separately)? In those cases can I still perform the SMTP authentication (i.e., send the client certificate)? Commented Nov 13, 2014 at 21:50

1 Answer 1

Reset to default
2

Both direct TLS mode and TLS upgrade using STARTTLS can use client certificates. The only difference between these modes is that with STARTTLS you start with a plain connection and later upgrade if the server announces support for STARTTLS. A man in the middle could strip this announcement (similar to sslstrip) and thus prevent the upgrade to TLS. This is actually used in practice, see https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks.

Unfortunately MX records, which are used to announce which servers are responsible for the mail transfer, can only announce hosts and no ports and in this case the default port 25 will be used with the plain SMTP protocol. Thus you can only get TLS by using the STARTTLS command.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

MX records tend to be used between MTAs, whereas TLS/STARTTLS usage is quite limited between MTAs (it's more useful from client to MSA). A good e-mail client shouldn't let itself downgrade: if you've ticket "use STARTTLS", it should try to use it and fail if it's not available. This issue used to exist in Thunderbird but was fixed, thankfully.
@Bruno: You refer to a two year old answer. Today (since Snowden) STARTTLS is way more used between MTA, see the statistics from Facebook from May 2014: "We found that 76% of unique MX hostnames that receive our emails support STARTTLS...".
Sure, sorry, it's certainly not an authoritative answer since it's mine (and downvoted) ;-). Interesting stats from FB, unfortunately, since TLS usage can never really be guaranteed all the way from one user to another, it's only of limited value, especially considering the issues surrounding certificate management (an MTA with an untrusted cert takes the risk of not receiving some of these e-mails: that's a big deal when running such a service). Unless MTAs have a list of MTAs with which they'll only use TLS and refuse to downgrade, and have a way to trust their certs, it's not so useful.
From my experience there are lots of MTAs out there which support STARTTLS but lots of them have only a self-signed certificate. Also, in bavaria/germany they are trying to enforce usage of STARTTLS, see heise.de/security/meldung/… (in german).
Yes, that's indeed part of the problem. On the one hand, MTAs (as clients) willing to accept an unknown self-signed cert are effectively open to MITM attacks (which people in a position to be in between MTAs would certainly be able to perform, in which case using TLS at all becomes almost irrelevant). One the other hand, if they're too strict (especially with other servers they don't already know), many e-mails won't get to their destinations. TLS is good for direct end-to-end comm, not so much when there are hops.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.