SSL E-mail - was Re: When do you turn off your Ubuntu boxes?



On Thursday 30 November 2006 23:24, Lorenzo Taylor wrote:
According to Chanchao:
# Out of interest, what do you use for the mail server? Postfix? In
# secure SSL mode I presume?

At the moment I'm actually using exim4 with sa-exim to reject spam. No
encryption is necessary because I do everything on localhost. No need
to connect to a remote box for anything mail related. MUA and MTA are
all on the same box. And as I understand it, SSL only works if both
ends are able to use it, so I don't think it would be possible to have
incoming mail or mail that is sent out encrypted. Someone correct me if
I'm wrong and I will solve that problem as well. I didn't think there
was much that could be done to secure mail on the way out other than
encrypting via GPG, and that assumes the other person has a public key.
I really didn't think there was much that could be done to secure
anything coming in either unless I know all other servers that would be
sending me mail were capable of SSL encryption or unless the sender
happens to have my public GPG key and encrypts the message. Again I
stand to be corrected and would in fact like to be wrong about this one.

SSL and (preferably) TLS are useful for e-mail much as they are for web
browsing. They can protect content from external viewing. When connecting
through to a mail server with a regular mail client that uses user ID and
password authentication, SSL/TLS is pretty mandatory to keep passwords from
being sniffed.

You are correct that both ends need to support it. From the mail client to the
submitting mail server, this is reasonably easy as almost all modern mail
clients support this. From MTA to MTA it is still unusual, but becoming less
so. It doesn't hurt to have it set up. If you are delivering to a mail
server that supports TLS, then it will be encrypted, but (unless you make it
mandatory) things work just fine unencrypted with other servers.

This is similar to the level of protection you get if you SSH to the box and
then do everything locally. One warning though is if you are going to use
SSL, do not use SSL v2; limit yourself to SSL v3 because the SSL v2
algorithms are not very strong and are not recommended.

Scott K

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
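
The opportunistic-versus-mandatory behaviour described in the reply above, as an added example that is not part of the original message: a sketch of how a sending MTA could decide, from the peer's EHLO reply, whether to upgrade to TLS, send in clear text, or defer. The function names, the `require_tls` flag and the sample replies are constructed for illustration and are not exim4 or Postfix settings.

```python
from enum import Enum


class Action(Enum):
    STARTTLS = "upgrade the session to TLS, then send"
    PLAINTEXT = "send unencrypted"
    DEFER = "do not send; queue and retry later"


def ehlo_extensions(reply):
    """Parse a multi-line 250 EHLO reply into a set of extension keywords."""
    lines = [l for l in reply.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    exts = set()
    for i, line in enumerate(lines):
        # Every line must be "250-" (more follow) or "250 " (last line).
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("not a 250 EHLO line: %r" % line)
        words = line[4:].split()
        if i > 0 and words:  # line 0 is the greeting, not an extension
            exts.add(words[0].upper())
    return exts


def delivery_action(reply, require_tls=False):
    """Opportunistic TLS by default; require_tls=True makes it mandatory."""
    if "STARTTLS" in ehlo_extensions(reply):
        return Action.STARTTLS
    # Peer did not offer TLS: fall back, unless policy forbids clear text.
    return Action.DEFER if require_tls else Action.PLAINTEXT


# Constructed sample EHLO replies (hypothetical hosts).
TLS_PEER = (
    "250-mx.example.org Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
PLAIN_PEER = "250-old.example.net Hello\r\n250-SIZE 10485760\r\n250 HELP\r\n"

if __name__ == "__main__":
    for name, reply in (("TLS peer", TLS_PEER), ("plain peer", PLAIN_PEER)):
        for required in (False, True):
            act = delivery_action(reply, require_tls=required)
            print("%-10s require_tls=%-5s -> %s" % (name, required, act.value))
```

With `require_tls=False`, a peer whose reply lacks STARTTLS still receives the message in clear text, which is the trade-off the reply describes.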


