Join Log in
Score:9
Sauron avatar Server

Should I use SSL for a receive only SMTP server?

br flag
Sauron

I am creating an smtp server which will not need to send emails but only receive. Not being an expert, I was wondering if I should still use an SSL certificate for security. For example, if I send an e-mail message from my outlook or gmail client (which I assume will send an already protected message) to my smtp server without ssl, is a man in the middle attack possible?

1588
4 + 0
ssl
Score:13
Paul avatar Server
cn flag
Paul

Yes. SSL/TLS should be used on receiving mail. MITM is possible, though requiring DKIM authentication should prevent this from manipulating the message. A signed certificate is the best way to mitigate MITM, and they are free with Let's Encrypt and easily automated if you are using a platform that supports it.

0 + 3
Hagen von Eitzen avatar
cn flag
Hagen von Eitzen
There's more to this than just using Let's Encrypt and thinking you are fine: https://community.letsencrypt.org/t/lets-encrypt-for-smtp/66171
3
Reply
Paul avatar
cn flag
Paul
Same goes for DANE, as it requires things like a registrar that supports DNSSEC and many don't or make it so difficult that users in practice give up trying to get it enabled. DANE requires a DNS server that supports TLSA records, and many, even major ones, do not. Then sending servers have to respect DANE. A difficult to implement solution typically ends up being a not used one. Also, your comment is for some unexplained reason claiming that I made some reference to Let's Encrypt *as* a solution instead of what I actually stated which is that it makes the solution *easier* to implment.
0
Reply
jp flag
Esa Jokinen
You state that "a signed certificate is the best way to mitigate MITM", which isn't true with SMTP, Let's Encrypt or not.
0
Reply
Score:8
avatar Server
jp flag
Esa Jokinen

What comes to SMTP, TLS is not bulletproof for preventing MitM, because the strong backwards compatibility allows self-signed certificates, older TLS and SSL versions, and even fallback to unencrypted connections. Because an SMTP connection to port 25/tcp always begins in plain text and requires STARTTLS it is easy for a MitM to strip the 250-STARTTLS, making the client believe the server does not support TLS. The DNS-Based Authentication of Named Entities (DANE, RFC 6698) addresses this problem, but must be supported by both parties.

That said, TLS is still useful with SMTP, because not using it makes MitM both easier and harder to detect. E.g., from the previous Received header you should be able to see whether the connection was encrypted or not, along with the cipher suite used.

0 + 0
not2savvy avatar
ar flag
not2savvy
I don't agree, as this is all a matter of correct configuration. Of course, the server needs to be configured to *enforced TLS*, so it aborts the connection if the client does not respond with starting the TLS connection. And self-signed certificates as well as old SSL/TLS versions should just not be accepted.
0
Reply
jp flag
Esa Jokinen
@not2savvy: The correct SMTP configuration accepts unencrypted connections. Otherwise, it would not be following the specification.
0
Reply
not2savvy avatar
ar flag
not2savvy
if you refer to RFC 5321, AFAIK that doesn't say anything about `STARTTLS`, but it does say *"The SMTP protocol allows a server to formally reject a mail session while still allowing the initial connection"*. So I don't see how this would violate the specs.
0
Reply
Score:1
avatar Server
us flag
Jasen

Yes, you should, if you domain has DNSSEC you should probably deploy DANE also,

0 + 0
Score:-1
avatar Server
cn flag
Shadur

Yes.

  1. It can't hurt.
  2. Let's Encrypt is free and takes minimal time to set up, especially if you're already using it.
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.