Score:9

Should I use SSL for a receive only SMTP server?

I am creating an SMTP server which will not need to send emails but only receive. Not being an expert, I was wondering if I should still use an SSL certificate for security. For example, if I send an e-mail message from my Outlook or Gmail client (which I assume will send an already protected message) to my SMTP server without SSL, is a man-in-the-middle attack possible?

Score:13

Yes. SSL/TLS should be used on receiving mail. MITM is possible, though requiring DKIM authentication should prevent this from manipulating the message. A signed certificate is the best way to mitigate MITM, and they are free with Let's Encrypt and easily automated if you are using a platform that supports it.

Hagen von Eitzen
There's more to this than just using Let's Encrypt and thinking you are fine: https://community.letsencrypt.org/t/lets-encrypt-for-smtp/66171
Paul
Same goes for DANE, as it requires things like a registrar that supports DNSSEC and many don't or make it so difficult that users in practice give up trying to get it enabled. DANE requires a DNS server that supports TLSA records, and many, even major ones, do not. Then sending servers have to respect DANE. A difficult to implement solution typically ends up being a not used one. Also, your comment is for some unexplained reason claiming that I made some reference to Let's Encrypt *as* a solution instead of what I actually stated which is that it makes the solution *easier* to implement.
jp flag
You state that "a signed certificate is the best way to mitigate MITM", which isn't true with SMTP, Let's Encrypt or not.
Score:8

When it comes to SMTP, TLS is not bulletproof for preventing MitM, because the strong backwards compatibility allows self-signed certificates, older TLS and SSL versions, and even fallback to unencrypted connections. Because an SMTP connection to port 25/tcp always begins in plain text and requires STARTTLS, it is easy for a MitM to strip the `250-STARTTLS`, making the client believe the server does not support TLS. The DNS-Based Authentication of Named Entities (DANE, RFC 6698) addresses this problem, but must be supported by both parties.

That said, TLS is still useful with SMTP, because not using it makes MitM both easier and harder to detect. E.g., from the previous Received header you should be able to see whether the connection was encrypted or not, along with the cipher suite used.

not2savvy
I don't agree, as this is all a matter of correct configuration. Of course, the server needs to be configured to *enforce TLS*, so it aborts the connection if the client does not respond with starting the TLS connection. And self-signed certificates as well as old SSL/TLS versions should just not be accepted.
jp flag
@not2savvy: The correct SMTP configuration accepts unencrypted connections. Otherwise, it would not be following the specification.
not2savvy
If you refer to RFC 5321, AFAIK that doesn't say anything about `STARTTLS`, but it does say *"The SMTP protocol allows a server to formally reject a mail session while still allowing the initial connection"*. So I don't see how this would violate the specs.
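An added example, not part of the original answers or comments: Python code for the check the answer above mentions, reading `Received` headers to see whether each hop was encrypted and with which cipher suite. It assumes RFC 3848 protocol keywords (`ESMTPS`, `ESMTPSA`) and a Postfix-style `(using TLSv... with cipher ...)` comment; the sample message, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords: a trailing S (ESMTPS, ESMTPSA) means STARTTLS was used.
PROTO_RE = re.compile(r"\bwith\s+((?:E?SMTP|LMTP)S?A?)\b", re.I)
# Assumed Postfix-style comment: (using TLSv1.3 with cipher NAME (256/256 bits))
TLS_COMMENT_RE = re.compile(r"\(using\s+(\S+)\s+with\s+cipher\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

# Constructed sample message (documentation addresses, made-up queue ids).
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by mx.receiver.example (Postfix) with ESMTPS id 4F1A2B3C
    for <user@receiver.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from client.sender.example (client.sender.example [198.51.100.7])
    by mail.sender.example (Postfix) with ESMTP id 9D8E7F6A;
    Mon, 01 Jan 2024 09:59:58 +0000
From: alice@sender.example
Subject: constructed sample

body
"""

def audit_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        proto = PROTO_RE.search(flat)
        comment = TLS_COMMENT_RE.search(flat)
        by = BY_RE.search(flat)
        protocol = proto.group(1).upper() if proto else None
        hops.append({
            "by": by.group(1) if by else None,
            "protocol": protocol,
            "tls": bool(comment) or (protocol or "").endswith(("S", "SA")),
            "version": comment.group(1) if comment else None,
            "cipher": comment.group(2) if comment else None,
        })
    return hops

def plaintext_hops(raw_message):
    """Hosts that accepted the message over an unencrypted connection."""
    return [h["by"] for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

Only the topmost `Received` header is written by your own server; the ones below it are supplied by earlier hops and can be forged, so treat them as hints rather than evidence.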
Score:1

Yes, you should. If your domain has DNSSEC, you should probably deploy DANE also.

Score:-1

Yes.

  1. It can't hurt.
  2. Let's Encrypt is free and takes minimal time to set up, especially if you're already using it.