Now that that's settled, what is the difference between "SSL" and "TLS"
in a MUA - particularly Thunderbird - in a Postfix context?
I would have sworn I used to use Thunderbird with "SSL" specified and
connected to my Postfix servers fine. Now, I can only connect in "TLS"
mode. What did I break?
--
Daniel
It's unlikely you'd forget setting up SSL. You would have likely created a
self signed server certificate and would have installed it on all clients
connecting to the server, just as must be done with web browsers connecting
to a secure site for the first time.
You've likely been using STARTTLS only, which doesn't require a key exchange
as SSL/TLS does. STARTTLS != TLS.
--
Stan
He's talking about Thunderbird, Bill. In that context, IIRC, one can check
the STARTTLS option box, and if the outgoing SMTP server doesn't support
STARTTLS, Thunderbird fails gracefully without error and falls back to plain
text mode. If, on the other hand, one checks SSL/TLS, you don't get the
graceful failure, but a hard error. This is the context of my STARTTLS !=
TLS comment. It's been a very long time since I messed with this, probably
pre-2.0, so my memory could be a little foggy. I would hope the Mozilla
team would have changed this behavior in recent revs of T-Bird.
--
Stan
> OK - I'm an idiot. I'll just admit that up front and get it out of the way.
>
> Now that that's settled, what is the difference between "SSL" and "TLS"
> in a MUA - particularly Thunderbird - in a Postfix context?
http://wiki.dovecot.org/SSL tries to explain their difference.
> I would have sworn I used to use Thunderbird with "SSL" specified and
> connected to my Postfix servers fine. Now, I can only connect in "TLS"
> mode. What did I break?
You no longer have smtps port enabled?
Here is my 2 pence (Please someone correct me if I'm wrong).
STARTTLS and TLS do eventually use the TLS protocol (which I think is just an updated version of SSL). The difference is that with STARTTLS, the SMTP client (e.g. Thunderbird) will connect to the server unencrypted, then if the SMTP server (Postfix) announces "STARTTLS", Thunderbird will negotiate a key exchange and then continue the rest of the connection encrypted.
With "normal" TLS, the encrypted connection happens from the start, and both server and client will need keys on each end set up beforehand.
That's my take on it...
-----Original Message-----
From: owner-pos...@postfix.org on behalf of Stan Hoeppner
Sent: Tue 3/2/2010 07:51
To: postfi...@postfix.org
Subject: Re: tls vs ssl
Daniel L. Miller put forth on 3/2/2010 1:18 AM:
> OK - I'm an idiot. I'll just admit that up front and get it out of the
> way.
>
> Now that that's settled, what is the difference between "SSL" and "TLS"
> in a MUA - particularly Thunderbird - in a Postfix context?
>
> I would have sworn I used to use Thunderbird with "SSL" specified and
> connected to my Postfix servers fine. Now, I can only connect in "TLS"
> mode. What did I break?
It's unlikely you'd forget setting up SSL. You would have likely created a
self signed server certificate and would have installed it on all clients
connecting to the server, just as must be done with web browsers connecting
to a secure site for the first time.
You've likely been using STARTTLS only, which doesn't require a key exchange
as SSL/TLS does. STARTTLS != TLS.
--
Stan
? You sure about that? I use only STARTTLS, and I always have to do the
'Confirm Security Exception' dance to accept the certificate the first
time I send a message in Thunderbird...
--
Best regards,
Charles
Port 24 and 587:
TCP handshake,
SMTP handshake, client sends STARTTLS,
TLS handshake, SMTP handshake, MAIL transaction, ...
Port 465:
TCP handshake,
TLS handshake, SMTP handshake, MAIL transaction, ...
Details are in RFC 3207.
Wietse
192.168.0.110:125 inet n - - - - smtpd
    -o syslog_name=frominternet
    -o smtpd_proxy_filter=
    -o myhostname=Postfix-ASSP.amfeslan.local
connect with Thunderbird to this address & port set to no encryption - works
192.168.0.110:126 inet n - - - - smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
connect with Thunderbird to this address & port set to TLS - works. SSL
does not.
192.168.0.110:127 inet n - - - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
connect with Thunderbird to this address & port set to TLS - works. SSL
does not.
By "SSL does not work" I mean:
1. I see a connection in the Postfix log - but nothing further happens.
2. Thunderbird works and works at sending ... and then times out with
an error - "Sending of message failed".
--
Daniel
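Wietse's two sequences above (clear-text 220 banner first, STARTTLS later, versus TLS handshake first on port 465) are exactly what Daniel's symptom shows: a Thunderbird "SSL" client sends a TLS ClientHello to a port where Postfix is waiting to send a 220 banner, and neither side ever sees what it expects, so the connection hangs until it times out. The probe below, an added example that is not part of the thread and not Postfix or Thunderbird code, tells the two kinds of port apart without speaking TLS at all: a server that greets in clear text is a STARTTLS-style service (and the EHLO reply says whether STARTTLS is actually offered), while a server that stays silent is waiting for a ClientHello, i.e. a wrappermode/smtps port. The in-process fake server, the host name probe.example and the 127.0.0.1 addresses are constructed for the demo.

```python
import socket
import threading

PROBE_NAME = b"probe.example"  # constructed EHLO argument, not a real host


def _read_reply(sock):
    """Read one full SMTP reply and return its lines. A reply is complete when
    the last line carries a space (not a '-') after the three-digit code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        if buf.endswith(b"\r\n"):
            last = buf[:-2].rsplit(b"\r\n", 1)[-1]
            if len(last) >= 4 and last[3:4] == b" ":
                break
    return [line.decode("ascii", "replace") for line in buf.split(b"\r\n") if line]


def classify_port(host, port, timeout=1.0):
    """Classify the SMTP service on host:port.

    'implicit-tls'   : server sent nothing; it is waiting for a TLS ClientHello
                       (Postfix smtpd_tls_wrappermode=yes, the classic port 465)
    'starttls'       : clear-text 220 greeting and EHLO advertises STARTTLS
    'plaintext-only' : clear-text 220 greeting, STARTTLS not offered
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = _read_reply(sock)
        except socket.timeout:
            # No banner inside the timeout: the server speaks second, as a
            # TLS-wrapped port does. This is the hang Daniel saw in his log.
            return {"kind": "implicit-tls", "banner": None, "starttls": False}
        if not banner or not banner[0].startswith("220"):
            return {"kind": "unknown", "banner": banner, "starttls": False}
        sock.sendall(b"EHLO " + PROBE_NAME + b"\r\n")
        caps = set()
        for line in _read_reply(sock)[1:]:  # first line is the server name
            words = line[4:].split()
            if words:
                caps.add(words[0].upper())
        has_starttls = "STARTTLS" in caps
        try:
            sock.sendall(b"QUIT\r\n")
            _read_reply(sock)
        except OSError:
            pass
        return {"kind": "starttls" if has_starttls else "plaintext-only",
                "banner": banner[0], "starttls": has_starttls}


def start_fake_server(kind):
    """Start a throwaway in-process SMTP server of the given kind on 127.0.0.1
    and return its port. Constructed for the demo: it speaks no real TLS; the
    'implicit-tls' variant just stays silent, which is all a wrappermode port
    looks like to a client that never sends a ClientHello."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn:
            conn.settimeout(5)
            if kind == "implicit-tls":
                try:
                    conn.recv(1024)  # wait for a ClientHello that never comes
                except OSError:
                    pass
                return
            conn.sendall(b"220 fake.example ESMTP (constructed)\r\n")
            caps = [b"250-fake.example", b"250-PIPELINING"]
            if kind == "starttls":
                caps.append(b"250-STARTTLS")
            caps.append(b"250 8BITMIME")
            while True:
                try:
                    line = conn.recv(1024)
                except OSError:
                    return
                if not line:
                    return
                if line.upper().startswith(b"EHLO"):
                    conn.sendall(b"\r\n".join(caps) + b"\r\n")
                elif line.upper().startswith(b"QUIT"):
                    conn.sendall(b"221 Bye\r\n")
                    return

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for kind in ("starttls", "plaintext-only", "implicit-tls"):
        print(kind, "->", classify_port("127.0.0.1", start_fake_server(kind)))
```

Against a real server the same classify_port call works unchanged, e.g. classify_port("mail.example.invalid", 587) should come back "starttls" and port 465 "implicit-tls"; an unexpected "plaintext-only" on a submission port is the thing to check before a client is ever allowed to fall back to clear text, and the silent case is the one to look for when a log shows connections that open and then do nothing.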
> 192.168.0.110:126 inet n - - - - smtpd
>     -o smtpd_tls_security_level=may
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> connect with Thunderbird to this address & port set to TLS - works. SSL
> does not.
Why do you expect SMTP after SSL to work on a port that supports SSL
after SMTP?
http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
--
Viktor.
P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
Now connecting from Thunderbird SSL works - TLS does not. Just
confirming - is this expected and proper behaviour?
--
Daniel
> Ok - inferring from that, I tried:
> 192.168.0.110:128 inet n - - - - smtpd
>     -o smtpd_tls_wrappermode=yes
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> Now connecting from Thunderbird SSL works - TLS does not. Just confirming
> - is this expected and proper behaviour?
Yes, of course. SSL after SMTP won't work with a service that runs SMTP
after SSL. The "SMTP inside SSL" service and "SSL inside SMTP" services
are not inter-operable and cannot be deployed on the same port.
The "SMTP over SSL" service (wrappermode=yes) is a legacy non-standard
service and should be phased out once all clients support "SSL over SMTP"
(aka STARTTLS).
Yes, that's expected. SSL wrappermode is incompatible with
standard SMTP or STARTTLS.
Typically wrappermode is specified only on port 465, which is
commonly referred to as the smtps port.
-- Noel Jones