Koozali.org: home of the SME Server

emailserver should use ssl by default

Offline hanscees

emailserver should use ssl by default
« on: March 10, 2014, 10:11:58 PM »
Hi,

I know this topic has been raised before, but I can't help it after seeing Snowden on data encryption (Dutch):
http://www.nu.nl/tech/3722695/snowden-wil-techbedrijven-data-beter-versleutelen.html

His claim is: data encryption does help a lot and should be applied if possible.

I therefore strongly feel that the email server on SME server should speak TLS/SSL by default when sending and receiving email, effectively encrypting the email transport layer.

I know that talking TLS in this way does not protect us from man-in-the-middle attacks, because you have to accept self-signed certificates (or email will become unreliable). But it does protect us from simple SMTP sniffing and it does make it harder for the bad guys (NSA).

If all email servers use TLS by default this will hamper mass surveillance quite a bit. And as soon as a good way comes along to deal with the man-in-the-middle problem we are ready for it.

I do realize it would be a lot of work since probably qmail won't work that way, and no, I am not wealthy enough to buy it. Just security aware.


So again my call to make SME server use TLS by default.

Sincerely, Hans-Cees


nl.linkedin.com/in/hanscees/

Offline janet

Re: emailserver should use ssl by default
« Reply #1 on: March 10, 2014, 11:25:01 PM »
hanscees

Requests like this are best raised as a New Feature Request (NFR) bug in bugzilla.
That way the developers get to see them.

My only (less than fully understanding the technicalities) comment is, that your suggestion appears to be asking that all mail servers use TLS/SSL by default when sending and receiving email, so therefore it is not only SME server that needs to change.

How do you propose that all mail servers in the world be changed?
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline hanscees

Re: emailserver should use ssl by default
« Reply #2 on: March 11, 2014, 08:19:31 PM »
Hi Janet,

Many email servers (MTAs) on the internet already work this way, thereby enhancing the overall security on the web. Even Microsoft Exchange can do this.
My suggestion is simply that SME joins the movement for privacy.


Hans-Cees




Offline janet

Re: emailserver should use ssl by default
« Reply #3 on: March 12, 2014, 04:40:33 AM »
hanscees

Did you raise a bug? What is the bug number?

Offline wellsi

Re: emailserver should use ssl by default
« Reply #4 on: March 24, 2014, 05:06:46 AM »
Raise a bug as a feature request so it can be discussed and changes made where needed.
............

Offline raem

Re: emailserver should use ssl by default
« Reply #5 on: March 24, 2014, 05:31:45 AM »
...

Offline Knuddi

Re: emailserver should use ssl by default
« Reply #6 on: March 24, 2014, 04:09:50 PM »
By default the SME server advertises TLS for mail reception (qpsmtpd) so half the job is done - we cannot force the sender to send via this channel though. On the sending side (qmail), the SME server does not try to use TLS.

Best guess would be to apply: http://inoa.net/qmail-tls/qmail-1.03-tls-20021228-renato.patch

The certificate is already in place.
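
The reply above separates advertising STARTTLS on reception from attempting it on sending. As an added example (not part of the thread, and not SME Server, qpsmtpd or qmail code), this Python parses an EHLO reply to see whether STARTTLS is advertised and makes the opportunistic choice a sending MTA would make. The function names and the sample replies are constructed for illustration.

```python
import re

# RFC 5321 reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply: str) -> dict:
    """Return {KEYWORD: params} for the extensions listed in an EHLO reply.

    Raises ValueError on a malformed or non-250 reply.
    """
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines:
        raise ValueError("empty reply")
    extensions = {}
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"unexpected reply line: {line!r}")
        is_last = m.group(2) == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        if i == 0:
            continue  # first line is the server greeting, not an extension
        keyword, _, params = m.group(3).partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def outbound_mode(reply: str) -> str:
    """Opportunistic TLS on the sending side: encrypt if offered, else plaintext."""
    return "starttls" if "STARTTLS" in parse_ehlo(reply) else "plaintext"


# Constructed sample replies (hypothetical host name, not captured from a server).
WITH_TLS = ("250-mail.example.test Hi\r\n250-PIPELINING\r\n250-8BITMIME\r\n"
            "250-SIZE 15000000\r\n250 STARTTLS\r\n")
WITHOUT_TLS = "250-mail.example.test Hi\r\n250-PIPELINING\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, reply in (("with", WITH_TLS), ("without", WITHOUT_TLS)):
        print(name, sorted(parse_ehlo(reply)), outbound_mode(reply))
```

The capability list is read before any encryption starts, so the plaintext fallback is only as trustworthy as the network path; this matches the first post's point that opportunistic TLS stops simple sniffing but not a man in the middle.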

Offline Jean-Philippe Pialasse

Re: emailserver should use ssl by default
« Reply #7 on: April 08, 2019, 05:31:18 AM »
For those interested, some follow-up here: https://forums.contribs.org/index.php/topic,53919.0.html
We have implemented a patch to add TLS support.