On 2013-07-12 08:42, Gilles Chehade wrote:
> On Thu, Jul 11, 2013 at 07:28:19PM -0300, Hugo Osvaldo Barrera wrote:
> >
> > > * TLS perfect forward secrecy with ecdhe
> >
> > I'm slightly ignorant on this topic, so let me ask to be sure.
> > Do we need to *do* anything for PFS to work, (like use a specific type
> > of key?), or should it work out-of-the-box with any TLS key type?
> >
>
> You don't need to do anything on the OpenSMTPD side except build and run
> the code on a machine that has a recent OpenSSL with support for ECDH.
>
> You can check that it works by doing:
>
> $ openssl s_client -host yourmailhost -port 25 -starttls smtp
>
> and searching for the line:
>
> "New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
>                              ^^^^^
>
> Now, all you need is a client that will negotiate that.
> To verify, simply send yourself a mail and check the headers:
>
> Received: from desktop.poolp.org (89-156-140-4.rev.numericable.fr
>     [89.156.140.4]);
>     by poolp.org (OpenSMTPD) with ESMTPSA id ebf56aec;
>                                   vvvvv
>     TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256
>     verify=NO;
>                                    ^^^^^
>     for <[email protected]>;
>     Fri, 12 Jul 2013 08:37:50 +0200 (CEST)
> Message-ID: <[email protected]>
> Date: Fri, 12 Jul 2013 08:37:50 +0200
> From: Gilles Chehade <[email protected]>
> User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:17.0) Gecko/20130628
>  Thunderbird/17.0.7
>
>
> --
> Gilles Chehade
>
> https://www.poolp.org @poolpOrg
>
> --
> You received this email because you are subscribed to mailing list:
> [email protected]
> To unsubscribe, send mail with subject:
> [[email protected]] unregister
Hmmm... It's odd, because it looks like smtpd isn't using TLS when
relaying my local email.
Let me explain a bit.
I run smtpd locally, and mutt sends through it. In turn, smtpd relays
to the outside world:
listen on lo
accept from local for any relay
My email server listens as follows (I'm omitting listen lo0 and a couple
of other irrelevant bits):
listen on egress port 25 tls hostname "mx1.ubertech.com.ar"
listen on egress port 465 smtps hostname "smtp.ubertech.com.ar" # Obsoleted by RFC3207
listen on egress port 587 tls-require auth <usrs> hostname "smtp.ubertech.com.ar"
When I send an email using this path, no TLS seems to be involved:
Received: from hyperion.ubertech.com.ar (hyperion.ubertech.com.ar
[190.210.108.249]);
by mx1.ubertech.com.ar (OpenSMTPD) with ESMTP id 45260da2;
for <[email protected]>;
Fri, 12 Jul 2013 17:09:22 +0000 (GMT)
Received: from hyperion.ubertech.com.ar (localhost.localdomain [127.0.0.1]);
by hyperion.ubertech.com.ar (OpenSMTPD) with ESMTP id 5d66bf9a;
for <[email protected]>;
Fri, 12 Jul 2013 17:09:24 +0000 (UTC)
I understand that the first part (mutt->smtpd) doesn't run TLS, because
my local instance doesn't listen with TLS, but shouldn't the email be
relayed using TLS (local smtpd->remote smtpd)?
Emails from EXTERNAL hosts seem to be using TLS, and, from the looks of
the logs, my local smtpd isn't trying to use STARTTLS at any given moment.
Is this a bug? Shouldn't smtpd always try to use TLS on outgoing email?
--
Hugo Osvaldo Barrera
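As an added example (not code from this thread or from OpenSMTPD), a small Python checker for exactly the question raised here: it unfolds the Received: headers of a message and reports, per hop, whether the receiving MTA recorded ESMTPS/ESMTPSA and a TLS line, and whether the cipher used ephemeral (EC)DH, i.e. forward secrecy. The sample headers are constructed from the two messages above, with placeholder recipient addresses.

```python
import re

# Constructed sample: the plaintext hop quoted above plus one hop in the form
# OpenSMTPD writes when STARTTLS/SMTPS was negotiated (placeholder addresses).
SAMPLE_HEADERS = """\
Received: from hyperion.ubertech.com.ar (hyperion.ubertech.com.ar
\t[190.210.108.249]);
\tby mx1.ubertech.com.ar (OpenSMTPD) with ESMTP id 45260da2;
\tfor <user@example.invalid>;
Received: from desktop.poolp.org (89-156-140-4.rev.numericable.fr [89.156.140.4]);
\tby poolp.org (OpenSMTPD) with ESMTPSA id ebf56aec;
\tTLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO;
\tfor <user@example.invalid>;
"""

WITH_RE = re.compile(r"\bwith\s+(E?SMTPS?A?)\b")   # ESMTP, ESMTPS, ESMTPSA, SMTPS
BY_RE = re.compile(r"\bby\s+(\S+)")
TLS_RE = re.compile(r"TLS version=(\S+)\s+cipher=(\S+)\s+bits=(\d+)")

def unfold_received(raw):
    """Return each Received: header as one string, joining folded continuation lines."""
    hops = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and hops:
            hops[-1] += " " + line.strip()
        elif line.startswith("Received:"):
            hops.append(line[len("Received:"):].strip())
    return hops

def classify_hop(hop):
    """Describe one hop: receiving MTA, the 'with' protocol, and its TLS state."""
    with_m = WITH_RE.search(hop)
    proto = with_m.group(1) if with_m else "UNKNOWN"
    by_m = BY_RE.search(hop)
    tls_m = TLS_RE.search(hop)
    cipher = tls_m.group(2) if tls_m else None
    return {
        "by": by_m.group(1) if by_m else None,
        "with": proto,
        # ESMTPS/ESMTPSA (or an explicit TLS line) means the hop was encrypted.
        "encrypted": "SMTPS" in proto or tls_m is not None,
        "cipher": cipher,
        # Ephemeral (EC)DH key exchange is what provides forward secrecy.
        "forward_secrecy": cipher is not None and cipher.startswith(("ECDHE-", "DHE-")),
    }

def audit(raw):
    """Classify every hop; the first Received: header is the most recent hop."""
    return [classify_hop(h) for h in unfold_received(raw)]
```

Run `audit()` over the raw headers of a received message; any hop reported with `encrypted: False` is one where the sending side never negotiated STARTTLS, which is what the headers quoted above show for the local relay.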
