How do SMTP clients determine whether to use Explicit or Implicit SSL
Most mail clients that support SSL/TLS only require the user to say whether or not SSL should be enabled. The user doesn't have to know anything about Explicit & Implicit SSL and the differences between them.

So, how does the mail client determine which type of SSL to use? Is it based on default port numbers? Does it just try one and then the other?

Onia answered 29/4, 2009 at 19:29 Comment(0)
A mail client must know if implicit SSL is in use when it connects, as it is responsible for initiating the SSL handshake with a ClientHello message. How it determines this is up to the client. Port numbers are a great hint, but there could also be a check box in some UI that forces it even when the standard (unprotected) port number is used.

There are IANA registered port numbers for secure mail, but some ISPs may use other ports.

  • IMAP/SSL: 993
  • POP3/SSL: 995

SMTP/SSL is often offered on port 465, but this is not registered, and is less common since explicit SSL is widely supported by SMTP agents.

Support for explicit SSL can be advertised by a server using a protocol-specific negotiation. For example, when a client connects to an SMTP server, and issues the EHLO command, the server will list its capabilities, which might include support for the STARTTLS command.

Pharmacognosy answered 29/4, 2009 at 19:36 Comment(1)
This answer is no longer true since RFC 8314 (January 2018), which reattributes port 465 for email submission using implicit TLS and recommends it over using explicit TLS: rfc-editor.org/rfc/rfc8314 - Prepense
Port 465 is very common among commercial mail servers and is used very often. Most often it is used for implicit SSL. When you telnet to this port you will get a timeout, since you must set up the SSL connection first before communicating with the mail server. Thus a timeout may be the first clue that you have an implicit SSL connection. You cannot use EHLO to return results because no connection other than an SSL connection is allowed. And no, you do not simply connect to an SMTP server running implicit SSL; it will not respond and will just drop the connection. That is what it is supposed to do. Explicit SSL will allow the connection first and then set up SSL. And yes, implicit SSL is used often. The drawback is that the RFC standards are not specific as to how it is implemented, so different developers set it up in varying ways, even though implicit SSL is considered by some as deprecated.

Strata answered 23/3, 2014 at 22:12 Comment(0)
I believe most clients that support SMTP over SSL start out with an unencrypted connection and issue an EHLO rather than HELO. The former has extra flag responses, one of which indicates whether the server supports the STARTTLS command or not. If it does, then the client can use STARTTLS, and then use SSL from that point on.

Example:

% telnet quack.kfu.com 25
220 quack.kfu.com ESMTP ready NO UCE
EHLO client
250-quack.kfu.com Hello client [xx.xx.xx.xx] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-ETRN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
starttls
220 2.0.0 Ready to start TLS
Monday answered 29/4, 2009 at 19:32 Comment(5)
If I telnet to a mail server on port 465 and issue an EHLO command, I get no response back. Eventually the connection times out. I don't think issuing an EHLO is sufficient to determine whether an implicit or explicit connection is supported. Isn't it more to determine what types of authentication are supported once a connection is established? - Onia
EHLO just indicates that the server supports extended SMTP. IMHO, SSL is negotiated before the SMTP conversation. - Imperial
@unknown - no, SSL is not negotiated before that. You connect to an SMTP server plain, then "starttls" and engage SSL at that point. - Monday
@jbutler: I've never heard before today of SMTP servers listening with SSL on port 465. If you do configure an SMTP server to work that way, then you would have to connect to that port and immediately begin negotiating SSL before sending EHLO/HELO. In that circumstance, I would expect EHLO to not report STARTTLS, since it would be redundant. - Monday
STARTTLS is only used with explicit SSL connections. It is needed because the explicit connection is started in the clear and then the client must request a change to TLS. An implicit SSL connection starts immediately with the SSL negotiation. - Onia
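The three answers above describe the same client-side decision from different angles: the port number (465) as the hint for TLS-on-connect, the EHLO capability list that advertises STARTTLS for explicit TLS, and the silence or dropped connection you get when you speak cleartext SMTP to an implicit-TLS port. The following Python example, added here and not code from the question or any answer, puts those pieces together: a port-based mode choice with an override flag, a parser for multi-line SMTP replies and EHLO capabilities, a reply reader, and a diagnostic `probe_server` that tries the cleartext banner first and falls back to a TLS-first connection. `EHLO_REPLY` is transcribed from the telnet session in the last answer; `ScriptedSocket`, the EHLO client name `probe.example` and the host `mail.example.net` are constructed placeholders.

```python
import socket
import ssl

SMTPS_PORT = 465        # implicit TLS: the client's first bytes are a ClientHello
SUBMISSION_PORT = 587   # explicit TLS: cleartext EHLO, then STARTTLS

# EHLO reply transcribed from the telnet session in the answer above
# (constructed test input; the IP is masked as on the page).
EHLO_REPLY = (
    "250-quack.kfu.com Hello client [xx.xx.xx.xx] (may be forged), pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n"
    "250-SIZE 25000000\r\n250-ETRN\r\n250-AUTH PLAIN LOGIN\r\n"
    "250-STARTTLS\r\n250-DELIVERBY\r\n250 HELP\r\n"
)


def choose_mode(port, force_implicit=False):
    """Decided before any byte is sent: the port is the usual hint, and a
    checkbox-style flag can force TLS-on-connect on any port."""
    return "implicit" if force_implicit or port == SMTPS_PORT else "starttls"


def parse_reply(text):
    """Split one SMTP reply into (code, [lines]). A line 'NNN-text' says
    more lines follow; 'NNN text' is the final line of the reply."""
    lines = [ln for ln in text.replace("\r\n", "\n").split("\n") if ln]
    code = lines[0][:3]
    body = []
    for ln in lines:
        if len(ln) < 4 or ln[:3] != code or ln[3] not in "- ":
            raise ValueError("malformed reply line: %r" % ln)
        body.append(ln[4:])
        if ln[3] == " ":
            return int(code), body
    raise ValueError("reply has no final line")


def ehlo_capabilities(text):
    """First line of a 250 EHLO reply is the greeting; each further line
    is a keyword plus optional parameters (SIZE 25000000, AUTH PLAIN LOGIN)."""
    code, body = parse_reply(text)
    if code != 250:
        raise ValueError("EHLO rejected with code %d" % code)
    caps = {}
    for line in body[1:]:
        keyword, _, params = line.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps


def supports_starttls(text):
    return "STARTTLS" in ehlo_capabilities(text)


def read_reply(sock, bufsize=4096):
    """Read until a complete 'NNN text' final line has arrived."""
    data = b""
    while True:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
        done = data.split(b"\r\n")[:-1]          # complete lines only
        if any(len(l) >= 4 and l[3:4] == b" " for l in done):
            return data.decode("ascii", "replace")


def probe_server(host, port, timeout=5.0):
    """Diagnostic for an unknown server: in the clear, an explicit-TLS
    server speaks first (220 banner); an implicit-TLS server stays silent
    or drops the connection while waiting for a ClientHello.
    Returns 'starttls', 'plain-only' or 'implicit'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            read_reply(sock)                         # 220 banner, if any
        except (socket.timeout, ConnectionError):
            banner = False
        else:
            banner = True
            sock.sendall(b"EHLO probe.example\r\n")  # placeholder client name
            caps = read_reply(sock)
            sock.sendall(b"QUIT\r\n")
    if banner:
        return "starttls" if supports_starttls(caps) else "plain-only"
    # No cleartext banner: reconnect and let TLS go first.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            read_reply(tls)                          # banner arrives inside TLS
            tls.sendall(b"QUIT\r\n")
    return "implicit"


class ScriptedSocket:
    """Stand-in socket replaying canned bytes in small chunks (offline use)."""
    def __init__(self, data, chunk=7):
        self._data, self._chunk = data, chunk

    def recv(self, bufsize):
        n = min(bufsize, self._chunk)
        out, self._data = self._data[:n], self._data[n:]
        return out

    def sendall(self, data):
        pass


if __name__ == "__main__":
    for port in (SMTPS_PORT, SUBMISSION_PORT):
        print(port, "->", choose_mode(port))
    reply = read_reply(ScriptedSocket(EHLO_REPLY.encode("ascii")))
    print("STARTTLS advertised:", supports_starttls(reply))
    # probe_server("mail.example.net", 465) needs a network and is not run here.
```

`probe_server` is written as a diagnostic for an administrator checking what a server expects; a real mail client would not normally fall back this way but would pick the mode up front from the port or a setting, exactly as the first answer says, because waiting for a timeout on every connection is slow and a downgrade-friendly design. The fallback reconnects rather than wrapping the original socket, since an implicit-TLS server that drops a silent cleartext connection leaves nothing to wrap.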