
Rather than purchasing SSL, I would create an SSL certificate. Of course my SSL certificate will not be useful, as browsers show "Un-trusted SSL". Can I use a self-signed SSL certificate on my mail server to send and receive emails? By using self-signed SSL, does it interrupt users' work, saying "you are using an un-trusted SSL certificate"?

Will it be useful?

And I believe that adding SSL to the mail server for email exchange will change my port numbers from 25, 110, 143 to 465, 995, 993. Am I right?

2 Answers


I hate to differ, mailq, but SSL between MTAs (that is, between your mail server and other mail servers) is perfectly well-supported and well-understood. It runs happily on port 25. When you connect to a mail server offering this, it's advertised in the EHLO phase:

[madhatta@anni ~]$ telnet www.teaparty.net 25
Trying 193.219.118.100...
Connected to www.teaparty.net.
Escape character is '^]'.
220 : ESMTP you accept terms at http://www.teaparty.net/smtp.html
EHLO me
250-www.teaparty.net Hello 88-111-161-32.dynamic.dsl.as9105.com [88.111.161.32], pleased to meet you
[...]
250-STARTTLS
[...]

A fellow mail server who's willing to talk TLS can then request escalation to encrypted communication, and the rest of the SMTP conversation can then happen under cover of crypto. The signed or unsigned state of a peer's certificate shows up in my sendmail logs thus:

Sep 25 22:42:05 www sendmail[24905]: STARTTLS=server, relay=nagios.teaparty.net [82.26.102.225], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256

In this case, I'm connecting to the foreign server (or it would say STARTTLS=client) and I can't, using my certificate bundle, verify the peer's certificate (or it would say verify=YES). But it's perfectly sound crypto, and worth doing.

Other than that I agree with your (otherwise excellent) answer.

MadHatter
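As an added illustration of the two artefacts in the answer above (the EHLO capability list and the sendmail STARTTLS log line), here is a small Python script that is not part of the original answer: it checks whether an EHLO reply advertises STARTTLS, then parses sendmail STARTTLS log lines and classifies each session by whether the peer certificate verified and whether the protocol or cipher is weak by today's standards. The sample EHLO reply and log lines are constructed for the example (the first log line mirrors the one quoted above); reading verify=OK as "peer verified", and the lists of legacy version strings and cipher markers, are my assumptions rather than anything stated in the answer.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# ---- Part 1: does a server advertise STARTTLS in its EHLO reply? ----

# Constructed sample EHLO reply, shaped like the telnet transcript above
# (the extension list is illustrative, not captured from that server).
SAMPLE_EHLO = (
    "250-www.teaparty.net Hello me [192.0.2.10], pleased to meet you\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def ehlo_extensions(reply: str) -> list[str]:
    """Return the ESMTP extension keywords from a multi-line 250 reply.

    Per RFC 5321 every line but the last reads '250-<text>' and the last
    reads '250 <text>'; the first line is the greeting, not an extension.
    """
    lines = [ln.rstrip("\r") for ln in reply.split("\n") if ln]
    if not lines or not lines[-1].startswith("250 "):
        raise ValueError("reply is not a complete 250 response")
    exts: list[str] = []
    for i, line in enumerate(lines):
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        if i == 0:
            continue  # greeting line carries no extension
        parts = line[4:].split()
        if parts:
            exts.append(parts[0].upper())
    return exts


def offers_starttls(reply: str) -> bool:
    """True if the peer advertised STARTTLS, so we may escalate to TLS."""
    return "STARTTLS" in ehlo_extensions(reply)


# ---- Part 2: classify sendmail STARTTLS log lines ----

STARTTLS_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: STARTTLS=(?P<role>server|client), "
    r"relay=(?P<relay>[^,]+), version=(?P<version>[^,]+), "
    r"verify=(?P<verify>[^,]+), cipher=(?P<cipher>[^,]+), "
    r"bits=(?P<bits>\d+)/(?P<alg_bits>\d+)"
)

# Assumptions for the weakness check: only TLS 1.2+ counts as modern, and
# these substrings mark ciphers nobody should still accept.
MODERN_VERSIONS = ("TLSv1.2", "TLSv1.3")
LEGACY_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


@dataclass
class TlsSession:
    role: str      # "server" (they connected to us) or "client" (we connected out)
    relay: str
    version: str
    verify: str
    cipher: str
    bits: int

    @property
    def peer_verified(self) -> bool:
        # Assumption: sendmail logs verify=OK when the peer certificate chained
        # to a trusted CA; any other value (NO, NOT, FAIL, ...) means it did not.
        return self.verify == "OK"

    @property
    def weak(self) -> list[str]:
        """Reasons this session would be flagged by a modern TLS policy."""
        reasons = []
        if self.version not in MODERN_VERSIONS:
            reasons.append(f"protocol {self.version}")
        if any(m in self.cipher for m in LEGACY_CIPHER_MARKERS):
            reasons.append(f"cipher {self.cipher}")
        if self.bits < 128:
            reasons.append(f"{self.bits}-bit key")
        return reasons


def parse_starttls(line: str) -> Optional[TlsSession]:
    """Parse one syslog line; return None for lines that are not STARTTLS records."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    return TlsSession(m["role"], m["relay"], m["version"], m["verify"],
                      m["cipher"], int(m["bits"]))


# Constructed sample log: the first line mirrors the one quoted in the answer;
# the rest are made up to show a verified peer, a weak cipher, and an unrelated line.
SAMPLE_LOG = """\
Sep 25 22:42:05 www sendmail[24905]: STARTTLS=server, relay=nagios.teaparty.net [82.26.102.225], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 25 22:43:10 www sendmail[24910]: STARTTLS=client, relay=mx.example.org., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Sep 25 22:44:01 www sendmail[24912]: STARTTLS=server, relay=[198.51.100.7], version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-MD5, bits=128/128
Sep 25 22:44:30 www sendmail[24915]: from=<a@example.net>, size=1234, nrcpts=1
"""


def summarize(log: str) -> dict:
    """Count verified/unverified STARTTLS sessions and list the weak ones."""
    sessions = [s for s in (parse_starttls(ln) for ln in log.splitlines()) if s]
    return {
        "sessions": len(sessions),
        "verified": sum(s.peer_verified for s in sessions),
        "unverified": sum(not s.peer_verified for s in sessions),
        "weak": [(s.relay, s.weak) for s in sessions if s.weak],
    }


if __name__ == "__main__":
    print("STARTTLS offered:", offers_starttls(SAMPLE_EHLO))
    print(summarize(SAMPLE_LOG))
```

Run against a real maillog, `summarize` gives a quick read on how much of your MTA-to-MTA traffic is encrypted at all, how much of it is with peers whose certificates you could actually verify, and which peers still negotiate legacy parameters; the verify column is where a self-signed certificate on either end shows up.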

SSL is only useful for connections between clients (Outlook, Thunderbird, ...) and the server. And yes it will change the ports for IMAP, POP3 and SMTP to their equivalent ports.

Using SSL between your SMTP server and other SMTP servers is not supported or specified (except to another relay host). They will still use port 25 for mail exchange (unencrypted).

Self-signed certificates will always "disturb" clients as they are not trusted. You can make them trusted by inserting the public CA key into the client software.

So if it is useful depends on what you are trying to accomplish.

mailq