Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Widespread is Secure SMTP Usage?

Posted by Cliff on from the worried-about-sniffers-on-your-email? dept.

Honest Postmaster asks: "Maybe I am a paranoid nut, or maybe I just feel like my users email is as sacred as snail mail (which we like to hope is untouched); but i have been getting a sinking feeling about all the news I have been hearing about NSA & Government agencies getting potential carte-blanch to sniff email traffic (if they didn't have such, already). I did a quick search and found RFC 2487, which seems to define secure transfer of traffic between SMTP servers using TLS/SSL. Firstly, is this truly a reasonably 'secure' solution? Secondly it seems to have actual implementations (e.g. exim), but it will only work if both client and server support it -- how widespread is its usage? is it hopeless to expect every ISP, megamail .com to get around to turning this feature on, or will sniffing just be a part of our everyday reality?"

3 of 13 comments (clear)

  1. Is PGP really secure? by dustpuppy · · Score: 5, Interesting

    There has been a lot of talk that PGP is the only unbreakable encryption method out there, but doesn't one find it interesting that the US government would hound Zimmerman mercilessly for years and then all of a sudden stop.

    Now why would they suddenly stop harrassing him ... maybe because the RSA has finally found a way to break the PGP encryption? It's standard practice that once you know how to break someone's code, you don't ever let them know which guarantees that you can keep on reading all their transmissions.

    I only ever felt secure *while* the US Government kept hounding Zimmerman. Now that they have stopped, I would assume that no email can be secured.

  2. SSL/TLS is possible, but not an optimal solution by bruckie · · Score: 4, Interesting

    I did quite a bit of research about this very thing as I was setting up my company's mail server. Here's what I found out:

    • SSL support is very widespread in both SMTP servers and clients. Postfix, Sendmail, and Exim support it on the server end. Outlook Express, Outlook, and Mozilla support it on the client side. These lists are by no means exhaustive.
    • Many mail servers in use don't have encryption support turned on, thereby forcing you (who wants to use encryption) to either send your message in plaintext, not send it, or encrypt it with something like PGP.
    • SSL/TLS is not a good e-mail security solution even if both servers (sending and receiving) support and use it. Why? SSL (secure sockets layer) and TLS (transport level security) only encrypt the message while it's in transit, between the servers. However, SMTP is a store and forward system, and SSL/TLS only protects the "forward" part of it. The messages usually sit unencrypted on disk for anyone to view. Any intermediate person with access to a mail server can read a message, even if it was sent using SSL/TLS.
    • Although SMTP SSL/TLS isn't optimal for complete security, it is still useful. Transit security is better than no security at all.

    I decided to implement a Postfix server at my company, and enabling SSL/TLS isn't hard at all. You just patch the source, compile, and tell Postfix where to find its certificates.

    Why did I choose to use SMTP encryption when it has all of the drawbacks listed above? Two reasons:

    1. Some security is better than none.
    2. It protects passwords used to allow relaying (for legitimate company users).

    You can set Postfix to:

    • Only talk to servers that have SSL enabled (thereby prevent a large part of the internet from sending you mail)
    • Use it when it's available but send even if it's not
    • Never use encryption.

    (Each of these setting is independently "settable" for sending mail and receiving mail.)

    In short, use PGP or similar if you need real security. SSL/TLS is only useful as an added protection.

    --Bruce
    --
    There are 10 kinds of people in the world: those who understand binary, and those who don't.
  3. TLS in the Real World by Anonymous Coward · · Score: 1, Interesting

    From what I've seen quite a few messages that
    I've gotten from people are TLS encrypted,

    For example my incoming mail from my sourceforge list serves:

    Received: from unknown (HELO usw-sf-list1.sourceforge.net) (216.136.171.252)
    by xxxxx.mysite.net with DES-CBC3-SHA encrypted SMTP; 2 Oct 2001 18:07:
    37 -0000
    but what I find interesting is from a well known
    site like hushmail who say everything about encryption and stuff:

    Received: from mailserver1.hushmail.com (mailserver1.hushmail.com [64.40.111.27]
    )
    by smtp4.hushmail.com (Postfix) with ESMTP id ABCFA321B

    no encryption :( and they don't support regular mutt mime-type encryption.

    -Myron