# SMTP client with SSL support

## masseya

Ok, so I have to admit that setting up SMTP clients isn't my forte.  Here's what I need.  Perhaps someone can guide me toward a client and possibly a quick and dirty description of how to set it up.  

Purdue University has decided to no longer relay emails.  This is good because then people don't block your domain because of spam that is sent through it.  However, this means that any smtp client that interacts with Purdue's server has to be authenticated via SSL.  

Thus, I can't use something like ssmtp or nbsmtp because they don't support that.  I was thinking of using postfix because it seems to be a popular choice for a gentoo user and I know that it supports SSL.  However, I'm not really sure how to set this up and I haven't been able to find a good install doc for someone who just wants to send mail.  

The setup described in the Desktop configuration guide seems to be really straightforward, but that doesn't allow postfix to authenticate itself to the host, which is what I need.

I don't want to setup a relay server myself.  I don't really want to even have mails sent to other accounts on my computer (i.e. root..).  I just want to be able to send mail from Mutt like I used to be able to do before this whole relay ban that Purdue decided to enforce.  Any thoughts?

----------

## Xor

heh... so Evolution is not quite an option.... I would use mutt myself, but due to a strange terminal problem (or whatever) I'm not able to do so.... 

To answer your question, I have to be sure what authentication mechanism is in place. You can identify yourself through user/pass (via CRAM-MD5 or whatever), doing that over TLS/SSL, or hand over a client certificate to prove your identity. 

Anyhow, everything is possible with postfix  :Smile:  - and postfix is quite straightforward to configure. It's basically "key = value": to use TLS you simply add smtp_use_tls = yes to your configuration (there are good sample config sections!); to add support for authentication you need to use a special lookup table (I think, never used it, but I think I saw it somewhere in the config); you might also want to set a smart-host (your mail-relay server).

I don't know how good the gentoo-distributed postfix configuration is, but it shouldn't take more than 30min to bring postfix up and running....

----------

## klieber

 *Tristam29 wrote:*   

> However, this means that any smtp client that interacts with Purdue's server has to be authenticated via SSL.

 

Tristam29 -- I'm a bit confused.  SSL doesn't really do client-side authentication of any sort.  It's more at the encryption layer.  Are you sure you didn't mean to say SMTP AUTH instead?

If it truly is SSL for authentication, then I'm assuming they're handing out client certificates and are using some sort of PKI infrastructure???

 *Tristam29 wrote:*   

> I don't want to setup a relay server myself.

 

OK, but that's essentially what you're doing.  Actually, I believe the more accurate term is "smarthost" which essentially accepts all email that you give to it and forwards it on to a pre-defined SMTP server for further processing.

Personally, I find Postfix fairly complex, especially for what you're trying to do.  Postfix kicks butt and is highly scalable, but so far, I can't call it easy to configure.

I use exim, which is fairly easy to configure, but YMMV.  

--kurt

----------

## masseya

 *Xor wrote:*   

> It's basically "key = value": to use TLS you simply add smtp_use_tls = yes to your configuration (there are good sample config sections!); to add support for authentication you need to use a special lookup table (I think, never used it, but I think I saw it somewhere in the config); you might also want to set a smart-host (your mail-relay server). 

 

So do you mean there's a place where I store my password for authentication in clear text in the config file??   I would like to avoid this.  Are you talking about the SSL certificates that I would have to have so that I don't have to deal with an error in SSL authentication every time?

 *klieber wrote:*   

>  *Tristam29 wrote:*   However, this means that any smtp client that interacts with Purdue's server has to be authenticated via SSL. 
> 
> Tristam29 -- I'm a bit confused.  SSL doesn't really do client-side authentication of any sort.  It's more at the encryption layer.  Are you sure you didn't mean to say SMTP AUTH instead?

 

I doubt that you're more confused than I am.   :Very Happy:   I get the feeling that the picture in my head needs revising.  I'm thinking that the SMTP client can communicate on top of several different layers and that the one I want to use is SSL, which has to be built into the client because SSL isn't a fully independent transport protocol.  Because of this I have to connect to the SSL-enabled SMTP port on Purdue's server.  When I first try to connect to the port, the SSL part has to verify that everyone has a happy certificate.  Once this is done the client and the server can begin going about their business.  A big part of that is SMTP AUTH (which I have read about, but don't understand fully).  This is the part that requires me to log in.  So what I need is an SMTP client that has SSL built into it, which allows for easy configuration.  (HAR!  :Laughing: )   I would like to be able to enter my password manually, but I would also like to be able to do that from mutt, which I don't think is possible.  What I'm beginning to think will have to happen is that I'll have to set up some kind of connection to the SSL-enabled SMTP port on Purdue's server manually before sending mail and then go back to my mail reader, mutt, and send the mail.  Is there a way to buffer this so that I can send mail to my SMTP client/relay server/thing and then it will connect, say every 5 minutes, to Purdue's SMTP server on its own and send out all the mail I have put in the queue? 

 *klieber wrote:*   

>  *Tristam29 wrote:*   I don't want to setup a relay server myself. 
> 
> OK, but that's essentially what you're doing.  Actually, I believe the more accurate term is "smarthost" which essentially accepts all email that you give to it and forwards it on to a pre-defined SMTP server for further processing.

 

I was afraid this was what I was doing without realizing it.  So if I were to go with Exim, I would want to configure it so that the only person who can use it to send mail is a particular account on my local machine.  Is that a good idea or even possible?

If anyone reading this is thinking, "Oh, yeah I used to have a concept of mail systems similar to that until I read XYZ, which made things a lot clearer!"  Please post a link to XYZ here.   :Smile: 

----------

## klieber

 *Tristam29 wrote:*   

> I'm thinking that the SMTP client can communicate on top of several different layers and that the one I want to use is SSL, which has to be built into the client because SSL isn't a fully independant transport protocol.

 

That's just the thing, though -- SSL is a transport protocol, but it isn't an authentication protocol.  If you're using certs, that's a different story, but certs != SSL.

 *Tristam29 wrote:*   

> So if I were to go with Exim, I would want to configure it so that the only person who can use it to send mail is a particular account on my local machine.  Is that a good idea or even possible?

 

Yes, it's doable.  I'd say it's easier and just as safe to simply say "anyone who has an account on my local machine can use exim to send out mail" unless you're in a habit of distributing free shell accounts to people you don't trust.  :Smile: 

--kurt

----------

## masseya

 *klieber wrote:*   

> That's just the thing, though -- SSL is a transport protocol, but it isn't an authentication protocol.  If you're using certs, that's a different story, but certs != SSL.

 

So how does SSL establish a trusted encrypted connection without certificates?  (i.e. How can you separate certificates from SSL?)  Take web browsing as an example.  You have to verify the certificate.  This happens by the browser going and doing it for you, or coming back and popping up an obfuscated error message saying that the world is going to end unless you click Cancel.

----------

## Xor

man... I'm too dumb to use quoting in this piece of software....

the password for ASMTP (SMTP AUTH) is stored in cleartext... you can store it in a hashed database... but it's still more or less cleartext... 

mutt is a MUA.... it doesn't care about SMTP... not ASMTP or SSL over SMTP .... it calls the command sendmail and "drops" the mail to it.... what "sendmail" is doing with it is not mutt's problem.... 

exim is easy - that's true (more or less) for version 3.... but I saw version 4.... and all changed (that's now a little bit off-topic) - it's a great MTA if you are going to do really geeky stuff.... but as long as I "just" need a "simple" MTA... I stay with postfix.... btw: v4 is the current release AFAIK

you might give pine a shot... I *heard* that it supports SMTP... nevertheless, there's still netscape-mail or this currently highly unstable evolution.....
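As an added example (not configuration posted by anyone in this thread), here is how the pieces mentioned above fit into a Postfix main.cf: the smart-host and TLS from Xor's first reply, the lookup table that holds the SMTP AUTH credential, and kurt's "only local accounts may send" restriction. The smarthost name and the credential are placeholders.

```ini
# /etc/postfix/main.cf fragment: send everything through one authenticated,
# TLS-protected smarthost and accept submissions only from this machine.
# Added example; "smtp.example.edu" and the credential are placeholders.

# Smarthost that relays for us. [] disables the MX lookup; :587 selects the
# submission port. For a TLS-on-connect server (port 465) use ":465" plus
# "smtp_tls_wrappermode = yes" instead.
relayhost = [smtp.example.edu]:587

# Require TLS and verify the server certificate against the system CA bundle.
# Older Postfix releases use "smtp_use_tls = yes" / "smtp_enforce_tls = yes"
# instead of smtp_tls_security_level.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# SMTP AUTH toward the smarthost. The credential lives in a lookup table, so
# keep that file root-only (chmod 600) and rebuild the map after editing:
#   postmap hash:/etc/postfix/sasl_passwd
# /etc/postfix/sasl_passwd holds one line (placeholder values):
#   [smtp.example.edu]:587 username:password
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Refuse PLAIN/LOGIN unless the session is already TLS-protected.
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

# Only local users may submit: listen on loopback and trust nothing else.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128

# Send-only box: no local delivery, every message goes to the relayhost.
mydestination =
```

Check the result with `postconf -n` and by watching the mail log for the TLS and authentication lines on the first delivery; a wrong CA file or an unverifiable server certificate shows up there as a deferred message rather than as cleartext fallback.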

----------

## klieber

 *Tristam29 wrote:*   

> So how does SSL establish an trusted encrypted connection without certificates?

 

Actually, I may have misspoken here.  I haven't read the SSL RFC, so I'm not sure what is required by it.  However, from a technical standpoint, all SSL needs to establish an encrypted connection is two public/private key pairs -- one on each end of the connection.

What certs give you is non-repudiation.  If you establish an SSL connection to Amazon.com, certificates verify that it really is Amazon.com and not Barnesandnoble.com trying to impersonate Amazon.

--kurt

----------

## klieber

 *Xor wrote:*   

> exim is easy - that's true (more or less) for version 3.... but I saw version 4.... and all changed (that's now a little bit off-topic) - it's a great MTA if you are going to do really geeky stuff.... but as long as I "just" need a "simple" MTA... I stay with postfix.... btw: v4 is the current release AFAIK

 

 :Laughing:   Swap places with Exim and Postfix everywhere in that statement and that's what I'd say about the two MTAs.  Then again, I've got more experience with Exim and very little with postfix.  So, Tristam29 -- what I'd recommend is taking a look at the config files and user manuals for both (as well as qmail if you're particularly masochistic) and figure out which one seems to make the most sense to you.  Then, jump in and learn that one.

--kurt

----------

## masseya

Here's the section on anonymous key exchange from the RFC for TLS:

 *RFC 2246 wrote:*   

> F.1.1.1. Anonymous key exchange
> 
> Completely anonymous sessions can be established using RSA or Diffie-Hellman for key exchange. With anonymous RSA, the client
> ...

 

The section on certificates then says that they may contain the key as well as authentication materials.  So apparently it's quite possible to establish a TLS connection without authentication.  Looks like you were right.   :Smile: 

http://www.ietf.org/rfc/rfc2246.txt

----------

## Xor

okay... get started with this tiny exim4 config

http://marc.merlins.org/linux/exim/exim4-conf/exim4.conf.master

then tell me if you would not prefer a KISS "key = value" system.

I admit, my postconf -n is 'bout 100 lines.... but each of them is documented in a sample file  :Smile: 

but hey, as kurt said.... dive into the wonderful world of MTAs.... just do me a favor and configure it right  :Wink: 

----------

## Teardrop

could anyone of you TLS experts help me? i did the virtual mailhost how-to in the doc section. everything works fine until i put the line "use_tls_auth_only = yes" in my postfix config file. then i have an SSL error when they want to exchange the certificates. What info do you need so that someone could give me a little hand?

thx a lot

cu Teardrop

----------

