Securing SMTP sessions using the STARTTLS extension

Share

Just setup this on a customer today. Befor this setup you need to install a certificate on your server.

SMTP sessions conducted over a standard TCP/IP channel are vulnerable to eavesdropping because the unencoded transmission can be easily intercepted. To protect SMTP communications, servers can use transport-layer security (TLS), more commonly known as SSL encryption, to provide privacy and authentication.

Some servers support SSL for SMTP communications by sending and receiving SMTP traffic through the SSL port (port 465 by default) only. However, because this requires that both the sending and receiving servers support SMTP over SSL, this solution isn’t always practical.

To provide SSL security for SMTP transfers over TCP/IP, Domino┬« supports the use of negotiated SSL. In a negotiated SSL scheme, the sending and receiving hosts each use the SMTP STARTTLS extension, defined in RFC 2487, to signal their readiness to negotiate an SSL connection. The receiving server displays the STARTTLS keyword in response to the sending server’s EHLO command. The sending server issues the STARTTLS command to request the creation of a secure connection. After the initial TLS handshake completes successfully, the two parties proceed to set up an SSL channel between them. Both the sending and receiving server must possess SSL certificates.

Supporting STARTTLS for outbound SMTP sessions

A Domino server configured to use negotiated SSL for outbound mail connects to the receiving server’s SMTP TCP/IP port (port 25 by default). If the initial SMTP response from the receiving server indicates that it supports the STARTTLS extension, Domino issues the STARTTLS command to request the use of SSL to encrypt the rest of the session.

If the receiving server did not advertise support for STARTTLS in response to the Domino server’s EHLO command, the sending Domino server continues with an unencrypted SMTP TCP/IP session.

To enable outbound STARTTLS support, set the SMTP outbound TCP/IP port status to: Negotiated SSL.