First, what is SMTP TLS?
[It is an] extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet. This gives SMTP agents the ability to protect some or all of their communications from eavesdroppers and attackers . . . In many cases, [SMTP] communication goes through one or more routers that are not controlled or trusted by either entity. Such an untrusted router might allow a third party to monitor or alter the communications between the server and client.
Further, there is often a desire for two SMTP agents to be able to authenticate each others' identities. For example, a secure SMTP server might only allow communications from other SMTP agents it knows, or it might act differently for messages received from an agent it knows than from one it doesn't know.
TLS [TLS], more commonly known as SSL, is a popular mechanism for enhancing TCP communications with privacy and authentication. TLS is in wide use with the HTTP protocol, and is also being used for adding security to many other common protocols that run over TCP.
~from RFC 2487.
I think that the RFC makes it clear, but if not: TLS provides secure electronic communications between two SMTP servers over the public internet. Another explanation comes from the Domino Administrator Help file:
SMTP sessions conducted over a standard TCP/IP channel are vulnerable to eavesdropping because the unencoded transmission can be easily intercepted. To protect SMTP communications, servers can use transport-layer security (TLS), more commonly known as SSL encryption, to provide privacy and authentication.
Configuring TLS on a Domino server can be challenging, but Lotus has a draft TechNote on the process.
I brought this subject up because the draft TechNote isn't as comprehensive as another reference document at your disposal. I am referring to another "Show-n-Tell Thursday" article that I have posted, "Setting up Domino SMTP TLS."
Of course, another option would be to enable it on your anti-virus/anti-spam appliance, if applicable.
If you think that ALL of your outbound SMTP traffic will be using TLS, you will be mistaken. Again, from the Domino Administrator Help file:
If the receiving server did not advertise support for STARTTLS in response to the Domino server's EHLO command, the sending Domino server continues with an unencrypted SMTP TCP/IP session.
For inbound SMTP traffic:
You can configure Domino to support the STARTTLS command for inbound SMTP transactions. When a Domino SMTP server is set to use negotiated SSL for inbound sessions, the server advertises support for STARTTLS in response to EHLO commands the TCP/IP port receives from connecting hosts. A connecting host can then issue the STARTTLS command to request an encrypted session.
If Domino is configured to require STARTTLS for SMTP sessions over TCP/IP and a connecting host cannot meet this demand, no mail is sent over the connection.
I would give some serious thought to requiring inbound SMTP to use STARTTLS for all connections. It has the potential to deny mail from some (most?) SMTP servers.
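To make the negotiation described in the two help-file passages concrete, here is a small added model (not Domino code, not from the TechNotes): constructed EHLO replies stand in for a peer that does and does not advertise STARTTLS, and `decide_session()` applies the two policies the help text describes, negotiated (falls back to plaintext) and required (refuses the session).

```python
# Constructed EHLO replies for illustration; not captured from any real host.
EHLO_WITH_STARTTLS = [
    "250-mail.example.test Hello client.example.test",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 HELP",
]
EHLO_WITHOUT_STARTTLS = [
    "250-legacy.example.test Hello client.example.test",
    "250-SIZE 10485760",
    "250 HELP",
]

def parse_ehlo(lines):
    """Return the set of extension keywords in a multi-line 250 EHLO reply.

    Every line is '250-KEYWORD [params]' except the last, which is '250 KEYWORD'.
    The first line carries the server's domain and greeting, not an extension.
    """
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        body = line[4:].strip()            # drop the '250-' or '250 ' prefix
        keyword = body.split()[0].upper() if body else ""
        if keyword:
            extensions.add(keyword)
    return extensions

def decide_session(ehlo_lines, require_tls=False):
    """Decide how the SMTP session proceeds once the peer has answered EHLO.

    'tls'       -> peer advertised STARTTLS; the client issues STARTTLS and upgrades.
    'plaintext' -> negotiated (opportunistic) mode; peer lacks STARTTLS, so the
                   session continues unencrypted (the fallback the help text warns of).
    'refused'   -> required mode; peer lacks STARTTLS, so no mail crosses the link.
    """
    if "STARTTLS" in parse_ehlo(ehlo_lines):
        return "tls"
    return "refused" if require_tls else "plaintext"

if __name__ == "__main__":
    for name, reply in (("modern", EHLO_WITH_STARTTLS), ("legacy", EHLO_WITHOUT_STARTTLS)):
        for require in (False, True):
            mode = "required" if require else "negotiated"
            print(f"{name:6} peer, {mode:10} policy -> {decide_session(reply, require)}")
```

Against a live server the same question is answered by `smtplib.SMTP.has_extn("starttls")` after `ehlo()`, which is a quick way to audit whether a given peer would hit the plaintext fallback or the refusal.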
Link: How to Configure Domino for Secure SMTP Sessions Using STARTTLS (April 2005)
Link: DRAFT TechNote: Enabling TLS/SSL for SMTP
Technorati tag: SnTT Show-n-Tell Thursday