Fix descriptions of smtps vs smtp+tls in smtpd.conf.5

Fix descriptions of smtps vs smtp+tls in smtpd.conf.5

trondd-2
Unless I'm confused, it seems the descriptions of the smarthosts smtps and
smtp+tls are reversed in the smtpd.conf man page.

My log seemed to back this up.  When using smtp+tls, which the man page said
uses STARTTLS but seems to actually use TLS which my ISP does not:

Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connecting address=smtp+tls://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connected
Oct 21 21:43:59 ember smtpd[41596]: ca9dba5e7f80e6ca mta error reason=Connection closed unexpectedly


And with smtps, which the man page said uses TLS, logs show STARTTLS:

Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connecting address=smtps://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connected
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Oct 21 22:02:06 ember smtpd[66745]: smtp-out: Server certificate verification succeeded on session a9193b70dbc40df0


A diff to swap the descriptions and reorder to group STARTTLS and TLS smarthosts
together.

Tim.


Index: smtpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.206
diff -u -p -r1.206 smtpd.conf.5
--- smtpd.conf.5 8 Oct 2018 06:10:17 -0000 1.206
+++ smtpd.conf.5 22 Oct 2018 23:52:25 -0000
@@ -244,14 +244,14 @@ The following protocols are available:
 .It smtp
 Normal SMTP session with opportunistic STARTTLS
 (the default).
-.It smtp+tls
+.It smtps
 Normal SMTP session with mandatory STARTTLS.
+.It smtp+tls
+SMTP session with forced TLS on connection.
 .It smtp+notls
 Plain text SMTP session without TLS.
 .It lmtp
 LMTP session.
-.It smtps
-SMTP session with forced TLS on connection.
 .El
 .Pp
 The
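Review bot: the description swap in this hunk inverts two definitions that are correct as they stand: `smtps` is TLS from the moment the connection opens (implicit TLS, which is what port 465 expects), and `smtp+tls` is a plaintext session upgraded with the STARTTLS extension, which is exactly what the original `.It smtp+tls` / `Normal SMTP session with mandatory STARTTLS.` lines say. The logs quoted above support the existing text rather than the swap: the `smtps://...:465` session completes its handshake, while the `smtp+tls://...:465` session is closed by the peer before any TLS, and the `mta starttls` line is logged whenever the TLS channel comes up, whichever way it was started. Suggest dropping the description changes; if the reorder that groups the STARTTLS variants together is still wanted, submit it on its own with the descriptions unchanged.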

Re: Fix descriptions of smtps vs smtp+tls in smtpd.conf.5

Gilles Chehade-7
On Mon, Oct 22, 2018 at 08:37:25PM -0400, trondd wrote:
> Unless I'm confused, it seems the descriptions of the smarthosts smtps and
> smtp+tls are reversed in the smtpd.conf man page.
>

You are confused ;-)


> My log seemed to back this up.  When using smtp+tls, which the man page said
> uses STARTTLS but seems to actually use TLS which my ISP does not:
>
> Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connecting address=smtp+tls://68.87.20.6:465 host=omta-ch2.sys.comcast.net
> Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connected
> Oct 21 21:43:59 ember smtpd[41596]: ca9dba5e7f80e6ca mta error reason=Connection closed unexpectedly
>

You are mistaking smtps and smtp+tls:

In an smtps session, the TLS negotiation takes place during the connection so
client and server are already in a secure channel when the SMTP session gets
started.

In a smtp+tls session, the TLS negotiation takes place after the session has
started in plaintext through the use of the STARTTLS SMTP extension.

In your example here, you are using smtp+tls on a host that expects smtps so
the TLS negotiation can't play out and you're kicked out.


> And with smtps, which the man page said uses TLS, logs show STARTTLS:
>
> Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connecting address=smtps://68.87.20.6:465 host=omta-ch2.sys.comcast.net
> Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connected
> Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
> Oct 21 22:02:06 ember smtpd[66745]: smtp-out: Server certificate verification succeeded on session a9193b70dbc40df0
>

TLS and STARTTLS are essentially the same as far as you're concerned.

smtpd will _always_ display a 'starttls' log line when the TLS channel starts,
disregarding if TLS was started at connect time (smtps) or within the protocol
(smtp+tls, or even smtp since it does opportunistic tls).

The only issue here is that you attempted to connect in plaintext then upgrade
a session on a host that didn't speak plaintext and expected sessions to speak
TLS from the start.

--
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
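A defender-side check of the two points made above, added here as an example and not part of the thread or of OpenSMTPD: it correlates the mta log lines quoted in the thread by session id, treats the `starttls` line as "TLS channel up" whatever the scheme was, and flags an `smtp+tls://` attempt to port 465 (the implicit-TLS port) that died before TLS as a probable scheme mismatch. The field layout of the log lines is assumed to match the quoted ones.

```python
import re

# Sample log lines copied from the thread: two mta sessions to the same host:port.
SAMPLE_LOG = """\
Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connecting address=smtp+tls://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connected
Oct 21 21:43:59 ember smtpd[41596]: ca9dba5e7f80e6ca mta error reason=Connection closed unexpectedly
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connecting address=smtps://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connected
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Oct 21 22:02:06 ember smtpd[66745]: smtp-out: Server certificate verification succeeded on session a9193b70dbc40df0
""".splitlines()

# Field layout assumed to match the quoted OpenSMTPD output: "<sid> mta <event> ...".
CONNECTING_RE = re.compile(r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta connecting "
                           r"address=(?P<proto>[a-z+]+)://[^:]+:(?P<port>\d+) host=\S+")
EVENT_RE = re.compile(r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta (?P<event>starttls|error)(?P<rest>.*)")
IMPLICIT_TLS_PORT = 465  # RFC 8314 "submissions": TLS is negotiated before any SMTP talk

def analyze(lines):
    """Correlate mta log lines by session id and return {sid: verdict}."""
    sessions = {}
    for line in lines:
        m = CONNECTING_RE.search(line)
        if m:
            sessions[m["sid"]] = {"proto": m["proto"], "port": int(m["port"]), "tls": False, "error": None}
            continue
        m = EVENT_RE.search(line)
        if not m or m["sid"] not in sessions:
            continue  # "connected", the smtp-out certificate line, etc.
        s = sessions[m["sid"]]
        if m["event"] == "starttls":
            s["tls"] = True  # emitted once the channel is up, for smtps and smtp+tls alike
        else:
            s["error"] = m["rest"].strip()
    verdicts = {}
    for sid, s in sessions.items():
        if s["tls"]:
            verdicts[sid] = "ok: TLS channel established via %s://" % s["proto"]
        elif s["proto"] == "smtp+tls" and s["port"] == IMPLICIT_TLS_PORT and s["error"]:
            verdicts[sid] = "mismatch: STARTTLS attempted on implicit-TLS port 465; use smtps://"
        elif s["error"]:
            verdicts[sid] = "failed before TLS: " + s["error"]
        else:
            verdicts[sid] = "no TLS observed"
    return verdicts
```

Run `analyze()` over the relevant slice of `/var/log/maillog` to confirm which scheme a smarthost actually accepts before editing smtpd.conf.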

Re: Fix descriptions of smtps vs smtp+tls in smtpd.conf.5

Raf Czlonka-2
On Thu, Oct 25, 2018 at 07:11:47AM BST, Gilles Chehade wrote:
>
> smtpd will _always_ display a 'starttls' log line when the TLS channel starts,
> disregarding if TLS was started at connect time (smtps) or within the protocol
> (smtp+tls, or even smtp since it does opportunistic tls).
>

I guess this is the confusing bit - seeing 'starttls' in the log
file and thinking 'STARTTLS', i.e. the "TLS upgrade".

R.

Re: Fix descriptions of smtps vs smtp+tls in smtpd.conf.5

Gilles Chehade-7
On Thu, Oct 25, 2018 at 07:24:33AM +0100, Raf Czlonka wrote:

> On Thu, Oct 25, 2018 at 07:11:47AM BST, Gilles Chehade wrote:
> >
> > smtpd will _always_ display a 'starttls' log line when the TLS channel starts,
> > disregarding if TLS was started at connect time (smtps) or within the protocol
> > (smtp+tls, or even smtp since it does opportunistic tls).
> >
>
> I guess this is the confusing bit - seeing 'starttls' in the log
> file and thinking 'STARTTLS', i.e. the "TLS upgrade".
>

yes, maybe it should just display 'tls' instead of 'starttls'


--
Gilles Chehade

https://www.poolp.org                                          @poolpOrg

Re: Fix descriptions of smtps vs smtp+tls in smtpd.conf.5

trondd-2
In reply to this post by Raf Czlonka-2
On Thu, October 25, 2018 2:24 am, Raf Czlonka wrote:

> On Thu, Oct 25, 2018 at 07:11:47AM BST, Gilles Chehade wrote:
>>
>> smtpd will _always_ display a 'starttls' log line when the TLS channel
>> starts,
>> disregarding if TLS was started at connect time (smtps) or within the
>> protocol
>> (smtp+tls, or even smtp since it does opportunistic tls).
>>
>
> I guess this is the confusing bit - seeing 'starttls' in the log
> file and thinking 'STARTTLS', i.e. the "TLS upgrade".
>
> R.
>

Yes, I mistakenly assumed that where it didn't log "starttls" it wasn't
using STARTTLS and therefore using TLS and where it did log "starttls"
meant it was using STARTTLS.  Silly me. :P

Unfortunately I also didn't know which my ISP was actually using since
before, with secure:// it would try both and always sent mail.  I should
have figured out what I was dealing with first.