Email Tutorials - Herong's Tutorial Examples - v1.03, by Herong Yang
What Is SMTPS
This section provides a quick introduction to SMTPS (Simple Mail Transfer Protocol Secure) for message transmission. A sample SMTPS session of submitting an email message using the 'openssl s_client' command is included.
What Is SMTPS? - SMTPS (Simple Mail Transfer Protocol Secure) is a method to secure an SMTP communication by wrapping it in an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connection.
Running an SMTPS communication requires the email message agents on both sides of the communication to meet server authentication requirements defined by the PKI (Public Key Infrastructure) standard:
By default, an MSA (Mail Submission Agent) listens on port 465 for SMTPS connection requests. Here is a sample session of submitting an email message with SMTPS using "openssl s_client" as the MUA (Mail User Agent). The receiving MSA is a Postfix server.

    herong$ openssl s_client -connect 127.0.0.1:465
    CONNECTED(00000003)
    depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, ...
    verify error:num=18:self signed certificate
    verify return:1
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGGjCCBAKgAwIBAgICEAQwDQYJETAPBgNVBAoMCFRhcmdldFJ4MQswCQYDVQQL
    ...
    -----END CERTIFICATE-----
    ...
    SSL handshake has read 2589 bytes and written 441 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: F3A1B3CF00795C0F55ED00CBF3F3FB8A3D37B71C9A7CC877E9EB...
        Session-ID-ctx:
        Master-Key: 4ECD153D2688864C9D24FC2720E7E0A05F64EA0FB1FCD15F4501...
        Key-Arg : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 7200 (seconds)
    ...
    220 mail.herongyang.com ESMTP Postfix
    ehlo 127.0.0.1
    250-mail.herongyang.com
    ...
    250 SMTPUTF8
    mail from: herong
    250 2.1.0 Ok
    rcpt to: herong
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    Hello encrypted world!
    .
    250 2.0.0 Ok: queued as D86E9266002D
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

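Note that "openssl s_client" actually failed to validate the server certificate. It reported "verify error:num=18:self signed certificate" and returned the "verify return:1" message, because I did not tell "openssl" to trust the self-signed server certificate. The session continued anyway, since "openssl s_client" does not abort on a verification error by default.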
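The trust decision behind error 18 can be reproduced offline. This is an added example, not part of the original tutorial: it shows the same certificate failing verification until it is supplied as a trusted PEM file, then the strict form of the s_client check. The function names, the temporary directory and the CN "mail.example.test" are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. The certificate is a
# constructed throwaway standing in for the server's self-signed one.

# make_selfsigned DIR: write DIR/key.pem and DIR/cert.pem (constructed).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# verify_code CERT [TRUSTED_PEM]: print the verification error number
# (0 = trusted, 18 = self-signed certificate that is not trusted).
verify_code() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    else
        # No error line: accept only an explicit OK from openssl.
        case "$out" in *": OK"*) echo 0 ;; *) echo unknown ;; esac
    fi
}

# strict_smtps_check HOST:PORT TRUSTED_PEM: TLS handshake with the MSA,
# trusting TRUSTED_PEM and aborting on a verification error instead of
# continuing. Returns openssl's exit status (0 = verified handshake).
# For the session above: strict_smtps_check 127.0.0.1:465 server-cert.pem
# where server-cert.pem (assumed name) holds the server's certificate.
strict_smtps_check() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) && make_selfsigned "$dir" || return 1
    echo "without -CAfile: error $(verify_code "$dir/cert.pem")"
    echo "with -CAfile:    error $(verify_code "$dir/cert.pem" "$dir/cert.pem")"
    rm -rf "$dir"
}
demo
```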
The SMTPS method can also support client authentication to ensure that only authorized clients can connect to the server.