From: W. Trevor King Date: Wed, 16 Nov 2011 00:45:14 +0000 (-0500) Subject: Add SMTP post. X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=193ecfd8697783eb8d723d161112f469e01145bd;p=blog.git Add SMTP post. --- diff --git a/posts/SMTP.mdwn b/posts/SMTP.mdwn new file mode 100644 index 0000000..12f5732 --- /dev/null +++ b/posts/SMTP.mdwn @@ -0,0 +1,138 @@ +Verizon blocks outgoing connections on port 25 ([SMTP][]) unless you +are connecting to their `outgoing.verizon.net` message exchange +server. This server requires authentication with your Verzon +username/password before it will accept your mail. For the purpose of +this example, our Verizon username is `jdoe`, our Verizon password is +`YOURPASS`, and were sending email from `me@example.com` to +`you@target.edu`. + + $ nc outgoing.verizon.net 25 + 220 vms173003pub.verizon.net -- Server ESMTP (...) + mail from: + 550 5.7.1 Authentication Required + quit + 221 2.3.0 Bye received. Goodbye. + +Because authenticating over an unencrypted connection is a Bad Idea™, +I was looking for an encrypted way to send my outgoing email. +Unfortunately, Verizon's exchange server does not support [STARTTLS][] +for encrypting connections to `outgoing.verizon.net:25`: + + $ nc outgoing.verizon.net 25 + 220 vms173003pub.verizon.net -- Server ESMTP (...) + ehlo example.com + 250-vms173003pub.verizon.net + 250-8BITMIME + 250-PIPELINING + 250-CHUNKING + 250-DSN + 250-ENHANCEDSTATUSCODES + 250-HELP + 250-XLOOP E9B7EB199A9B52CF7D936A4DD3199D6F + 250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5 + 250-AUTH=LOGIN PLAIN + 250-ETRN + 250-NO-SOLICITING + 250 SIZE 20971520 + starttls + 533 5.7.1 STARTTLS command is not enabled. + quit + 221 2.3.0 Bye received. Goodbye. + +Verizon [recommends][verizon] pre-STARTTLS approach of wrapping the +whole SMTP connection in TLS ([SMTPS][]), which it provides via +`outgoing.verizon.net:465`: + + $ python -c 'from base64 import *; print b64encode("\0jdoe@verizon.net\0YOURPASS")' + AGpkb2VAdmVyaXpvbi5uZXQAWU9VUlBBU1M= + $ openssl s_client -connect outgoing.verizon.net:465 + ... + 220 vms173013pub.verizon.net -- Server ESMTP (...) + ehlo example.com + 250-vms173013pub.verizon.net + 250-8BITMIME + 250-PIPELINING + 250-CHUNKING + 250-DSN + 250-ENHANCEDSTATUSCODES + 250-HELP + 250-XLOOP 9380A5843FE933CF9BD037667F4C950D + 250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5 + 250-AUTH=LOGIN PLAIN + 250-ETRN + 250-NO-SOLICITING + 250 SIZE 20971520 + auth plain AGpkb2VAdmVyaXpvbi5uZXQAWU9VUlBBU1M + 235 2.7.0 plain authentication successful. + mail from: + 250 2.5.0 Address Ok. + rcpt to: + 250 2.1.5 you@target.edu OK. + data + 354 Enter mail, end with a single ".". + From: Me + To: You + Subject: testing + + hello world + . + 250 2.5.0 Ok, envelope id 4BHMFEZ7PHSETMT6@vms173013.mailsrvcs.net + quit + 221 2.3.0 Bye received. Goodbye. + closed + +This works, but with the rise of STARTTLS, getting your local +[[Postfix]] mail server to support SMTPS requires a bit of +[fancyness][] with [[stunnel]]. The stunnel workaround is not too +complicated, but I also wanted to look into the [submission][] +protocol (port 587), which adapts SMTP (designed for message transfer) +into a similar protocol for message submission. Unfortunately, +Verizon does not support STARTTLS here either. + + $ nc outgoing.verizon.net 587 + 220 vms173005.mailsrvcs.net -- Server ESMTP (...) + ehlo example.com + 250-vms173005.mailsrvcs.net + 250-8BITMIME + 250-PIPELINING + 250-CHUNKING + 250-DSN + 250-ENHANCEDSTATUSCODES + 250-EXPN + 250-HELP + 250-XADR + 250-XSTA + 250-XCIR + 250-XGEN + 250-XLOOP DA941C5B31BE4B102BB69B809BC66C4A + 250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5 + 250-AUTH=LOGIN PLAIN + 250-NO-SOLICITING + 250 SIZE 20971520 + starttls + 533 5.7.1 STARTTLS command is not enabled. + quit + 221 2.3.0 Bye received. Goodbye. + +In conclusion, Verizon supports a number of email submission +standards, but the only secure approach is to use the outdated SMTPS. +See my [[Postfix]] post for details on configuring Postfix to use +Verizon's server for outgoing mail. + +There are a number of good SMTP authentication tutorials out there. I +used [John Simpson][JS] and [Erwin Hoffmann's][EH] tutorials. For +cleaner examples of my testing tools (`nc` and `openssl s_client`), +see my [[simple_servers]] post. + +[SMTP]: http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol +[STARTTLS]: http://en.wikipedia.org/wiki/STARTTLS +[verizon]: http://www22.verizon.com/residentialhelp/fiosinternet/email/setup+and+use/questionsone/86782.htm +[SMTPS]: http://en.wikipedia.org/wiki/SMTPS +[fancyness]: http://www.postfix.org/TLS_README.html#client_smtps +[submission]: http://tools.ietf.org/html/rfc4409 +[JS]: http://qmail.jms1.net/test-auth.shtml +[EH]: http://www.fehcom.de/qmail/smtpauth.html + +[[!tag tags/linux]] +[[!tag tags/tools]] +[[!tag tags/web]]