[clue-tech] secure mail

Nate Duehr nate at natetech.com
Tue Jan 10 11:09:52 MST 2006


Jason S. Friedman wrote:
> I host a mailserver (Postfix) from home for my own use.  I
> set up Squirrelmail and I connect via https from the
> office.  Therefore, it seems that my password is secure,
> as well as the content of the messages as they pass from
> home to office and from office to home.  If I send mail it
> passes securely from my browser to home, and then
> insecurely over port 25 to Qwest and beyond.

Makes sense.

> I'm wanting to use Thunderbird as a mail client instead of
> Squirrelmail.  I want my password to be encrypted as it
> passes from the office to home.  I don't really care if
> the contents of my mail are encrypted.  I set up imaps
> (port 993), and configured Thunderbird to connect via
> imaps, and that seems to be working.  I can log in and
> retrieve my mail.

Good start.

> My question is about sending mail from the office.  Again,
> I want my password encrypted and I don't care about the
> content of the mail being encrypted.  I'm having a hard
> time envisioning what's going on under-the-hood.  I'm not
> running an open relay, so my SMTP server requires the
> connecting party to be someone on the local LAN.  SMTP
> (port 25) does not require a password, but would my
> password be sent over in the clear anyway?  After sending
> mail the message gets written to a Sent folder, and a
> password would be required for that, I think?

You can set up most MTAs to do TLS or SSL encryption and also require 
authentication in order to be able to send mail through them... thus, 
you're not running an open relay, but you can still relay/deliver mail 
through them from anywhere, as long as your MUA sends username and 
password information.  Thunderbird supports this, no problem at all.

Additionally, many networks block port 25 outbound and require you to go 
through their outbound servers.  There are a number of ways around this, 
including using non-standard ports.  RFC 2476 lists port 587 as a mail 
"submission" port.  I used this port number and haven't found 
any networks that are blocking it outbound yet... so I just use it for 
my laptop from "other" networks outside my own.  No problems getting to 
that port on my mailserver from any hotels, work network, or cellular 
carriers, so far.

I set up both SMTP-Auth and TLS on the server (which is running exim 4), 
to protect the traffic leaving whatever network I'm on, at least until 
it hits the mail server, as you mention.  Makes it harder for prying 
eyes to see what the traffic is... however using the standard port 
number will give them a clue if they decided to dig that far into it, or 
my machine was somehow causing some kind of trouble.

I've also seen people put their mail server submission port on 443 or 
similar so it would be highly unlikely that someone would block it 
outbound... as long as there's no HTTPS services on the mail server.  If 
your Squirrelmail/Apache/SSL are running on the same machine as the 
mail server, that wouldn't be a good option.  ;-)

Nate
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech
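The exchange Nate describes (connect to the submission port, STARTTLS, then SMTP-AUTH) and the answer to Jason's "would my password be sent over in the clear anyway?" question, as an added example that is not part of either post. It shows that AUTH PLAIN is only base64, so anyone on the path can read the password unless TLS is already up, and it shows a client that refuses to send credentials until STARTTLS has succeeded. The host name, user name, password and the two EHLO replies are constructed for the example; the server behaviour (AUTH advertised only after STARTTLS) is an assumption about how a submission server is commonly configured, not something either poster stated.

```python
"""Added example, not code from the list thread.

Demonstrates the submission-port client side of SMTP-AUTH over TLS:
parse the EHLO reply, only authenticate once TLS is active, and show
why that matters (AUTH PLAIN is base64, not encryption).
"""
import base64
import smtplib
import ssl

# Constructed EHLO replies (hypothetical server mail.example.net).
# Before STARTTLS the server offers STARTTLS but no AUTH ...
EHLO_BEFORE_TLS = (b"250-mail.example.net\r\n"
                   b"250-STARTTLS\r\n"
                   b"250-SIZE 10240000\r\n"
                   b"250 8BITMIME\r\n")
# ... and after STARTTLS it re-advertises, now with AUTH.
EHLO_AFTER_TLS = (b"250-mail.example.net\r\n"
                  b"250-AUTH PLAIN LOGIN\r\n"
                  b"250-SIZE 10240000\r\n"
                  b"250 8BITMIME\r\n")


def parse_ehlo(reply):
    """Return {EXTENSION: params} from a multi-line 250 EHLO reply."""
    exts = {}
    lines = reply.decode("ascii").split("\r\n")
    for line in lines[1:]:          # line 0 is the server's greeting
        if not line:
            continue
        body = line[4:]             # strip the "250-" / "250 " prefix
        keyword, _, params = body.partition(" ")
        exts[keyword.upper()] = params
    return exts


def auth_plain_token(user, password, authzid=""):
    """RFC 4616 AUTH PLAIN: authzid NUL authcid NUL password, base64."""
    raw = "{}\0{}\0{}".format(authzid, user, password).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """What a sniffer does with an AUTH PLAIN token seen without TLS."""
    authzid, user, password = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, user, password


def may_authenticate(ehlo_exts, tls_active):
    """Send credentials only when TLS is up and the server offers AUTH."""
    return tls_active and "AUTH" in ehlo_exts


def submit(host, port, user, password, sender, rcpt, message):
    """Real submission: EHLO, STARTTLS with certificate verification,
    EHLO again, AUTH, then send.  Needs a live server; not run offline."""
    ctx = ssl.create_default_context()      # verifies the server cert
    with smtplib.SMTP(host, port, timeout=30) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError("no STARTTLS offered; refusing to send password")
        s.starttls(context=ctx)
        s.ehlo()                            # extensions change after TLS
        if not s.has_extn("auth"):
            raise RuntimeError("no AUTH offered after STARTTLS")
        s.login(user, password)
        s.sendmail(sender, [rcpt], message)


if __name__ == "__main__":
    token = auth_plain_token("jason", "s3cret")
    print("AUTH PLAIN token on the wire:", token)
    print("recovered by anyone watching :", decode_auth_plain(token))
    print("auth before TLS allowed?", may_authenticate(parse_ehlo(EHLO_BEFORE_TLS), False))
    print("auth after TLS allowed? ", may_authenticate(parse_ehlo(EHLO_AFTER_TLS), True))
```

The second EHLO after STARTTLS is not optional: the extension list the server advertised in the clear is discarded by the TLS handshake, and a server that only offers AUTH inside TLS (the usual hardening) will reject AUTH otherwise. Using port 587 with this client is what makes it work from hotel or office networks that block outbound 25.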