As we move towards a more secure internet (not just HTTP) I have noticed more people asking questions about secure mail protocols and how to test them.
This tutorial is about that, and I hope it helps.
You will need OpenSSL and Python; if you are using certbot you should already have both installed.
Protocols, Definitions
STARTTLS and Why It’s Significant
Testing TLS Connectivity with OpenSSL - GMAIL SMTP
Testing TLS Connectivity with OpenSSL - GMAIL IMAP / GMAIL POP
How To Talk Protocols - Once TLS Connectivity is established
PROTOCOL - much like a language. The three main protocols in use are POP, IMAP and SMTP: SMTP submits and relays mail, while POP and IMAP retrieve it from a mailbox. A comparison can be found here: http://www.contactgenie.info/understanding-email-protocols-pop-imap-mapi-eas/. We will focus on IMAP, POP and SMTP as they are easy to find and work with. MAPI and some of the others are vendor specific and require Exchange (or compatible) servers to test.
TRANSPORT - how we connect to and communicate with the server. Unlike HTTP, which only has a secure and a non-secure variant, the mail protocols have a third option. Below are the three ways we can talk to a mail server (using any of the above protocols):
A) IMPLICITLY secure - like HTTPS: the TLS handshake happens before any protocol traffic, so all communication is encrypted from the beginning (by convention ports 465, 993 and 995).
B) EXPLICITLY secure (STARTTLS) - the connection starts in plaintext on the normal port, and the client then asks the server to upgrade that same connection to TLS. The closest web comparison is a redirect from HTTP to HTTPS, but it is a very loose one: there is no second connection, and it is the client that requests the upgrade (the server can only refuse to do anything useful until it happens).
C) INSECURE - plaintext, essentially HTTP.
PORT - something we can connect to. A port can be reached using more than one TRANSPORT method and may speak more than one PROTOCOL. There are recommended port assignments for the mail protocols and these can be found here: https://www.siteground.com/tutorials/email/pop3-imap-smtp-ports.htm. Think of this like ports 80 and 443 for HTTP and HTTPS: a server can listen on other ports (3000 for a NodeJS dev server, say), but browsers expect 80 and 443 by default.
One of the things that catches out many people coming from the web world is the concept of STARTTLS.
If you are used to traffic being either secure or insecure, you may wonder how a single connection can be a mix of both, and why you would want that. Both questions are explained in the fastmail link above, so I am not going to worry about the theory here.
Let’s do some testing.
Having a look at Google's SMTP service we can see port 25 is open. Google is pretty good about security, so we might assume it won't let anyone talk to it over an insecure connection.
That doesn't seem to be the case: we get a session and can type commands into it.
Now let's see what happens when we use the AUTH LOGIN command (one of the ways SMTP logs you in).
The error message says we need to run the STARTTLS command first (which we then do).
If you sit idle for a while you will get disconnected.
The key takeaway: we can connect insecurely, but we are limited in what we can do until we tell the server to start using TLS. The server never forces the upgrade; the client has to ask for it, and a well-configured server refuses sensitive commands such as AUTH until it has happened.
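The same plaintext exchange, driven from Python instead of typed by hand. This is an added example and not the page's own script; the server replies it replays are constructed transcripts (the strict one is modelled on the 530 refusal described above, the lax one on a server that would accept a plaintext login), and tester.example, smtp.example.test and mail.example.test are placeholder names. probe_smtp_starttls runs the same exchange against a real port 25 and then upgrades the TCP connection to TLS, which is what the -starttls smtp option of openssl s_client automates.

```python
import io
import socket
import ssl


def read_smtp_reply(rfile):
    """Read one SMTP reply, joining '250-...' continuation lines; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":      # "250 text" (space) is the last line
            return int(line[:3]), lines


def send(wfile, command):
    wfile.write((command + "\r\n").encode())
    wfile.flush()


def negotiate_starttls(rfile, wfile, helo="tester.example"):
    """Plaintext phase of an SMTP session: EHLO, a deliberate AUTH LOGIN attempt
    *before* STARTTLS, then STARTTLS. Returns what the server allowed."""
    result = {}
    code, _ = read_smtp_reply(rfile)             # 220 greeting
    if code != 220:
        raise RuntimeError(f"unexpected greeting {code}")
    send(wfile, f"EHLO {helo}")
    code, extensions = read_smtp_reply(rfile)
    result["starttls_advertised"] = any(e.upper().startswith("STARTTLS") for e in extensions)
    send(wfile, "AUTH LOGIN")                    # a strict server refuses this on plaintext
    code, _ = read_smtp_reply(rfile)
    result["plaintext_auth_code"] = code
    result["plaintext_auth_allowed"] = code == 334
    if code == 334:                              # server asked for a username: cancel (RFC 4954 "*")
        send(wfile, "*")
        read_smtp_reply(rfile)
    send(wfile, "STARTTLS")
    code, _ = read_smtp_reply(rfile)
    result["starttls_ready"] = code == 220
    return result


def probe_smtp_starttls(host, port=25):
    """Run the exchange against a real server, then upgrade the same TCP connection."""
    with socket.create_connection((host, port), timeout=10) as sock:
        result = negotiate_starttls(sock.makefile("rb"), sock.makefile("wb"))
        if result["starttls_ready"]:
            tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            result["tls_version"], result["cipher"] = tls.version(), tls.cipher()[0]
            rfile, wfile = tls.makefile("rb"), tls.makefile("wb")
            send(wfile, "EHLO tester.example")   # RFC 3207: session state resets after STARTTLS
            result["tls_extensions"] = read_smtp_reply(rfile)[1]
            send(wfile, "QUIT")
            tls.close()
    return result


# Constructed server transcripts (not captures): one reply per client command, in order.
STRICT_SERVER = (b"220 smtp.example.test ESMTP ready\r\n"
                 b"250-smtp.example.test at your service\r\n"
                 b"250-SIZE 35882577\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 SMTPUTF8\r\n"
                 b"530 5.7.0 Must issue a STARTTLS command first\r\n"
                 b"220 2.0.0 Ready to start TLS\r\n")

LAX_SERVER = (b"220 mail.example.test ESMTP\r\n"
              b"250-mail.example.test\r\n"
              b"250-STARTTLS\r\n"
              b"250 AUTH LOGIN PLAIN\r\n"
              b"334 VXNlcm5hbWU6\r\n"            # base64 "Username:": it would take the password in the clear
              b"501 Authentication cancelled\r\n"
              b"220 Ready to start TLS\r\n")


def replay(transcript):
    """Drive negotiate_starttls over an in-memory transcript; return (result, bytes the client sent)."""
    wfile = io.BytesIO()
    result = negotiate_starttls(io.BytesIO(transcript), wfile)
    return result, wfile.getvalue()


if __name__ == "__main__":
    for name, transcript in (("strict", STRICT_SERVER), ("lax", LAX_SERVER)):
        print(name, replay(transcript)[0])
```

The thing to look at in the result is plaintext_auth_allowed: a 334 before STARTTLS means the server would have accepted credentials over the wire in the clear, which is the misconfiguration this whole section is about.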
Testing TLS Connectivity with OpenSSL - GMAIL SMTP
NOTE: for now, as long as we get a prompt we consider the connection to have passed (we are only checking TRANSPORT, not doing any PROTOCOL testing).
Port 465 is designated as SMTPS (SMTP over SSL/TLS) and we should be able to connect without any STARTTLS negotiation. The same rule applies: a prompt means the transport test passed.
The second message is the response to the STARTTLS command (not all servers give the same response).
The third is the peer certificate returned (so self-signed certificates can be spotted).
The fourth is the domains in the certificate (check for hostname mismatches and the like).
The fifth is the cipher suite, so we can see which cipher the server chose.
The next part is an attempt to log in using each protocol's own method. NOTE: the method varies per protocol, which is why the encoded strings are printed out.
NOTE ALSO: the script uses changeme@gmail.com and changeme as defaults. If you change these to real credentials, DO NOT post the output of the last part: base64 is an encoding, not encryption, and the password can be read straight back out of it.
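The checks behind the third, fourth and fifth messages and the login strings, as an added example that is not the page's script. check_cert works on the dictionary Python's ssl module returns from getpeercert() (it is only populated when the chain verified, so a self-signed or mismatched certificate shows up as the verify error instead), and login_commands produces the per-protocol login strings so you can see exactly how thin the base64 in SMTP AUTH is. SAMPLE_CERT is a constructed dictionary in getpeercert() format and smtp.example.test / mail.example.test are placeholder names; probe_implicit_tls is the live version for the implicit-TLS ports (465, 993, 995).

```python
import base64
import socket
import ssl


def san_matches(pattern, hostname):
    """Match one DNS name from the certificate against the host we connected to:
    exact match, or a single '*.' wildcard covering exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def check_cert(cert, hostname):
    """Summarise a getpeercert() dict: which DNS names it carries, whether one of
    them covers the hostname, and whether it looks self-signed (issuer == subject)."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    return {
        "dns_names": dns_names,
        "hostname_ok": any(san_matches(name, hostname) for name in dns_names),
        "self_signed": subject == issuer,
        "not_after": cert.get("notAfter"),
    }


def b64(text):
    return base64.b64encode(text.encode()).decode()


def login_commands(user, password):
    """The login exchange each protocol expects. Only SMTP encodes anything, and
    that is plain base64, so none of this is safe to send before TLS is up."""
    return {
        "smtp_auth_login": ["AUTH LOGIN", b64(user), b64(password)],
        "smtp_auth_plain": "AUTH PLAIN " + b64("\0" + user + "\0" + password),
        # IMAP quoted strings: a password containing '"' or '\' needs escaping (or a literal)
        "imap_login": f'a1 LOGIN "{user}" "{password}"',
        "pop3_user_pass": [f"USER {user}", f"PASS {password}"],
    }


def probe_implicit_tls(host, port):
    """TLS from the first byte (465/993/995): verify, then report cert and cipher.
    On a verification failure, reconnect unverified only to read the cipher and
    greeting for the report; never reuse that context for real traffic."""
    ctx = ssl.create_default_context()
    report = {"host": host, "port": port}
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["verified"] = True
                report.update(check_cert(tls.getpeercert(), host))
                report["tls_version"], report["cipher"] = tls.version(), tls.cipher()[0]
                report["greeting"] = tls.recv(512).decode("utf-8", "replace").strip()
    except ssl.SSLCertVerificationError as err:
        report["verified"], report["verify_error"] = False, err.verify_message
        ctx.check_hostname = False               # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["tls_version"], report["cipher"] = tls.version(), tls.cipher()[0]
                report["greeting"] = tls.recv(512).decode("utf-8", "replace").strip()
    return report


# Constructed certificate dictionary (not a real capture) in getpeercert() format.
SAMPLE_CERT = {
    "subject": ((("commonName", "smtp.example.test"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "smtp.example.test"), ("DNS", "*.mail.example.test")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "smtp.example.test"))
    print(login_commands("changeme@gmail.com", "changeme"))
```

The wildcard rule in san_matches is deliberately strict (one label only): a certificate for *.mail.example.test does not cover a.b.mail.example.test, which is the mismatch that the "domains in the certificate" line is there to catch.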