I've installed sSMTP on Ubuntu 10.04 via:
    sudo apt-get install ssmtp

My configuration file is:

    #
    # Config file for sSMTP sendmail
    #
    # The person who gets all mail for userids < 1000
    # Make this empty to disable rewriting.
    root=someone@somedomain.com

    # The place where the mail goes. The actual machine name is required no
    # MX records are consulted. Commonly mailhosts are named mail.domain.com
    mailhub=smtp.gmail.com:587

    # Where will the mail seem to come from?
    #rewriteDomain=

    # The full hostname
    hostname=somedomain.com

    # Are users allowed to set their own From: address?
    # YES - Allow the user to specify their own From: address
    # NO - Use the system generated From: address
    #FromLineOverride=YES

    authuser=someone@somedomain.com
    authpass=****
    usestarttls=yes
Am I transmitting my credentials in clear text? Is calling ssmtp a secure operation?
Thanks.
-
Besides setting UseStartTLS you should also set UseTLS to yes. See ssmtp.conf(5).

You could also check whether ssmtp is using an encrypted connection by sniffing the traffic with wireshark or tcpdump.

From joschi
-
Mail submission to smtp.gmail.com:587 will fail if STARTTLS is not issued:

    [palantir]-[/var/tmp]-[528] % nc smtp.gmail.com 587                [2:16]
    220 mx.google.com ESMTP b3sm14232728ibf.7
    EHLO domain.com
    250-mx.google.com at your service, [67.167.112.165]
    250-SIZE 35651584
    250-8BITMIME
    250-STARTTLS
    250 ENHANCEDSTATUSCODES
    MAIL
    530 5.7.0 Must issue a STARTTLS command first. b3sm14232728ibf.7
    STARTTLS
    220 2.0.0 Ready to start TLS

For this use case, your credentials must be transmitted over TLS to be transmitted at all, so they are not being sent in the clear. Note however that while this is common behavior, this is not the required behavior -- it is quite possible that a server doesn't require TLS on the submission port, and also possible to similarly misconfigure your client.

As joschi mentioned, you can make sure it is encrypted with any tool that can capture packets off the wire, and I'd like to add tcpflow as a suggestion as well for that.

SevenCentral : Would you say this is the best option for sending emails through a web site via something like PHP? As opposed to setting up a mail server. I'm just looking for something simple, with minimum security risk.

serverninja : Sure, that will work. If you choose to send directly through your code / own mailserver at some point, see http://www.codinghorror.com/blog/2010/04/so-youd-like-to-send-some-email-through-code.html as well.

From serverninja
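The caveat in serverninja's answer (a submission port that does not insist on TLS) can be checked from the EHLO reply alone. The following is an added example, not part of the original posts: the function names and the mail.example.test replies are constructed for illustration, and only the first reply is copied from the transcript above.

```python
import smtplib

def parse_ehlo(reply: str) -> set:
    """Return the ESMTP keywords (upper-cased) from a raw multi-line 250 reply."""
    lines = [l.strip() for l in reply.splitlines() if l.strip().startswith("250")]
    keywords = set()
    for line in lines[1:]:                      # first 250 line is the server greeting
        word = line[4:].split(" ", 1)[0]        # drop the "250-" / "250 " prefix
        keywords.add(word.split("=", 1)[0].upper())   # legacy "AUTH=LOGIN" form
    return keywords

def assess(keywords: set) -> str:
    """Classify what the server offers on the connection before TLS starts."""
    if "STARTTLS" not in keywords:
        return "no-starttls"                    # nothing to upgrade to on this port
    if "AUTH" in keywords:
        return "auth-offered-before-tls"        # a misconfigured client could log in unencrypted
    return "auth-not-advertised-before-tls"     # what the transcript above shows

def probe(host: str, port: int = 587) -> str:
    """Live check against a relay you use: sends EHLO only, never credentials."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        return assess({k.upper() for k in s.esmtp_features})

# EHLO reply lines copied from the transcript on this page
GMAIL_587 = """250-mx.google.com at your service, [67.167.112.165]
250-SIZE 35651584
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

# Constructed replies for a hypothetical relay (mail.example.test)
LAX_RELAY = "250-mail.example.test\n250-STARTTLS\n250 AUTH PLAIN LOGIN"
PLAIN_RELAY = "250-mail.example.test\n250-SIZE 1000000\n250 AUTH=LOGIN PLAIN"

if __name__ == "__main__":
    samples = [("gmail:587", GMAIL_587), ("lax", LAX_RELAY), ("plain", PLAIN_RELAY)]
    for name, reply in samples:
        print(name, assess(parse_ehlo(reply)))
```

A result other than auth-not-advertised-before-tls means the client configuration is the only thing keeping the password off the wire in clear text, so the TLS settings in ssmtp.conf deserve a packet-capture check as suggested above.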