Do most SMTP servers support SSL? [closed]

ssl smtp

Solution 1:

Many SMTP servers out there do support opportunistic TLS, but it's not going to really cover your needs well.

  • It's often with self-signed certificates,
  • you'll run into many domains you're unable to deliver mail to if you won't speak to relays without TLS, and
  • you have no control over what a relay does with the message once you send it on its first hop - that relay can just turn around and send it somewhere else in plaintext.

Instead, you should be looking at an end-to-end encryption solution like PGP or S/MIME, or something more user friendly like an HTTPS portal where they can read a message (after being notified of the message via plaintext SMTP).

Solution 2:

Yes, most modern Mail Submission/Transfer Agents (MSA, MTA) support encrypted connections via SSL/TLS and STARTTLS, including Exim, Postfix and Sendmail. Since you are concentrating on sending rather than receiving, it would be relatively easy to set up - you wouldn't have to obtain or generate a security certificate. However, there is no guarantee that the MSA of the recipient will support encryption, and you may encounter self-signed certificates which would need to be installed on the sending server.

Email is not generally a secure messaging platform, and you may be better served with a different solution such as that suggested by Shane Madden.

Solution 3:

I don't disagree with anything that's been said so far, but I thought I'd add my 2p-worth, and some data. SSL/TLS, like all security features, is designed to protect against a threat. Whether or not it's a good protection depends on the nature of the feature, and of the threat model.

If your threat model includes attack by a server administrator, then no amount of SSL on the wire will save you; end-to-end encryption is needed. If your threat model is limited to random snoopers, then unauthenticated SSL will help; but if your threat model includes snooping by well-equipped adversaries, then man-in-the-middle attacks become a problem, and authentication will also be needed.

If you don't have a threat model, no amount of security will help. You need to know what you're trying to protect, and against whom, before you can decide what security you need.

Just to offer some data on the ubiquity of encryption, I went and looked at a reasonably characteristic week on my mail server.

It tried to make 4411 outgoing connections during that week. 1392 were to servers that didn't offer encryption. 3019 were to servers that did; of those, 838 had certificates which could not be verified (either because they were unsigned, or because I don't trust the signer; I suspect the vast majority are the former). 2121 had certificates that logged as verified.

So by that breakdown, 32% of servers don't offer encryption, 19% do but have a self-signed certificate, and 48% had properly-signed certificates.

There are studies on the different brands of mail server out there on the internet. This one comes from Jan 2012, and suggests that both sendmail and Exchange are becoming equally unpopular. I honestly can't decide whether to laugh or cry.

Related

How do people manage their inventory of servers? [closed]
HP ML150 G6 upgrading RAM/CPU beyond specs?
w3wp.exe crash (rewrite.dll) IIS 7.5
Override SSH message when accessed via HTTP
can I use DNS with private NAT addresses?
Why don't mails show up in the recipient's mailspool?
I'm sending email via command line using linux accounts but it is adding @mail.hostname.com
Redirect with lighttpd and fastcgi on Django App
Nagios Server Unreachable
System wont boot from degraded RAID6
Shrinking or removing home partition in CentOS 7 installation [closed]
SMESERVER: Mail not receiving, 550 v=spf1 a -all