Question

Most mail clients that support SSL/TLS only require the user to say whether or not SSL should be enabled. The user doesn't have to know anything about Explicit & Implicit SSL and the differences between them.

So, how does the mail client determine which type of SSL to use? Is it based on default port numbers? Does it just try one and then the other?


Solution

A mail client must know if implicit SSL is in use when it connects, as it is responsible for initiating the SSL handshake with a ClientHello message. How it determines this is up to the client. Port numbers are a great hint, but there could also be a check box in some UI that forces it even when the standard (unprotected) port number is used.

There are IANA registered port numbers for secure mail, but some ISPs may use other ports.

  • IMAP/SSL: 993
  • POP3/SSL: 995

SMTP/SSL is often offered on port 465, but this is not registered, and is less common since support for explicit SSL is widely supported by SMTP agents.

Support for explicit SSL can be advertised by a server using a protocol-specific negotiation. For example, when a client connects to an SMTP server, and issues the EHLO command, the server will list its capabilities, which might include support for the STARTTLS command.

OTHER TIPS

Port 465 is very common among commercial mail servers and is used very often. Most often it is used for implicit SSL. When you telnet to this port you will get a timeout, since you must set up the SSL connection first before communicating with the mail server. Thus a timeout may be the first clue that you have an implicit SSL connection. You cannot use EHLO to return results because no connection other than an SSL connection is allowed. AND NO, you do not simply connect to an SMTP server running implicit SSL; it will not respond and will just drop the connection. That is what it is supposed to do. Explicit SSL will allow the connection first and then set up SSL. AND yes, implicit SSL is used often. The drawback is that the RFC standards are not specific as to how it is implemented, so different developers set it up in varying ways, even though implicit SSL is considered by some as deprecated.

I believe most clients that support SMTP over SSL start out with an unencrypted connection and issue an EHLO rather than HELO. The former has extra flag responses, one of which indicates whether the server supports the STARTTLS command or not. If they do, then the client can use STARTTLS, and then use SSL from that point on.

Example:

% telnet quack.kfu.com 25
220 quack.kfu.com ESMTP ready NO UCE
EHLO client
250-quack.kfu.com Hello client [xx.xx.xx.xx] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-ETRN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
starttls
220 2.0.0 Ready to start TLS
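The decision logic from the accepted answer (port hint plus a "force SSL" override) and the EHLO/STARTTLS exchange shown in the transcript above, combined into one added Python example. This is not code from any of the answers; it uses the standard-library smtplib and ssl modules, and the sample EHLO reply is constructed from the transcript. The host and port in the usage block are placeholders, and connect_smtp_tls() refuses to continue in plaintext when STARTTLS is not advertised, which is the safe default for a client that will send credentials.

```python
"""Added example (not from the original answers): how a mail client chooses
implicit vs explicit TLS for SMTP, and how it reads STARTTLS from an EHLO reply."""
import smtplib
import ssl

# Ports on which the server expects a TLS handshake before any protocol bytes.
# 993/995 are IANA-registered; 465 is the de facto (unregistered) SMTPS port.
IMPLICIT_TLS_PORTS = {465: "smtp", 993: "imap", 995: "pop3"}

# Constructed sample: the EHLO reply from the transcript above, as the client
# would see it on the wire (first line is the greeting, last line has no '-').
SAMPLE_EHLO_REPLY = """250-quack.kfu.com Hello client [xx.xx.xx.xx] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-ETRN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP"""


def tls_mode_for_port(port, force_implicit=False):
    """Return 'implicit' or 'explicit'.  A UI check box (force_implicit) overrides
    the port heuristic, as the accepted answer describes."""
    if force_implicit or port in IMPLICIT_TLS_PORTS:
        return "implicit"
    return "explicit"


def parse_ehlo(reply):
    """Parse a raw multi-line EHLO reply into {KEYWORD: [params, ...]}.
    Continuation lines are '250-...'; the final line is '250 ...'."""
    lines = reply.strip().splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO rejected or reply malformed: %r" % lines[:1])
    caps = {}
    for line in lines[1:]:  # lines[0] is the greeting ('250-host Hello ...')
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("unexpected EHLO reply line: %r" % line)
        fields = line[4:].split()
        if fields:
            caps[fields[0].upper()] = fields[1:]
    return caps


def supports_starttls(reply):
    """True if the server advertised the STARTTLS extension in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def connect_smtp_tls(host, port, force_implicit=False, timeout=10):
    """Open an SMTP session that is encrypted before any credentials are sent."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    if tls_mode_for_port(port, force_implicit) == "implicit":
        # Implicit: client sends ClientHello first; the 220 banner arrives over TLS.
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    # Explicit: plaintext banner and EHLO, then upgrade only if STARTTLS is offered.
    conn = smtplib.SMTP(host, port, timeout=timeout)
    conn.ehlo()
    if not conn.has_extn("starttls"):
        conn.quit()
        raise RuntimeError("%s:%d does not advertise STARTTLS; refusing plaintext"
                           % (host, port))
    conn.starttls(context=ctx)
    conn.ehlo()  # capabilities may differ after the upgrade; re-read them
    return conn


if __name__ == "__main__":
    # Offline part: show what the client learns from the transcript's EHLO reply.
    print("STARTTLS advertised:", supports_starttls(SAMPLE_EHLO_REPLY))
    print("mode for 465:", tls_mode_for_port(465), "| mode for 587:", tls_mode_for_port(587))
    # Network part (placeholder host/port): uncomment to try against a real server.
    # conn = connect_smtp_tls("mail.example.test", 587)
    # print(conn.noop()); conn.quit()
```

The parser is strict on purpose: a reply line that does not start with `250` followed by `-` or a space is treated as malformed rather than silently skipped, so an unexpected server response cannot be mistaken for "no STARTTLS". With implicit TLS there is nothing to parse before the handshake, which is why a plain telnet to port 465 shows no banner, as the tip above observes.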
Licensed under: CC-BY-SA with attribution