Postfix/TLS - Introduction

Postfix/TLS is an extension of the Postfix [POSTFIX] MTA software to support the TLS protocol.

A note about the start of the project

When I started writing this software, I had a sophisticated way to allow relaying for roaming users in mind. In the meantime, this project is living on its own.

RFC2246: The TLS (former SSL) protocol

By default, all communication on the Internet is done without encryption and without strong authentication. That means that anybody with physical access to the communication line along which a network packet travels can eavesdrop on your communication. Even worse, it may be possible to redirect or alter your communication, so that information you want to send to a party can be lost or changed without your noticing.

In order to solve these security issues, the SSL protocol (Secure Sockets Layer) was introduced by Netscape, Inc.; it has since evolved into the standardised TLS protocol (Transport Layer Security), RFC2246. It offers both encryption of the communication (stopping eavesdropping) and strong authentication (making sure that both parties of a communication are correctly identified and that the communication cannot be altered).

Postfix/TLS does not implement the TLS protocol itself; it uses the OpenSSL package [OPENSSL] for this task. At the OpenSSL WWW site you can also find links to in-depth documentation of the protocol and its features, so it is not necessary to include them here. (And, of course, there is no point in rewriting what other people have already written down; it just introduces additional errors.)

RFC2487: Introducing TLS to SMTP

The integration of the TLS protocol into Internet mail, SMTP (Simple Mail Transfer Protocol), is described in RFC2487.

Unlike the first incarnations of SSL as a wrapper around normal network communication [STUNNEL] [JONAMA], the TLS protocol is now completely integrated into ESMTP: during the startup negotiation (EHLO) the server offers TLS support by advertising the STARTTLS feature. The client can then send the STARTTLS command to perform the TLS handshake (including authentication of the peer) and switch to encrypted communication.
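The following is an added example, not code from Postfix/TLS or from this document, that models the RFC2487 exchange described above as a toy client and server: the client parses the EHLO reply, sends STARTTLS only if the server advertised it, and issues a fresh EHLO afterwards, because the server must forget everything it learned before the handshake and must not advertise STARTTLS again once TLS is active. No real TLS handshake takes place; the OpenSSL part is modelled as a flag, and the hostnames, class names and the "503" reply chosen for a repeated STARTTLS are assumptions made for the example.

```python
# Toy model of the RFC 2487 STARTTLS negotiation (added example, not Postfix/TLS code).
# The TLS handshake itself, which Postfix/TLS delegates to OpenSSL, is modelled as a flag.

def parse_ehlo_response(lines):
    """Parse a multi-line EHLO reply into (code, set of capability keywords).

    Reply lines look like '250-keyword' for all but the last line and
    '250 keyword' for the last one. The first line carries the server's
    domain name, which is not a capability, so it is skipped.
    """
    if not lines:
        raise ValueError("empty reply")
    code = lines[0][:3]
    keywords = set()
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != code or line[3] not in "- ":
            raise ValueError("malformed EHLO reply line: %r" % line)
        keywords.add(line[4:].split()[0].upper())  # 'SIZE 10240000' -> 'SIZE'
    if lines[-1][3:4] != " ":
        raise ValueError("EHLO reply not terminated by a '250 ' line")
    return code, keywords


class ToyServer:
    """Server side: advertises STARTTLS only while the session is still in cleartext."""

    def __init__(self, hostname="mail.example.test", offer_tls=True):  # constructed hostname
        self.hostname = hostname
        self.offer_tls = offer_tls
        self.tls_active = False
        self.ehlo_seen = False  # reset to False by STARTTLS (RFC 2487 section 5.2)

    def handle(self, command):
        if not command.strip():
            return ["500 Command unrecognized"]
        verb = command.split(None, 1)[0].upper()
        if verb == "EHLO":
            self.ehlo_seen = True
            reply = ["250-" + self.hostname]
            if self.offer_tls and not self.tls_active:  # never advertised after the handshake
                reply.append("250-STARTTLS")
            reply.append("250 HELP")
            return reply
        if verb == "STARTTLS":
            if self.tls_active:
                return ["503 TLS already active"]  # assumed reply; a client MUST NOT do this
            if not self.offer_tls:
                return ["454 TLS not available due to temporary reason"]
            self.tls_active = True      # the OpenSSL handshake would run here
            self.ehlo_seen = False      # server MUST discard what it learned before TLS
            return ["220 Ready to start TLS"]
        if verb == "MAIL":
            if not self.ehlo_seen:
                return ["503 Bad sequence of commands"]
            return ["250 OK"]
        return ["500 Command unrecognized"]


def negotiate(server, client_name="client.example.test", require_tls=True):
    """Client side: EHLO, STARTTLS if offered, then a new EHLO on the encrypted channel.

    Returns a dict with the final state and a transcript of both sides' lines.
    With require_tls=True the client refuses to go on when STARTTLS is not offered,
    which is the policy a defender wants against a stripped or downgraded session.
    """
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append(("C", cmd))
        transcript.extend(("S", line) for line in reply)
        return reply

    _, caps = parse_ehlo_response(send("EHLO " + client_name))
    if "STARTTLS" not in caps:
        error = "server did not offer STARTTLS" if require_tls else None
        return {"tls": False, "error": error, "caps": caps, "transcript": transcript}
    reply = send("STARTTLS")
    if not reply[0].startswith("220"):
        return {"tls": False, "error": reply[0], "caps": caps, "transcript": transcript}
    # Handshake completes here; the client MUST start over with a fresh EHLO.
    _, caps = parse_ehlo_response(send("EHLO " + client_name))
    return {"tls": True, "error": None, "caps": caps, "transcript": transcript}


if __name__ == "__main__":
    result = negotiate(ToyServer())
    for side, line in result["transcript"]:
        print(side + ":", line)
```

Running the block prints the transcript of a successful negotiation; the second EHLO reply no longer lists STARTTLS, and a MAIL command sent between STARTTLS and that second EHLO is rejected with a 503, which is the behaviour RFC2487 requires of the server.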

Postfix/TLS: what can it do for you

The list of features presented here should be understood as a list of ideas. Not all of them are implemented yet; please see the notes on each feature.

Postfix/TLS: what it cannot do for you

There is one thing that I explicitly want to point out:

Support by Mail User Agents

The following MUAs are known to work with RFC2487:

Other OpenSource packages

As of version sendmail-8.11, sendmail includes RFC2487 support [SENDMAIL].

Frederik Vermeulen has written an RFC2487 extension [QMAILTLS] for the Qmail [QMAIL] MTA.

Matti Aarnio has integrated RFC2487 into ZMailer [ZMAILER].

Michal Trojnara is currently integrating basic SMTP support into his stunnel software, starting with stunnel-3.3 [STUNNEL].

Trey Childs is also working on a "wrapper" solution [SMTPS].

Commercial implementations

The commercial version of sendmail includes RFC2487 support [SENDMAIL.INC].

Netscape Enterprise Server and Microsoft Exchange Server offer RFC2487 functionality.

The CommunigatePro mailserver software also supports RFC2487 [COMMUNIGATE].