Is connection to SMTP server secure? - ssl

I would like to be sure on a point about connection to an SMTP server.
If I am using SSL to connect to an SMTP server, are my password and username encrypted when connecting to the SMTP server?
Thank you for your help
Cheers

They should be. Either your server should require the entire SMTP session to be SSL, or, after the initial connection, your SMTP session will switch to SSL.
I've never known an SMTP server that required SSL that didn't encrypt the creds.

Related

Issue while trying to configure outgoing mail server

I tried setting up the outgoing server with the following credentials:
SMTP Server: smtp.office365.com, SMTP Port: 25, Connection Security: TLS (STARTTLS), Username: ***, Password: ***
The test connection is successful, but my outgoing mail fails with the following message:
Mail delivery failed via SMTP server 'smtp.office365.com'.
SMTPDataError: 554
5.2.252 SendAsDenied
Any clue will be helpful.
Try to set the right configuration for the outgoing SMTP server based on Google's guides:
"The outgoing SMTP server, smtp.gmail.com, supports TLS. If your client begins with plain text, before issuing the STARTTLS command, use port 465 (for SSL), or port 587 (for TLS)."

filezilla can't connect to vsftpd with TLS, but does work with unencrypted connection

I set up my server on CentOS 7.
From the client side (not localhost), I can connect and transfer files to the server with an unencrypted connection but can't connect with TLS.
This is my vsftpd.conf:
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
rsa_cert_file=/home/user/server/sync.crt
rsa_private_key_file=/home/user/server/sync.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_address=1.1.1.1
and FileZilla's error code:
Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
425 Failed to establish connection.
How do I solve this problem?
This kind of error typically happens when a data connection cannot be created to transfer files or directory listings. Such data connections are done using dynamic ports, where in case of PASV the port to use is announced by the server within the response to the PASV command.
Firewalls often employ helpers to scan the traffic and look for such responses announcing which port the client should use - and then temporarily allowing such access. In case of plain FTP without encryption the firewall can see the response and determine the port to open - then it works. But, in case of FTPS the control connection is encrypted and therefore the firewall only sees encrypted communication and cannot determine the port to open - then it fails.
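To make the answer concrete, here is an added example (not code from the question or the answer) that decodes a 227 PASV reply the way a firewall's FTP helper would, checks it against the passive settings from the vsftpd.conf above, and derives the static firewall rules that replace the helper once the control channel is encrypted. The conf lines are copied from the question; firewalld (firewall-cmd) is assumed to be the firewall on the CentOS 7 host, and the 227 replies in the test are constructed.

```python
import re

# Constructed copy of the passive-mode lines from the vsftpd.conf in the question.
VSFTPD_CONF = """\
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_address=1.1.1.1
"""

def parse_conf(text: str) -> dict:
    """Parse vsftpd's key=value format, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def pasv_endpoint(reply: str) -> tuple:
    """Decode a 227 reply into (ip, port): six numbers a1,a2,a3,a4,p1,p2 with the
    data port p1*256 + p2. This is what a firewall's FTP helper reads off the control
    channel, and what it can no longer read once that channel is wrapped in TLS."""
    m = re.search(r"227.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a1, a2, a3, a4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (a1, a2, a3, a4), p1 * 256 + p2

def check_pasv(conf: dict, reply: str) -> list:
    """Findings that would make the client's data connection time out."""
    ip, port = pasv_endpoint(reply)
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    problems = []
    if not lo <= port <= hi:
        problems.append("port %d outside pasv range %d-%d" % (port, lo, hi))
    if conf.get("pasv_address") and ip != conf["pasv_address"]:
        problems.append("announced %s but pasv_address is %s" % (ip, conf["pasv_address"]))
    return problems

def firewalld_rules(conf: dict) -> list:
    """firewall-cmd invocations that open statically what the helper can no longer
    open on demand: the control port and the whole passive range."""
    return [
        "firewall-cmd --permanent --add-port=21/tcp",
        "firewall-cmd --permanent --add-port=%s-%s/tcp" % (conf["pasv_min_port"], conf["pasv_max_port"]),
        "firewall-cmd --reload",
    ]
```

The same range must of course be reachable on any firewall between the client and the server, not only on the host itself.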

KEYCLOAK Test Connection doesn't work "Error! Failed to send email"

I am trying to use the Forgot Password function for my Keycloak authentication. So I have already set On for the Forgot Password in the Login section. And I have tried to set up the configurations under Realm Email.
In the email tab I entered
host smtp.gmail.com
smtp port 465
username ***#gmail.com
SSL enabled
Authentication - enabled with username and password
But when I'm testing the connection, I keep getting the error "Error! Failed to send email".
Any help would be highly appreciated. Thank you.
You need to provide your email address as the Keycloak administrator's email address, and turn on "Allow less secure apps" on the Google account settings page.
https://support.google.com/accounts/answer/6010255?hl=en
If it succeeds, you can see the SMTP test message from Keycloak in your mailbox.
Here you have used the wrong port when enabling SSL:
If SSL is enabled ---> port should be 456
If StartTLS is enabled ---> port should be 587

Authentication with STARTTLS and SSL/TLS

As far as I understood, both encrypt the connection. However, SSL/TLS "forces" the mail client to encrypt the channel from the beginning. Now let's say I telnet mail.server 25 and, after the EHLO, I am presented with STARTTLS as an authentication option that the server allows me (the mail client) to use. If I choose STARTTLS, does it mean that I can authenticate myself (mail client) against the server (using my digital certificate)? Why and how?
I am doing as follows but I don't understand where the client authentication part comes in:
telnet some.mail.server 25
ehlo some.mail.server
...
250-STARTTLS
...
STARTTLS
mail from: guy
rcpt to: otherGuy
data
someting
.
quit
Shouldn't I be sending the client certificate to the server? I tried this using openssl s_client -starttls smtp which actually provides a -cert and -key options to specify the certificate and private key.
So, in fact, the only disadvantage of SSL/TLS compared to STARTTLS is that since the connection is immediately encrypted, there is no way for the client to send its certificate on the same port. Only the server can send its certificate. Correct? A lot of confusion in my head... Please clarify this for me.
Both direct TLS mode and TLS upgrade using STARTTLS can use client certificates.
The only difference between these modes is that with STARTTLS you start with a plain connection and later upgrade if the server announces support for STARTTLS. A man in the middle could strip this announcement (similar to sslstrip) and thus prevent the upgrade to TLS. This is actually used in practice, see https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks.
Unfortunately MX records, which are used to announce which servers are responsible for the mail transfer, can only announce hosts and no ports and in this case the default port 25 will be used with the plain SMTP protocol. Thus you can only get TLS by using the STARTTLS command.
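The threads above on whether credentials are encrypted over SSL, on which port goes with which mode (465 for implicit TLS, 587 or 25 for STARTTLS), and on STARTTLS being strippable by a man in the middle all reduce to one client rule: never send AUTH before TLS is up. Added example, not code from any of the posts: a Python client that uses implicit TLS on 465, upgrades with STARTTLS on any other port, refuses to authenticate when STARTTLS is missing from EHLO, and presents a client certificate in either mode. The EHLO replies are constructed; host, user, password and client_cert are placeholders.

```python
import re
import smtplib
import ssl

IMPLICIT_TLS_PORT = 465  # SMTPS: TLS from the first byte; on 587 (or 25) EHLO comes first, then STARTTLS
# Constructed EHLO replies: as the server sends it, and as a downgrade attacker would leave it.
EHLO_OK = b"250-mail.example.test Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = EHLO_OK.replace(b"250-STARTTLS\r\n", b"")

def parse_ehlo(reply: bytes) -> set:
    """Return the extension keywords a multi-line 250 EHLO reply advertises."""
    caps = set()
    # The first 250 line carries the server name and greeting, not an extension.
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps

def tls_plan(port: int, ehlo_reply: bytes) -> str:
    """Decide how AUTH can be protected: 'implicit', 'starttls' or 'refuse'.
    'refuse' means STARTTLS is absent from EHLO: either the server cannot do TLS
    or a man in the middle stripped the keyword, and sending AUTH in the clear
    is wrong in both cases."""
    if port == IMPLICIT_TLS_PORT:
        return "implicit"
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "starttls"
    return "refuse"

def authenticated_session(host, port, user, password, client_cert=None):
    """Open an SMTP session that only ever sends AUTH over TLS. client_cert is an
    optional (certfile, keyfile) pair presented in the TLS handshake; that is how
    client-certificate authentication works in SMTPS and STARTTLS mode alike."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    if port == IMPLICIT_TLS_PORT:
        smtp = smtplib.SMTP_SSL(host, port, context=ctx)
    else:
        smtp = smtplib.SMTP(host, port)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            smtp.quit()
            raise RuntimeError("STARTTLS not offered: refusing to send AUTH in the clear")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the upgrade; AUTH often appears only now
    assert isinstance(smtp.sock, ssl.SSLSocket)  # never AUTH on a plain socket
    smtp.login(user, password)
    return smtp
```

The refusal branch is the defence against the EFF-documented downgrade: a client that silently continues without STARTTLS would hand the credentials to whoever stripped the keyword.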

Establish DDP connection over SSL to Meteor app

When a Meteor client uses DDP.connect() to connect to a DDP server, it's sent in plaintext. How can we establish SSL encrypted DDP connections?
Meteor relies on SockJS; according to the SockJS README: "From SockJS' point of view there is nothing special about SSL/HTTPS. Connecting between unencrypted and encrypted sites should work just fine."
My code:
var connection = DDP.connect("ws://127.0.0.1:3000");
If you switch from ws to wss (WebSocket Secure), SSL will be used if the host supports it. On my localhost I don't have SSL installed, and it doesn't fall back to 'ws'; you have to code that manually if you want it.