CONFIGURING


Securing SMTP sessions using the STARTTLS extension

SMTP sessions conducted over a standard TCP/IP channel are vulnerable to eavesdropping because the unencoded transmission can be easily intercepted. To protect SMTP communications, servers can use transport-layer security (TLS), more commonly known as TLS encryption, to provide privacy and authentication.

Some servers support TLS for SMTP communications by sending and receiving SMTP traffic through the TLS port (port 465 by default) only. However, because this requires that both the sending and receiving servers support SMTP over TLS, this solution isn't always practical.

To provide TLS security for SMTP transfers over TCP/IP, Domino® supports the use of negotiated TLS. In a negotiated TLS scheme, the sending and receiving hosts each use the SMTP STARTTLS extension, defined in RFC 2487, to signal their readiness to negotiate an TLS connection. The receiving server displays the STARTTLS keyword in response to the sending server's EHLO command. The sending server issues the STARTTLS command to request the creation of a secure connection. After the initial TLS handshake completes successfully, the two parties proceed to set up an TLS channel between them. Both the sending and receiving server must possess TLS certificates.

Supporting STARTTLS for outbound SMTP sessions

A Domino server configured to use negotiated TLS for outbound mail connects to the receiving server's SMTP TCP/IP port (port 25 by default). If the initial SMTP response from the receiving server indicates that it supports the STARTTLS extension, Domino issues the STARTTLS command to request the use of TLS to encrypt the rest of the session.

If the receiving server did not advertise support for STARTTLS in response to the Domino server's EHLO command, the sending Domino server continues with an unencrypted SMTP TCP/IP session.

To enable outbound STARTTLS support, set the SMTP outbound TCP/IP port status to:Negotiated TLS.

Supporting STARTTLS for inbound SMTP sessions

You can configure Domino to support the STARTTLS command for inbound SMTP transactions. When a Domino SMTP server is set to use negotiated TLS for inbound sessions, the server advertises support for STARTTLS in response to EHLO commands the TCP/IP port receives from connecting hosts. A connecting host can then issue the STARTTLS command to request an encrypted session.

If Domino is configured to require STARTTLS for SMTP sessions over TCP/IP and a connecting host cannot meet this demand, no mail is sent over the connection.

To enable inbound STARTTLS support:


Requiring name and password authentication for SMTP STARTTLS sessions

Enabling ESMTP support for negotiated TLS allows a server to accept requests to use TLS over TCP/IP from remote servers that connect anonymously. However, not all inbound connections are anonymous. A connecting SMTP server may be configured to send Domino a name and password by means of the ESMTP AUTH command.

To support connections from SMTP clients that send a name and password during a negotiated TLS session, set the value of the Name & password field for the SMTP inbound TLS port to Yes. You do not have to enable the TLS port. If the TLS port does not support name-and-password authentication, the Domino SMTP server rejects the AUTH command from the remote server and returns an error indicating that the command is not implemented.

Even though Domino receives the AUTH command over the TCP/IP port, Domino uses the TLS name-and-password authentication settings to determine whether to accept the AUTH request because it receives the command in the context of an TLS session. The Name & password authentication setting for the TCP/IP port is ignored.

Related concepts
Customizing SMTP Routing
TLS security

Related tasks
Changing outbound SMTP port settings
Enabling a server to receive mail sent over SMTP routing
Changing the inbound SMTP port settings
Supporting inbound SMTP extensions