DMail TLS Frequently Asked Questions

TLS (Transport Layer Security) is the same encryption protocol used by secure web pages, such as those of online stores and banking sites. TLS and its predecessor SSL (Secure Sockets Layer) are generally considered the most (if not the only) secure protocols for sending sensitive information across the Internet. When you use DMail with TLS and a client that supports it, you protect the security of your system and your users' privacy by ensuring that nobody can intercept passwords, user names or mail in transit.

TLS is a protocol from the IETF (Internet Engineering Task Force), and is based on SSL, which was developed by Netscape. It will eventually supersede SSL while remaining backward-compatible with SSL implementations.

  1. Does my version of DMail support TLS?
  2. How do I enable TLS support?
  3. How do I generate a Certification Authority Request to get a CA signed key?
  4. What mail clients can I use with TLS?
  5. Where can I get more information about TLS encrypted mail?

Does my version of DMail support TLS?

All versions of DMail after 3.0b support TLS, provided you are running on a version of Windows (NT, 2000, 9x). If you are unsure which version you are running, run the command 'tellpop status' and look at the results. For example, if you are running DMail 3.0c, you will see something like:

Tellpop 2.8z5
Error: Unknown ini file setting {log_channel_status} ignored
+OK 7
DPOP Version 3.0c port:110 started Jul 11 13:58:27

The output above indicates that you are running DPOP 3.0c.

How do I enable TLS support?

Provided you are running a version of DMail that supports TLS, you need to copy your certificate file (server.pem) into the DMail work directory and add one or more of the following settings to dmail.conf. Note that each setting takes a comma-separated list of IP addresses as its only parameter.

dpop_allow_ssl

Specifies the IP numbers from which users can initiate TLS connections to the POP server. For example, to allow POP via TLS for all users with the IP address 127.0.0.1 or any address beginning with 10.0.0, you would use:

dpop_allow_ssl 127.0.0.1,10.0.0.*

dpop_require_ssl

Specifies the IP numbers from which users are only allowed to connect to the POP server if they use encryption. For example, to require POP via TLS for all users with the IP address 127.0.0.1 or any address beginning with 10.0.0, you would use:

dpop_require_ssl 127.0.0.1,10.0.0.*

show_tls

Specifies the IP numbers from which users can initiate TLS connections to the SMTP server. For example, to allow SMTP via TLS for all users with the IP address 127.0.0.1 or any address beginning with 10.0.0, you would use:

show_tls 127.0.0.1,10.0.0.*

require_tls

Specifies the IP numbers from which users can only connect to the SMTP server if they initiate TLS. For example, to require SMTP via TLS for all users with the IP address 127.0.0.1 or any address beginning with 10.0.0, you would use:

require_tls 127.0.0.1,10.0.0.*

require_tls_out

Specifies the IP numbers of servers to which DSMTP will only connect using TLS. For example, to require TLS for outgoing SMTP to all servers with the IP address 127.0.0.1 or any address beginning with 10.0.0, you would use:

require_tls_out 127.0.0.1,10.0.0.*

require_tls_except

Specifies the IP numbers of servers that are exempt from the require_tls_out rules. For example, to exempt all servers with the IP address 127.0.0.1 or any address beginning with 10.0.0, you would use:

require_tls_except 127.0.0.1,10.0.0.*
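As an added example (not part of DMail or this FAQ), the following Python script reads the six settings above from a dmail.conf fragment and reports which TLS policy applies to a given peer address. The octet-wise wildcard matching, the precedence of the require lists over the allow lists, and the precedence of require_tls_except over require_tls_out are assumptions drawn from the descriptions above.

```python
# Added example, not DMail code. Assumed semantics: "10.0.0.*" matches any
# value in the wildcarded octet; a require_* list overrides the allow list;
# require_tls_except overrides require_tls_out; '#' starts a comment.
SAMPLE_CONF = """\
dpop_allow_ssl 127.0.0.1,10.0.0.*
dpop_require_ssl 10.0.0.*
show_tls 127.0.0.1,10.0.0.*
require_tls 10.0.0.*
require_tls_out 192.0.2.*
require_tls_except 192.0.2.25
"""  # constructed dmail.conf fragment used as sample input

TLS_SETTINGS = ("dpop_allow_ssl", "dpop_require_ssl", "show_tls",
                "require_tls", "require_tls_out", "require_tls_except")

def parse_conf(text):
    """Return {setting: [address pattern, ...]} for the TLS settings in dmail.conf."""
    rules = {name: [] for name in TLS_SETTINGS}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # drop comments, split key/value
        if len(parts) == 2 and parts[0].lower() in rules:
            rules[parts[0].lower()] += [p.strip() for p in parts[1].split(",") if p.strip()]
    return rules

def ip_matches(ip, pattern):
    """Octet-wise match; '*' in the pattern matches any value for that octet."""
    ip_parts, pat_parts = ip.split("."), pattern.split(".")
    return (len(ip_parts) == len(pat_parts) == 4 and
            all(p == "*" or p == o for o, p in zip(ip_parts, pat_parts)))

def in_list(ip, patterns):
    return any(ip_matches(ip, p) for p in patterns)

def inbound_policy(rules, client_ip, require_key, allow_key):
    """'required' if the peer must use TLS, 'allowed' if it may, else 'plaintext-only'."""
    if in_list(client_ip, rules[require_key]):
        return "required"
    if in_list(client_ip, rules[allow_key]):
        return "allowed"
    return "plaintext-only"

def pop_policy(rules, client_ip):          # DPOP: dpop_require_ssl / dpop_allow_ssl
    return inbound_policy(rules, client_ip, "dpop_require_ssl", "dpop_allow_ssl")

def smtp_in_policy(rules, client_ip):      # DSMTP inbound: require_tls / show_tls
    return inbound_policy(rules, client_ip, "require_tls", "show_tls")

def smtp_out_requires_tls(rules, server_ip):
    """DSMTP outbound: exempt servers are never forced to TLS; otherwise require_tls_out decides."""
    return (not in_list(server_ip, rules["require_tls_except"])
            and in_list(server_ip, rules["require_tls_out"]))
```

Running pop_policy(parse_conf(open("dmail.conf").read()), "10.0.0.7") against a real file shows at a glance whether a given client would still be able to send its password in the clear.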

How do I generate a Certification Authority Request to get a CA signed key?

DMail is distributed with a sample certificate. For stronger security you should consider obtaining your own server certificate, so that clients can be sure they are talking to your server and not to someone pretending to be your server.

A script is provided to help you obtain such a certificate. To use it to obtain a CA signed key, follow these steps:

  1. Open a DOS window.

  2. Change into the DMail directory (usually C:\DMAIL).

  3. Run the script by typing:

    make_ca.cmd

  4. Answer any questions the script asks.

  5. Once the script has finished running, you will have in your DMail directory two files, request.pem and privkey.pem. You then need to visit the site of a CA registrar, for example Verisign, and paste request.pem into their registration form.

  6. The registrar will then send you the signed key (certificate). Save it as server.pem, then append the contents of privkey.pem to the end of server.pem. Next, move the server.pem file into the DMail work directory (usually C:\DMAIL\WORK). You should be left with a server.pem that looks like this:

    -----BEGIN RSA PRIVATE KEY-----
    (base64-encoded private key omitted)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (base64-encoded certificate omitted)
    -----END CERTIFICATE-----

  7. Finally, stop and start DMail using the DMAdmin tool. You will then have a system capable of accepting encrypted connections.
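A merged server.pem that is missing a block, has a truncated paste, or carries a corrupt base64 payload will silently leave DMail without a usable certificate. The following Python check, added as an example and not part of DMail, verifies the layout described in step 6: one private key block and one certificate block, each with matching markers and a payload that decodes to a DER SEQUENCE. It accepts the two blocks in either order, since the sample above lists the key first. The PEM payloads in the sample string are constructed dummy bytes, not a real key or certificate.

```python
import base64
import re

# Added example, not DMail code. The payloads below are constructed dummy bytes
# (a DER SEQUENCE tag followed by filler), not a real key or certificate.
SAMPLE_SERVER_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.encodebytes(b"\x30\x82\x01\x00" + b"k" * 40).decode()
    + "-----END RSA PRIVATE KEY-----\n"
    + "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x82\x02\x00" + b"c" * 40).decode()
    + "-----END CERTIFICATE-----\n"
)

# One PEM block: matching BEGIN/END labels with the base64 body between them.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every well-formed block, in file order."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))
        blocks.append((m.group(1), base64.b64decode(body, validate=True)))
    return blocks

def check_server_pem(text):
    """Sanity-check a merged server.pem. Returns a list of problems; an empty
    list means: exactly one private key block and one certificate block, every
    BEGIN marker has a matching END, and each payload decodes to a DER SEQUENCE."""
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:            # binascii.Error is a ValueError subclass
        return ["base64 payload is corrupt: %s" % exc]
    problems = []
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("a PEM block is truncated or its END label does not match")
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected 1 private key block, found %d" % len(keys))
    if len(certs) != 1:
        problems.append("expected 1 certificate block, found %d" % len(certs))
    for label, der in blocks:
        if not der or der[0] != 0x30:    # 0x30 = ASN.1 SEQUENCE, first byte of any key or cert
            problems.append("%s block does not decode to a DER SEQUENCE" % label)
    return problems

if __name__ == "__main__":
    print(check_server_pem(SAMPLE_SERVER_PEM) or "server.pem layout looks right")
```

To check the real file, pass open(r"C:\DMAIL\WORK\server.pem").read() to check_server_pem instead of the sample string.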

What mail clients can I use with TLS?

You can use any mail client that supports TLS encryption using the STLS command. We have tested the following clients with encrypted mail from DMail, and have found them to work correctly:

Where can I get more information about TLS encrypted mail?

The following links are to resources you may find useful in studying the way in which TLS, and particularly TLS with POP / SMTP, works: