Summary: This document provides best practices on Secure Sockets Layer (SSL) with UTORmail for LAN Administrators.
The reasoning here is that standards are going in the direction of using the same port for TLS as for non-TLS instead of allocating an additional port for every protocol in existence. Initially, ports were allocated for TLS/SSL versions of LDAP (636), HTTP (443), NNTP (563), FTP data (989), FTP control (990), TELNET (992), IMAP (993), IRC (994), POP3 (995), and of course SMTP (465). The current preferred method for using SSL/TLS over most of these protocols is to use the STARTTLS command when supported. In fact, port 465 is no longer allocated for SMTP/SSL in the official IANA port list.
No Change for Some Users
Customers using the UTORwebmail (webmail.utoronto.ca) service already send mail securely, so no change is needed.
Many Will Need to Reconfigure Desktop E-Mail Programs
People who use desktop e-mail clients will need to configure those clients to use the authenticated SMTP server and to use authentication. This means changing the SMTP server (sometimes referred to as "outgoing mail server") address in their mail client and specifying the type of authentication to be used for sending mail.
Some Users May Be Asked to Authenticate When They Send Mail
This depends on the e-mail program they use. Many people won't notice any difference in how their mail is sent.
A Benefit for Those Whose ISPs Block Port 25
Some ISPs block Port 25. This means that some people need one SMTP setting on campus and a different one from home when they connect using their ISP. Because configuration for our authenticated SMTP service can usually be set to use a different port, people will be able to use one setting for both on-campus and off-campus connections. (That is, as long as the ISPs don't make other changes in the future.) This varies by mail client; there may be exceptions.
A Benefit for Laptop Users
Authenticated SMTP makes e-mail easier for people with laptops who send mail over different Internet connections. A number of ISPs (Internet Service Providers) block the port typically used to send unauthenticated mail. As a result, many people must use different SMTP settings at home or when traveling than the ones they use on campus. Authenticated SMTP uses a different port for sending mail, so people using authenticated SMTP do not need to change their settings when they travel or use a different ISP.
General Configuration Values

| E-mail Client | Configuration | IMAP | POP | SMTP |
|---|---|---|---|---|
| Thunderbird 1.5-2.x (Mac & Windows) | Port | 993 | 995 | 587 |
| | SSL Setting | SSL | SSL | Require STARTTLS |
| Outlook Express | Port | 993 | 995 | 465 |
| | SSL Setting | SSL | SSL | SSL |
| Outlook 2003 | Port | 993 | 995 | 465 |
| | SSL Setting | SSL | SSL | SSL |
| Eudora 6.2.1.2 (Windows) | Port | 993 | 995 | 587 |
| | SSL Setting | SSL | SSL | Require STARTTLS |
| Mac OS X Mail.app | Port | 993 | 995 | 587 |
| | SSL Setting | SSL | SSL | STARTTLS |
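
As an added example (not part of the original UTORmail documentation), the Python below shows what the table's "SSL" (port 465) and "Require STARTTLS" (port 587) SMTP settings mean for a client: credentials are sent only once TLS is active, and the connection is dropped when the server does not advertise STARTTLS. The function names `next_step` and `open_submission` and the capability sets are constructed for illustration; the SMTP host name is supplied by the caller because the page does not give it.

```python
import smtplib
import ssl

def next_step(port, features, tls_active):
    """Return the only safe command after EHLO: STARTTLS, AUTH or ABORT.

    `features` holds the ESMTP keywords the server advertised
    (smtplib exposes them as the keys of SMTP.esmtp_features).
    """
    feats = {f.lower() for f in features}
    if not tls_active:
        # Port 465 is TLS from the first byte, so cleartext there is an error.
        # Elsewhere "Require STARTTLS" means no fallback if the keyword is absent.
        return "STARTTLS" if port != 465 and "starttls" in feats else "ABORT"
    return "AUTH" if "auth" in feats else "ABORT"

def open_submission(host, port, user, password, timeout=10):
    """Connect with the table's port/SSL pairing and log in only over TLS."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    if port == 465:                     # "SSL": TLS handshake before any SMTP
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:                               # "Require STARTTLS": upgrade in-band
        conn = smtplib.SMTP(host, port, timeout=timeout)
        conn.ehlo()
        if next_step(port, conn.esmtp_features, tls_active=False) != "STARTTLS":
            conn.close()
            raise smtplib.SMTPNotSupportedError("STARTTLS not offered; nothing sent")
        conn.starttls(context=ctx)
    conn.ehlo()                         # capabilities are re-read once TLS is up
    if next_step(port, conn.esmtp_features, tls_active=True) != "AUTH":
        conn.close()
        raise smtplib.SMTPNotSupportedError("AUTH not offered over TLS")
    conn.login(user, password)
    return conn

# Constructed capability sets (not captured from a real server).
BEFORE_TLS = {"SIZE", "STARTTLS", "8BITMIME"}
NO_STARTTLS = {"SIZE", "8BITMIME", "AUTH"}   # AUTH offered without any TLS upgrade
AFTER_TLS = {"SIZE", "8BITMIME", "AUTH"}

if __name__ == "__main__":
    print("587, normal EHLO:     ", next_step(587, BEFORE_TLS, tls_active=False))
    print("587, STARTTLS missing:", next_step(587, NO_STARTTLS, tls_active=False))
    print("587, EHLO after TLS:  ", next_step(587, AFTER_TLS, tls_active=True))
    print("465, TLS not active:  ", next_step(465, AFTER_TLS, tls_active=False))
```

A client set to plain "STARTTLS" rather than "Require STARTTLS" may be configured to continue without encryption in the second case; the strict behaviour above is the one to prefer wherever the mail program offers it.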