STARTTLS Require TLS?



  • Does pfSense email notifications require TLS when the Enable STARTTLS option is selected?  Or will it fall back to plain text?

    e.g.
    "STRIPTLS attacks can be blocked by configuring SMTP clients to require TLS for outgoing connections (for example, the Exim Message transfer agent can require TLS via the directive "hosts_require_tls" [12])."
    https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations


  • Rebel Alliance Developer Netgate

    From looking at the code in /etc/inc/smtp.inc on 2.3.2, it appears to fail in various ways if it is configured for start_tls but it cannot be negotiated (e.g. server doesn't support it, client doesn't support it, etc). Looks reasonably safe.



  • Thanks Jim,

    That corresponds with what I see in actual tests too.


    /etc/postfix-msa/master.cf: smtpd_tls_security_level=none

    pfSense E-Mail Notifications:
    Port: 587, Enable STARTTLS: No,  SMTP testing e-mail successfully sent
    Port: 587, Enable STARTTLS: Yes, Could not send the message to xxxxx@xxxxx.com – Error: server does not support starting TLS


    /etc/postfix-msa/master.cf: smtpd_tls_security_level=may

    pfSense E-Mail Notifications:
    Port: 587, Enable STARTTLS: No,  SMTP testing e-mail successfully sent
    Port: 587, Enable STARTTLS: Yes, SMTP testing e-mail successfully sent


    /etc/postfix-msa/master.cf: smtpd_tls_security_level=encrypt

    pfSense E-Mail Notifications:
    Port: 587, Enable STARTTLS: No,  Could not send the message to xxxxx@xxxxx.com -- Error: server does not require authentication, it probably requires starting TLS
    Port: 587, Enable STARTTLS: Yes, SMTP testing e-mail successfully sent


    This would seem to indicate that pfSense version 2.3.2 requires TLS, rather than falling back to plain text mode, when the E-Mail Notification option to "Enable STARTTLS" is selected.
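The behaviour in the table above, and the STRIPTLS point raised in the original question, can be exercised with a small in-memory model. This is an added example, not code from pfSense's smtp.inc or from Postfix: the server class is a constructed stand-in whose replies depend on a Postfix-style smtpd_tls_security_level, and the client mirrors the observed pfSense semantics (with "Enable STARTTLS" on, TLS is mandatory; with it off, the session stays in plaintext).

```python
class FakeSubmissionServer:
    """Port-587 stand-in driven by a Postfix-style smtpd_tls_security_level.
    Constructed for this example; it is not Postfix."""

    def __init__(self, tls_level, stripped=False):
        self.tls_level = tls_level    # "none", "may" or "encrypt"
        self.stripped = stripped      # on-path attacker deleted STARTTLS from EHLO
        self.tls_active = False

    def ehlo(self):
        caps = ["250-mail.example.test"]
        if self.tls_level != "none" and not self.stripped and not self.tls_active:
            caps.append("250-STARTTLS")
        caps.append("250 8BITMIME")
        return caps

    def starttls(self):
        if self.tls_level == "none" or self.stripped:
            return "502 5.5.1 Error: command not implemented"
        self.tls_active = True
        return "220 2.0.0 Ready to start TLS"

    def mail_from(self):
        # smtpd_tls_security_level=encrypt refuses mail until TLS is up
        if self.tls_level == "encrypt" and not self.tls_active:
            return "530 5.7.0 Must issue a STARTTLS command first"
        return "250 2.1.0 Ok"


def parse_caps(ehlo_lines):
    """Keywords from an EHLO reply, skipping the greeting line."""
    return {line[4:].split()[0].upper() for line in ehlo_lines[1:]}


def send_notification(server, enable_starttls):
    """One notification attempt; returns a short outcome string.
    enable_starttls=True models the 'Enable STARTTLS' checkbox: TLS is
    mandatory and a missing STARTTLS is a hard error, never a fallback."""
    caps = parse_caps(server.ehlo())
    if enable_starttls:
        if "STARTTLS" not in caps or not server.starttls().startswith("220"):
            return "error: server does not support starting TLS"
        parse_caps(server.ehlo())  # RFC 3207: re-issue EHLO inside the TLS session
    if not server.mail_from().startswith("250"):
        return "error: server requires starting TLS"
    return "sent over TLS" if server.tls_active else "sent in plaintext"


def run_matrix():
    """Reproduce the six test cases above plus a STRIPTLS downgrade attempt."""
    results = {}
    for level in ("none", "may", "encrypt"):
        for enabled in (False, True):
            results[(level, enabled)] = send_notification(FakeSubmissionServer(level), enabled)
    for enabled in (False, True):
        results[("may+striptls", enabled)] = send_notification(
            FakeSubmissionServer("may", stripped=True), enabled)
    return results
```

The two "may+striptls" rows are the part the tests above do not cover: with STARTTLS enabled the stripped EHLO produces the same hard error as a server with no TLS at all, so the downgrade is blocked rather than silently accepted.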

