STARTTLS Require TLS?
-
Do pfSense email notifications require TLS when the Enable STARTTLS option is selected, or will they fall back to plain text?
e.g.
"STRIPTLS attacks can be blocked by configuring SMTP clients to require TLS for outgoing connections (for example, the Exim Message transfer agent can require TLS via the directive "hosts_require_tls" [12])."
https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations
-
From looking at the code in /etc/inc/smtp.inc on 2.3.2, it appears to fail in various ways if it is configured for start_tls but it cannot be negotiated (e.g. server doesn't support it, client doesn't support it, etc.). Looks reasonably safe.
-
Thanks Jim,
That corresponds with what I see in actual tests too.
/etc/postfix-msa/master.cf: smtpd_tls_security_level=none
pfSense E-Mail Notifications:
    Port: 587, Enable STARTTLS: No  -> SMTP testing e-mail successfully sent
    Port: 587, Enable STARTTLS: Yes -> Could not send the message to xxxxx@xxxxx.com – Error: server does not support starting TLS
/etc/postfix-msa/master.cf: smtpd_tls_security_level=may
pfSense E-Mail Notifications:
    Port: 587, Enable STARTTLS: No  -> SMTP testing e-mail successfully sent
    Port: 587, Enable STARTTLS: Yes -> SMTP testing e-mail successfully sent
/etc/postfix-msa/master.cf: smtpd_tls_security_level=encrypt
pfSense E-Mail Notifications:
    Port: 587, Enable STARTTLS: No  -> Could not send the message to xxxxx@xxxxx.com -- Error: server does not require authentication, it probably requires starting TLS
    Port: 587, Enable STARTTLS: Yes -> SMTP testing e-mail successfully sent
This would seem to indicate that pfSense version 2.3.2 requires TLS, rather than falling back to plain text mode, when the E-Mail Notification option to "Enable STARTTLS" is selected.
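The six test cases above, modelled as the decision a submission client makes after EHLO. This is an added example, not pfSense's smtp.inc or Postfix code; the capability lists are constructed approximations of what a Postfix MSA advertises at each smtpd_tls_security_level (assumption: with "encrypt", AUTH is only offered inside TLS), and the "opportunistic" flag is a hypothetical knob showing the fallback behaviour a STRIPTLS downgrade depends on.

```python
"""Model of a submission client's STARTTLS decision after EHLO (added example)."""

# Constructed EHLO capability lists per Postfix smtpd_tls_security_level:
# (capabilities before STARTTLS, capabilities after STARTTLS or None).
# Note: a "may" response with STARTTLS stripped by an on-path downgrade looks
# identical to "none" from the client's side, which is why a strict client
# must error instead of falling back.
SERVERS = {
    "none":    (["SIZE 10240000", "AUTH PLAIN LOGIN", "8BITMIME"], None),
    "may":     (["SIZE 10240000", "STARTTLS", "AUTH PLAIN LOGIN", "8BITMIME"],
                ["SIZE 10240000", "AUTH PLAIN LOGIN", "8BITMIME"]),
    "encrypt": (["SIZE 10240000", "STARTTLS", "8BITMIME"],          # no AUTH yet
                ["SIZE 10240000", "AUTH PLAIN LOGIN", "8BITMIME"]),  # AUTH inside TLS
}


class SmtpError(Exception):
    """Raised where the client aborts instead of sending the message."""


def _keywords(caps):
    return {line.split()[0].upper() for line in caps}


def negotiate(level, enable_starttls, opportunistic=False):
    """Return "tls" or "plain" for how the message would be submitted, or raise.

    enable_starttls mirrors the pfSense checkbox. opportunistic=True is a
    hypothetical client that silently falls back to plain text when STARTTLS
    is missing (the behaviour a STRIPTLS downgrade relies on).
    """
    pre_tls, post_tls = SERVERS[level]
    caps = _keywords(pre_tls)
    mode = "plain"
    if enable_starttls:
        if "STARTTLS" in caps:
            caps = _keywords(post_tls)   # client re-issues EHLO inside TLS
            mode = "tls"
        elif not opportunistic:
            raise SmtpError("server does not support starting TLS")
    if "AUTH" not in caps:
        raise SmtpError("server does not require authentication, "
                        "it probably requires starting TLS")
    return mode


def run_matrix(opportunistic=False):
    """Reproduce the thread's six cases: (level, starttls) -> outcome string."""
    results = {}
    for level in SERVERS:
        for enable in (False, True):
            try:
                results[(level, enable)] = negotiate(level, enable, opportunistic)
            except SmtpError as exc:
                results[(level, enable)] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for (level, enable), outcome in run_matrix().items():
        print(f"{level:8} STARTTLS={'Yes' if enable else 'No'} -> {outcome}")
```

Running run_matrix(opportunistic=True) shows the contrast: the "none" server with STARTTLS enabled then reports "plain" instead of an error, which is exactly the silent downgrade the strict behaviour observed above prevents.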