Hello, I don't think that your TLS/SSL is set up correctly. According to your ethereal output, there is absolutely no handshake for TLS/SSL nor any transmission of some certificate. If your client / server was indeed handshaking TLS/SSL, there should be visible at least a certificate exchange in the sniffed connection. So I think you are not using TLS/SSL in this case. There could be multiple causes of this. I still think that after a successfull TLS handshake the complete session would be encrypted, including any type of authentication, especially clear text authentication. Some additional statements: If the complete session is encrypted, why should you do an additional encryption for POP? Or for SMTP-AUTH? We have setup such systems for POP and SMTP, and after taking a deeper look into the log messages, I am quite sure that TLS-handshake occurs _before_ transmission of login and pass (as I also thought before I read your post), and before transmission of any data. As the complete session should be encryted after TLS handshake, you do not need to worry about clear-text passwords. Clear-text passwords only means that the encrypting extensions of the POP protocol are not used (such as APOP and others wich do this function _independently_ of TLS/SSL). But once again, don't care about this since the complete session, including "clear-text-passwords", is protected by crytography after successfull SSL/TLS handshake, and in the most cases, you don't need an additional password encryption for an already encrypted session. An additional tip: Look into the log files of the _server_ system, which is hopefully unix or linux. If there are no messages stating a successfull TLS handshake, then there was no such handshake, and you did not use TLS at all. Furthermore, from your ethereal output I can't see sendmail stating it's capabilities for TLS - look into the lines at the beginning which start with 250- . There is no line which says "250-STARTTLS" which would be the case if your sendmail daemon could use TLS. Taking all together, I am now pretty sure that you do not use TLS/SSL at all. Please read the ethereal output of a real TLS session (taken from our systems) which I have put below. Note especially the line 250-STARTTLS after the client HELO, and note also the contents of the certificate. After transmission of the certificate, there is no plain text, and no plain login or password. I did not want to post the rest (3000 bytes of encrypted debris) here, so I would like you to just believe me that there was not a single reasonable combination of letters in the rest of the output. Regards, Peter Pfannenschmid Example correct session log: 220 sisko.itc.de ESMTP Sendmail 8.12.2/8.12.2; Tue, 19 Mar 2002 12:45:13 +0100 EHLO kira.t-online.de 250-sisko.itc.de Hello kira.itc.de [192.168.10.10], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN 250-VERB 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-STARTTLS 250-DELIVERBY 250 HELP STARTTLS 220 2.0.0 Ready to start TLS [ W <%üëuUKÊTHqÂiH~á¹ãH¯¿à 0 J H fÿ I ÿ d b e cÿ J F <$É#[ÿ~Ãßãpƪ¦s¸lh¤4-Ût!Vú I}Ý÷ØÃW7q [ APPROX 3000 bytes more debris of the above sort from here...] At 17:26 18.03.2002 +0100, Roland Hilkenbach wrote:
Am Montag, 18. März 2002 15:59 schrieb Peter Pfannenschmid:
Hello,
just one quick question: is it really true that sendmail-tls/ssl and qpopper-tls/ssl does NOT encrypt message bodies (as stated below)? I do not want to believe this...
Thank your very much,
Peter Pfannenschmid
I felt too bad to show up with an example from Exchange so I used a server of a friend of mine to verify that TLS-Messages are send in plain text using sendmail-tls. Here's the ethereal-output again with some entries blackened:
220 xxxxxx.pureserver.de ESMTP Sendmail 8.11.3/8.11.3/SuSE Linux 8.11.1-0.5; Mon, 18 Mar 2002 17:19:32 +0100 EHLO profil-hannover.de 250-xxxxxx.pureserver.de Hello pD9E35E24.dip.t-dialin.net [217.227.94.36], pleased to meet you 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-SIZE 250-DSN 250-ONEX 250-ETRN 250-XUSR 250-AUTH LOGIN PLAIN 250 HELP AUTH PLAIN xxxxxxxxxxxxxxxxxxx= 235 2.0.0 OK Authenticated MAIL FROM:
250 2.1.0 ... Sender ok RCPT TO: 250 2.1.5 ... Recipient ok DATA 354 Enter mail, end with "." on a line by itself Sender: roland Message-ID: <3C9613A8.EB203A30@profil-hannover.de> Date: Mon, 18 Mar 2002 17:19:52 +0100 From: Roland Hilkenbach X-Mailer: Mozilla 4.78 [de] (X11; U; Linux 2.4.10-4GB i686) X-Accept-Language: en MIME-Version: 1.0 To: rh@profil-hannover.de Subject: Testmail via sendmail TLS Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hallo und moin moin . 250 2.0.0 g2IGJcr06461 Message accepted for delivery QUIT 221 2.0.0 xxxxxx.pureserver.de closing connection
I hope you excuse me using an exchange server for the previous example ;-)
Roland Hilkenbach
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here