unofficial mirror of help-gnu-emacs@gnu.org
From: Eli Zaretskii <eliz@gnu.org>
To: help-gnu-emacs@gnu.org
Subject: Re: Clarification about forced TLS connections with remote mailboxes and smtp
Date: Wed, 24 Apr 2024 08:52:12 +0300
Message-ID: <861q6v48ab.fsf@gnu.org>
In-Reply-To: <875xw8cbs0.fsf@RISEUP> (message from BP25 on Tue, 23 Apr 2024 16:57:19 +0100)

> From: BP25 <bp25@riseup.net>
> Date: Tue, 23 Apr 2024 16:57:19 +0100
> 
> I have a few questions. Is there a kind soul who would clarify a few
> things for me please?

I will try, but in general, all the info is in the Mailutils and Emacs
manuals, ready for you to read on.

> 1. I use Rmail to fetch my messages from remote mailboxes. Do you know
> if using the url starting with pops:// or imaps:// always forces the
> connection to be encrypted via TLS over SSL?

The Mailutils manual says:

  pops
       Remote mailbox accessed using the "Post Office Protocol" (POP3).
       The transmission channel is encrypted using the "transport layer
       security" (TLS).  The default port is 995.

and similarly about imaps.

> 1a. Then what happens when only the Emacs movemail is available? I think
> that no encrypted connection is supported for the POP protocol then.

The version of movemail that comes with Emacs does not support pops
and imaps, so you will get failure to fetch email with some error
message.

> 1b. Suppose we're using instead the Mailutils movemail: does the --tls
> flag only affect connections with URL starting by pop:// or imap://, and
> doesn't affect connections whose URL starts by pops:// or imaps://?

Not clear.  Why is that important?

> 2. I read on the movemail manual ``The deprecated POP3S protocol is also
> supported. It is enabled by an URL beginning with pops:// instead of
> pop://'' but I read on the Emacs manual ``If using Mailutils movemail,
> you may wish to use ‘pops’ in place of ‘pop’.'' therefore I'm confused
> on whether this syntax is obsolete or recommended!

The latest Mailutils manual doesn't say this, and I think it was only
relevant to pop3d, the daemon, so not relevant for you.

> I use Message and I send emails by using smtpmail-send-it. I also set
> variables smtpmail-smtp-service 465 and smtpmail-stream-type 'ssl.
> 
> 3a. Does setting either one of these last two variables already force
> the connection to happen via TLS over SSL?

smtpmail is about _sending_ email, not about _receiving_ it.  So you
are now asking about a different functionality altogether.

The Emacs user manual says:

  The value of ‘send-mail-function’ should be one of the following functions:
  [...]
  ‘smtpmail-send-it’
       Send mail through an external mail host, such as your Internet
       service provider's outgoing SMTP mail server.  If you have not told
       Emacs how to contact the SMTP server, it prompts for this
       information, which is saved in the ‘smtpmail-smtp-server’ variable
       and the file ‘~/.authinfo’.  *Note Emacs SMTP Library:
       (smtpmail)Top.

IOW, the preferred way of using smtpmail is by having the ~/.authinfo
file.  If you have ~/.authinfo, smtpmail-stream-type should be nil.
Whether the connection is encrypted depends on the SMTP server;
usually using a certain port which is documented to accept encrypted
connections will make your connection encrypted.

> 3b. If neither of the two variables is set but the SMTP server I use
> says that:
> 
> --8<---------------cut here---------------start------------->8---
>  ``If your mail client does not support secure SMTP, you cannot use our
> server as your SMTP. You might have the option of choosing either TLS or
> SSL for the secure connection. Both protocols work, but most ISPs will
> block port 25 (used by TLS), so we recommend that you choose SSL'' and
> later adds that ``For security reasons, we no longer support SSL.''
> --8<---------------cut here---------------end--------------->8---
> 
> then does it mean that I cannot have accidentally exposed my login
> details or other information by initiating a nonencrypted connection?

I don't think the above citation says anything about disclosing your
login details.  It's a general statement that warns you about using
insecure SMTP.

> 3c. Do you agree that the quoted information from my SMTP server above
> is confusing?

Maybe (you only show a small part of it), but in any case, that server
is not part of Emacs, is it?
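
Added example, not part of the original message and not code from Emacs or Mailutils: an smtpmail setup for the situation in question 3a, annotated with the values `smtpmail-stream-type` accepts according to its docstring, plus a guard that refuses to send unless TLS is mandatory. The host `smtp.example.org` and the function name `my/smtp-require-tls` are assumptions made for illustration.

```elisp
;;; Added example: make TLS mandatory for outgoing mail sent via smtpmail.
(require 'smtpmail)
(require 'message)

;; Values of `smtpmail-stream-type', per its docstring:
;;   nil        upgrade with STARTTLS if possible (opportunistic, so the
;;              session can proceed unencrypted if no upgrade is offered)
;;   'starttls  refuse to send if STARTTLS isn't available
;;   'plain     never use STARTTLS
;;   'ssl       use TLS/SSL for the whole connection
(setq send-mail-function         #'smtpmail-send-it
      message-send-mail-function #'smtpmail-send-it
      smtpmail-smtp-server       "smtp.example.org" ; placeholder host
      smtpmail-smtp-service      465                ; implicit-TLS submission port
      smtpmail-stream-type       'ssl)

;; Alternative for a server that offers STARTTLS on the submission port:
;; (setq smtpmail-smtp-service 587
;;       smtpmail-stream-type  'starttls)

(defun my/smtp-require-tls ()
  "Abort sending unless `smtpmail-stream-type' makes TLS mandatory.
Hypothetical helper; it guards against the variable being reset to
nil or `plain' elsewhere in the configuration."
  (when (eq message-send-mail-function #'smtpmail-send-it)
    (unless (memq smtpmail-stream-type '(ssl starttls))
      (user-error "Refusing to send: smtpmail-stream-type is %S, TLS not enforced"
                  smtpmail-stream-type))))

;; `message-send-hook' runs before Message hands the mail to the sender,
;; so a failed check stops the send before any connection is opened.
(add-hook 'message-send-hook #'my/smtp-require-tls)
```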


