Clarification about forced TLS connections with remote mailboxes and smtp

Clarification about forced TLS connections with remote mailboxes and smtp

[BP25]

Hello,

I have a few questions. Is there a kind soul who would clarify a few
things for me please?

1. I use Rmail to fetch my messages from remote mailboxes. Do you know
if using the url starting with pops:// or imaps:// always forces the
connection to be encrypted via TLS over SSL?

1a. Then what happens when only the Emacs movemail is available? I think
that no encrypted connection is supported for the POP protocol then.

1b. Suppose we're using instead the Mailutils movemail: does the --tls
flag only affect connections with URL starting by pop:// or imap://, and
doesn't affect connections whose URL starts by pops:// or imaps://?

2. I read on the movemail manual ``The deprecated POP3S protocol is also
supported. It is enabled by an URL beginning with pops:// instead of
pop://'' but I read on the Emacs manual ``If using Mailutils movemail,
you may wish to use ‘pops’ in place of ‘pop’.'' therefore I'm confused
on whether this syntax is obsolete or recommended!

I use Message and I send emails by using smtpmail-send-it. I also set
variables smtpmail-smtp-service 465 and smtpmail-stream-type 'ssl.

3a. Does setting either one of these last two varibales already force
the connection to happen via TLS over SSL?

3b. If neither of the two variables is set but the SMTP server I use
says that:

--8<---------------cut here---------------start------------->8---
 ``If your mail client does not support secure SMTP, you cannot use our
server as your SMTP. You might have the option of choosing either TLS or
SSL for the secure connection. Both protocols work, but most ISPs will
block port 25 (used by TLS), so we recommend that you choose SSL'' and
later adds that ``For security reasons, we no longer support SSL.''
--8<---------------cut here---------------end--------------->8---

then does it mean that I cannot have accidentally exposed my login
details or other information by initiating a nonencrypted connection?

3c. Do you agree that the quoted information from my SMTP server above
is confusing?

Re: Clarification about forced TLS connections with remote mailboxes and smtp

[BP25]

BP25 writes:

> Hello,
>
> I have a few questions. Is there a kind soul who would clarify a few
> things for me please?

4. And by the way, why don't releases of Emacs ship the version of
movemail by mailutils which is current at the time of the release, and
instead come with -- as far as I understand -- an obsolete version
(which doesn't support encrypted POP)?

Re: Clarification about forced TLS connections with remote mailboxes and smtp

[Stefan Monnier via Users list for the GNU Emacs text editor]

>> I have a few questions. Is there a kind soul who would clarify a few
>> things for me please?
> 4. And by the way, why don't releases of Emacs ship the version of
> movemail by mailutils which is current at the time of the release, and
> instead come with -- as far as I understand -- an obsolete version
> (which doesn't support encrypted POP)?

Because you should not use Emacs's `movemail`, it's deprecated.
Use Mailutils's instead.


        Stefan

Re: Clarification about forced TLS connections with remote mailboxes and smtp

[Eli Zaretskii]

> From: BP25 <bp25@riseup.net>
> Date: Tue, 23 Apr 2024 17:24:40 +0100
> 
> 4. And by the way, why don't releases of Emacs ship the version of
> movemail by mailutils which is current at the time of the release, and
> instead come with -- as far as I understand -- an obsolete version
> (which doesn't support encrypted POP)?

We cannot ship a program from another package, which is developed by
its own team.  We could only stop shipping our own movemail.  At the
time we decided not to do that drastic step, and instead added to the
configure script code to detect an existing installation of Mailutils,
and a warning message if there was none.

If you have Mailutils installed, Emacs will use its movemail, not the
one which comes with Emacs.

Re: Clarification about forced TLS connections with remote mailboxes and smtp

[Eli Zaretskii]

> From: BP25 <bp25@riseup.net>
> Date: Tue, 23 Apr 2024 16:57:19 +0100
> 
> I have a few questions. Is there a kind soul who would clarify a few
> things for me please?

I will try, but in general, all the info is in the Mailutils and Emacs
manuals, ready for you to read on.

> 1. I use Rmail to fetch my messages from remote mailboxes. Do you know
> if using the url starting with pops:// or imaps:// always forces the
> connection to be encrypted via TLS over SSL?

The Mailutils manual says:

  pops
       Remote mailbox accessed using the "Post Office Protocol" (POP3).
       The transmission channel is encrypted using the "transport layer
       security" (TLS).  The default port is 995.

and similarly about imaps.

> 1a. Then what happens when only the Emacs movemail is available? I think
> that no encrypted connection is supported for the POP protocol then.

The version of movemail that comes with Emacs does not support pops
and imaps, so you will get failure to fetch email with some error
message.

> 1b. Suppose we're using instead the Mailutils movemail: does the --tls
> flag only affect connections with URL starting by pop:// or imap://, and
> doesn't affect connections whose URL starts by pops:// or imaps://?

Not clear.  Why is that important?

> 2. I read on the movemail manual ``The deprecated POP3S protocol is also
> supported. It is enabled by an URL beginning with pops:// instead of
> pop://'' but I read on the Emacs manual ``If using Mailutils movemail,
> you may wish to use ‘pops’ in place of ‘pop’.'' therefore I'm confused
> on whether this syntax is obsolete or recommended!

The latest Mailutils manual doesn't say this, and I think it was only
relevant to pop3d, the daemon, so not relevant for you.

> I use Message and I send emails by using smtpmail-send-it. I also set
> variables smtpmail-smtp-service 465 and smtpmail-stream-type 'ssl.
> 
> 3a. Does setting either one of these last two varibales already force
> the connection to happen via TLS over SSL?

smtpmail is about _sending_ email, not about _receiving_ it.  So you
are now asking about a different functionality altogether.

The Emacs user manual says:

  The value of ‘send-mail-function’ should be one of the following functions:
  [...]
  ‘smtpmail-send-it’
       Send mail through an external mail host, such as your Internet
       service provider's outgoing SMTP mail server.  If you have not told
       Emacs how to contact the SMTP server, it prompts for this
       information, which is saved in the ‘smtpmail-smtp-server’ variable
       and the file ‘~/.authinfo’.  *Note Emacs SMTP Library:
       (smtpmail)Top.

IOW, the preferred way of using smtpmail is by having the ~/.authinfo
file.  If you have ~/.authinfo, smtpmail-stream-type should be nil.
Whether the connection is encrypted depends on the SMTP server;
usually using a certain port which is documented to accept encrypted
connections will make your connection encrypted.

> 3b. If neither of the two variables is set but the SMTP server I use
> says that:
> 
> --8<---------------cut here---------------start------------->8---
>  ``If your mail client does not support secure SMTP, you cannot use our
> server as your SMTP. You might have the option of choosing either TLS or
> SSL for the secure connection. Both protocols work, but most ISPs will
> block port 25 (used by TLS), so we recommend that you choose SSL'' and
> later adds that ``For security reasons, we no longer support SSL.''
> --8<---------------cut here---------------end--------------->8---
> 
> then does it mean that I cannot have accidentally exposed my login
> details or other information by initiating a nonencrypted connection?

I don't think the above citation says anything about disclosing your
login details.  It's a general statement that warns you about using
insecure SMTP.

> 3c. Do you agree that the quoted information from my SMTP server above
> is confusing?

Maybe (you only show a small part of it), but in any case, that server
is not part of Emacs, is it?