* Insecure Mail Sending Warning
@ 2020-10-23 0:35 Robert Thorpe
2020-10-23 16:09 ` Robert Pluim
0 siblings, 1 reply; 4+ messages in thread
From: Robert Thorpe @ 2020-10-23 0:35 UTC (permalink / raw)
To: help-gnu-emacs
When I send mail I get a warning about security.
> The TLS connection to <mailserver> is insecure for the following reason:
>
> * TLS1.0 protocol is deprecated by standard bodies.
Where <mailserver> is the URL of my mailserver.
Can I fix this or is the problem on my mail provider's side?
I'm using port 587, which I thought was correct.
My init file doesn't have much in it for sending mail:
(setq send-mail-function 'smtpmail-send-it)
(setq smtpmail-smtp-server "<mailserver>")
(setq user-mail-address "rt@robertthorpeconsulting.com")
(setq smtpmail-smtp-service 587)
BR,
Robert Thorpe
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Insecure Mail Sending Warning
2020-10-23 0:35 Insecure Mail Sending Warning Robert Thorpe
@ 2020-10-23 16:09 ` Robert Pluim
2020-10-24 1:48 ` Robert Thorpe
0 siblings, 1 reply; 4+ messages in thread
From: Robert Pluim @ 2020-10-23 16:09 UTC (permalink / raw)
To: Robert Thorpe; +Cc: help-gnu-emacs
>>>>> On Fri, 23 Oct 2020 01:35:35 +0100, Robert Thorpe <rt@robertthorpeconsulting.com> said:
Robert> When I send mail I get a warning about security.
>> The TLS connection to <mailserver> is insecure for the following reason:
>>
>> * TLS1.0 protocol is deprecated by standard bodies.
Robert> Where <mailserver> is the URL of my mailserver.
Robert> Can I fix this or is the problem on my mail provider's side?
The problem is on the mail provider's side, I think.
Iʼm kind of surprised that a real mail provider still enables
TLS1.0. You can test what it supports using
gnutls-cli -p 587 <mailserver>
Robert> I'm using port 587, which I thought was correct.
587 is the mail submission port. It normally starts out in cleartext,
and is then upgraded to TLS with a STARTTLS command. Iʼd recommend
465, which is TLS-only (although you'd have to set
smtpmail-stream-type to 'tls)
You'd still get the warning, but at least the entire connection would
be encrypted (not that that means much when using TLS1.0)
Robert
--
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Insecure Mail Sending Warning
2020-10-23 16:09 ` Robert Pluim
@ 2020-10-24 1:48 ` Robert Thorpe
2020-10-24 9:56 ` Robert Pluim
0 siblings, 1 reply; 4+ messages in thread
From: Robert Thorpe @ 2020-10-24 1:48 UTC (permalink / raw)
To: Robert Pluim; +Cc: help-gnu-emacs
> Robert> Where <mailserver> is the URL of my mailserver.
>
> Robert> Can I fix this or is the problem on my mail provider's side?
>
> The problem is on the mail provider's side, I think.
Thank you. I'll contact my provider and ask them about it.
> Iʼm kind of surprised that a real mail provider still enables
> TLS1.0. You can test what it supports using
>
> gnutls-cli -p 587 <mailserver>
That command doesn't seem to give useful output. It says:
> Processed 148 CA certificate(s).
> Resolving '<mailserver>:587'...
> Connecting to '81.17.254.9:587'...
> |<1>| Received record packet of unknown type 50
> *** Fatal error: An unexpected TLS packet was received.
Anyway, I'll talk to them about it.
> Robert> I'm using port 587, which I thought was correct.
>
> 587 is the mail submission port. It normally starts out in cleartext,
> and is then upgraded to TLS with a STARTTLS command. Iʼd recommend
> 465, which is TLS-only (although you'd have to set
> smtpmail-stream-type to 'tls)
>
> You'd still get the warning, but at least the entire connection would
> be encrypted (not that that means much when using TLS1.0)
It seems that port 465 doesn't work. The gnutls-cli command timed out
on it.
Thank you again,
Robert Thorpe
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Insecure Mail Sending Warning
2020-10-24 1:48 ` Robert Thorpe
@ 2020-10-24 9:56 ` Robert Pluim
0 siblings, 0 replies; 4+ messages in thread
From: Robert Pluim @ 2020-10-24 9:56 UTC (permalink / raw)
To: Robert Thorpe; +Cc: help-gnu-emacs
>>>>> On Sat, 24 Oct 2020 02:48:09 +0100, Robert Thorpe <rt@robertthorpeconsulting.com> said:
Robert> Where <mailserver> is the URL of my mailserver.
>>
Robert> Can I fix this or is the problem on my mail provider's side?
>>
>> The problem is on the mail provider's side, I think.
Robert> Thank you. I'll contact my provider and ask them about it.
>> Iʼm kind of surprised that a real mail provider still enables
>> TLS1.0. You can test what it supports using
>>
>> gnutls-cli -p 587 <mailserver>
Robert> That command doesn't seem to give useful output. It says:
>> Processed 148 CA certificate(s).
>> Resolving '<mailserver>:587'...
>> Connecting to '81.17.254.9:587'...
>> |<1>| Received record packet of unknown type 50
>> *** Fatal error: An unexpected TLS packet was received.
Sorry, thinko on my part. Try
gnutls-cli -starttls-proto=smtp -p 587 <mailserver>
This will connect using TCP and then try to upgrade to TLS with a
STARTTLS command.
I just tried it to your mailserver and it matches the warning from
Emacs:
- Status: The certificate is trusted.
- Description: (TLS1.0-X.509)-(RSA)-(AES-256-CBC)-(SHA1)
Robert
--
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-10-24 9:56 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-23 0:35 Insecure Mail Sending Warning Robert Thorpe
2020-10-23 16:09 ` Robert Pluim
2020-10-24 1:48 ` Robert Thorpe
2020-10-24 9:56 ` Robert Pluim
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).