* TLS SMTP encryption
@ 2006-09-04 10:41 Phillip Lord
  2006-09-06  9:17 ` Simon Josefsson
  0 siblings, 1 reply; 5+ messages in thread
From: Phillip Lord @ 2006-09-04 10:41 UTC (permalink / raw)




I've been having problems getting TLS working with SMTP. I think that
there are failings in both the code base and the documentation for
the code base that are making this problem much harder. 



First, the defaults. To use TLS, you have to reconfigure things like
the ports manually, and have to do so in multiple places. So, for
example, from the smtpmail documentation.....


;;(setq send-mail-function 'smtpmail-send-it) ; if you use `mail'
;;(setq message-send-mail-function 'smtpmail-send-it) ; if you use message/Gnus
;;(setq smtpmail-default-smtp-server "YOUR SMTP HOST")
;;(setq smtpmail-local-domain "YOUR DOMAIN NAME")
;;(setq smtpmail-sendto-domain "YOUR DOMAIN NAME")
;;(setq smtpmail-debug-info t) ; only to debug problems
;;(setq smtpmail-auth-credentials  ; or use ~/.authinfo
;;      '(("YOUR SMTP HOST" 25 "username" "password")))
;;(setq smtpmail-starttls-credentials
;;      '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key" "~/.my_smtp_tls.cert")))




Now authentication mail often uses a different port. So you have to
change this. But this is done in smtpmail-smtp-service. The 25's in
auth-credentials are only used to determine which credentials should
be used. Confusing. I don't know what the standards are, but with most
mail readers you just click "SSL/TLS encryption" and the ports get set,
or guessed, automatically. 


Second, the documentation. Take...

;;(setq smtpmail-starttls-credentials
;;      '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key" "~/.my_smtp_tls.cert")))


So, what's .my_smtp_tls.key then? Where does it come from? How do I get
it? Can I use gnutls to generate it? I have no idea at all. Further
investigation suggests that actually you can leave this blank, and it
should still work. 

Third, it would be nice if the documentation made clear that "TLS"
appears to be the same thing as "SSL" -- at least in the context of
SMTP servers. I was under the impression for a number of months that I
could not use encryption for SMTP as our local server requires SSL,
which smtpmail doesn't do. Actually, it uses TLS. Some documentation
saying "if you are required to use SSL, this is probably what you
want". 

Finally, it doesn't seem to work on Windows. I spent three hours with
a debugger a couple of days ago -- I figured this was the only way to
see if I had the configuration right. It appears that starttls.el uses
Unix specific process handling, so won't work with NTEmacs. I've been
told that you can get this working with cygwin by calling out to
kill.exe which works around the problem. Bit ugly! I realise that
fixing this properly may take some time, but updating the
documentation would be relatively quick!

At the moment, I have access to a non-TLS-based stream, but this isn't
going to last for ever. I suspect that many people are in the same
boat. 

Thanks for your time!

Phil


* Re: TLS SMTP encryption
  2006-09-04 10:41 TLS SMTP encryption Phillip Lord
@ 2006-09-06  9:17 ` Simon Josefsson
  2006-09-06 12:07   ` Phillip Lord
  0 siblings, 1 reply; 5+ messages in thread
From: Simon Josefsson @ 2006-09-06  9:17 UTC (permalink / raw)
  Cc: emacs-devel

Phillip Lord <phillip.lord@newcastle.ac.uk> writes:

> I've been having problems getting TLS working with SMTP. I think that
> there are failings in both the code base and the documentation for
> the code base that are making this problem much harder. 
>
>
>
> First, the defaults. To use TLS, you have to reconfigure things like
> the ports manually, and have to do so in multiple places.

The supported way to use TLS is NOT to use another port.

The recommended practice since 1999, and probably before that, when
RFC 2487 came out, is to use port 25 and use STARTTLS on that port.

Emacs does not support 'ssmtp' aka 'smtps' on port 465.  From what I
can recall, nobody has ever asked for that feature either, so this
doesn't seem widely deployed.

> So, for example, from the smtpmail documentation.....
>
>
> ;;(setq send-mail-function 'smtpmail-send-it) ; if you use `mail'
> ;;(setq message-send-mail-function 'smtpmail-send-it) ; if you use message/Gnus
> ;;(setq smtpmail-default-smtp-server "YOUR SMTP HOST")
> ;;(setq smtpmail-local-domain "YOUR DOMAIN NAME")
> ;;(setq smtpmail-sendto-domain "YOUR DOMAIN NAME")
> ;;(setq smtpmail-debug-info t) ; only to debug problems
> ;;(setq smtpmail-auth-credentials  ; or use ~/.authinfo
> ;;      '(("YOUR SMTP HOST" 25 "username" "password")))
> ;;(setq smtpmail-starttls-credentials
> ;;      '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key" "~/.my_smtp_tls.cert")))
>
>
>
>
> Now authentication mail often uses a different port.

Typically, no.

> So you have to change this. But this is done in
> smtpmail-smtp-service. The 25's in auth-credentials are only used to
> determine which credentials should be used.

Right, and you could have multiple credentials, for different ports.

> Confusing. I don't know what the standards are, but with most mail
> readers you just click "SSL/TLS encryption" and the ports get set,
> or guessed, automatically.

Again, most programs use the same port.

> Second, the documentation. Take...
>
> ;;(setq smtpmail-starttls-credentials
> ;;      '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key" "~/.my_smtp_tls.cert")))
>
>
> So, what's .my_smtp_tls.key then? Where does it come from? How do I get
> it? Can I use gnutls to generate it? I have no idea at all. Further
> investigation suggests that actually you can leave this blank, and it
> should still work. 

Did you read the Emacs SMTP Manual?  An old copy is available from:

http://josefsson.org/smtpmail.html

But it is also part of Emacs.

If you don't have an X.509 certificate/key pair, you can leave those
fields empty.  You can generate them using GnuTLS, but you need the
server admin to recognize your certificate as well.  Typically you
don't need client authentication using TLS.

The documentation for the variable seems sub-optimal here, so I have
installed this change:

--- smtpmail.el	15 Feb 2006 10:22:36 +0100	1.84
+++ smtpmail.el	06 Sep 2006 11:07:47 +0200	
@@ -176,7 +176,12 @@
 (defcustom smtpmail-starttls-credentials '(("" 25 "" ""))
   "Specify STARTTLS keys and certificates for servers.
 This is a list of four-element list with `servername' (a string),
-`port' (an integer), `key' (a filename) and `certificate' (a filename)."
+`port' (an integer), `key' (a filename) and `certificate' (a
+filename).
+If you do not have a certificate/key pair, leave the `key' and
+`certificate' fields as `nil'.  A key/certificate pair is only
+needed if you want to use X.509 client authenticated
+connections."
   :type '(repeat (list (string  :tag "Server")
 		       (integer :tag "Port")
 		       (file    :tag "Key")
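Review bot: the added docstring tells users to leave `key' and `certificate' as `nil', but the default value in the same defcustom, '(("" 25 "" "")), uses empty strings, and the :type widget for those fields is `file', which also produces strings; state which of nil and "" smtpmail actually accepts (the reply above says "leave those fields empty"), or change the default so it matches the advice. While the docstring is being touched, "This is a list of four-element list" in the unchanged first line should read "four-element lists".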

> Third, it would be nice if the documentation made clear that "TLS"
> appears to be the same thing as "SSL" -- at least in the context of
> SMTP servers. I was under the impression for a number of months that I
> could not use encryption for SMTP as our local server requires SSL,
> which smtpmail doesn't do. Actually, it uses TLS. Some documentation
> saying "if you are required to use SSL, this is probably what you
> want". 

SSL is an earlier version of TLS, but they are compatible.  SMTP uses
TLS, but people often incorrectly call it SSL.  I modified the Emacs
SMTP Manual to mention SSL:

Index: smtpmail.texi
===================================================================
RCS file: /sources/emacs/emacs/man/smtpmail.texi,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -p -r1.13 -r1.14
--- smtpmail.texi	5 Feb 2006 22:41:31 -0000	1.13
+++ smtpmail.texi	6 Sep 2006 09:10:43 -0000	1.14
@@ -209,6 +209,8 @@ The following example illustrates what y
 @cindex CRAM-MD5
 @cindex LOGIN
 @cindex STARTTLS
+@cindex TLS
+@cindex SSL
 Many environments require SMTP clients to authenticate themselves
 before they are allowed to route mail via a server.  The two following
 variables contains the authentication information needed for this.
@@ -220,10 +222,10 @@ that order if the server support both.
 The second variable, @code{smtpmail-starttls-credentials}, instructs
 the SMTP library to connect to the server using STARTTLS.  This means
 the protocol exchange may be integrity protected and confidential by
-using TLS, and optionally also authentication of the client.  This
-feature uses the elisp package @file{starttls.el} (see it for more
-information on customization), which in turn require that at least one
-of the following external tools are installed:
+using TLS, also known as SSL, and optionally also authentication of
+the client.  This feature uses the elisp package @file{starttls.el}
+(see it for more information on customization), which in turn require
+that at least one of the following external tools are installed:
 
 @enumerate
 @item
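Review bot: "using TLS, also known as SSL" in the + lines asserts an equivalence that the same message qualifies a few paragraphs earlier (SSL is an earlier version of TLS); suggest wording such as "using TLS (the successor to SSL; a server said to require 'SSL' almost always means this)" so a reader told to use "SSL" learns that STARTTLS is what they want without being told the two protocols are the same. The reflowed + lines also keep "which in turn require that at least one of the following external tools are installed"; "requires ... is installed" since those lines are being rewritten anyway.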

> Finally, it doesn't seem to work on Windows. I spent three hours with
> a debugger a couple of days ago -- I figured this was the only way to
> see if I had the configuration right. It appears that starttls.el uses
> Unix specific process handling, so won't work with NTEmacs. I've been
> told that you can get this working with cygwin by calling out to
> kill.exe which works around the problem. Bit ugly! I realise that
> fixing this properly may take some time, but updating the
> documentation would be relatively quick!

I've seen it suggested that people have had success on Windows using
the starttls binary instead of gnutls-cli.  But I don't really know
what works under Windows, so I don't know how to improve things here.

> At the moment, I have access to a non-TLS-based stream, but this isn't
> going to last for ever. I suspect that many people are in the same
> boat.

Right.  Many people have migrated to SMTP over TLS already.

/Simon
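The port and STARTTLS discussion in the reply above (STARTTLS on port 25 as the supported path, smtps on 465 as the variant Emacs does not implement) as runnable client-side logic. This is an added example, not code from the thread, from smtpmail.el or from starttls.el; the scripted server replies, the host names and every function name in it are constructed for the demonstration, and nothing touches the network. It goes slightly beyond the thread by also covering the two failure modes a client must treat as hard errors (STARTTLS not advertised, STARTTLS refused) rather than continuing in cleartext.

```python
# Added example (not from the thread, smtpmail.el or starttls.el): client-side
# SMTP TLS negotiation run against scripted server replies.  Server replies,
# host names and helper names are constructed for this demo; no network I/O.
import re

SMTP_PORT = 25    # STARTTLS on the standard port, as recommended in the reply
SMTPS_PORT = 465  # implicit TLS from the first byte ("smtps"/"ssmtp")


def tls_mode_for_port(port):
    """'implicit' on 465 (TLS before any SMTP traffic); otherwise 'starttls'
    (session starts in cleartext and is upgraded with the STARTTLS verb)."""
    return "implicit" if port == SMTPS_PORT else "starttls"


def parse_ehlo_reply(lines):
    """Set of keywords advertised in a multi-line 250 reply.  '250-STARTTLS'
    is a continuation line, '250 HELP' the last; the first line only carries
    the server's name and is skipped."""
    caps = set()
    for line in lines[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


class ScriptedServer:
    """Stand-in SMTP server answering from a constructed script.  ehlo_plain /
    ehlo_tls: EHLO replies before / after TLS; starttls_reply: answer to
    STARTTLS (None means the server refuses with a 454)."""

    def __init__(self, ehlo_plain, starttls_reply=None, ehlo_tls=None):
        self.ehlo_plain, self.starttls_reply = ehlo_plain, starttls_reply
        self.ehlo_tls = ehlo_tls or ehlo_plain
        self.tls = False
        self.log = []  # every command the client sent, in order

    def send(self, command):
        self.log.append(command)
        verb = command.split()[0].upper()
        if verb == "EHLO":
            return self.ehlo_tls if self.tls else self.ehlo_plain
        if verb == "STARTTLS":
            reply = self.starttls_reply or ["454 TLS not available due to temporary reason"]
            if reply[0].startswith("220"):
                self.tls = True  # the TLS handshake would run at this point
            return reply
        if verb == "AUTH":  # real LOGIN/CRAM-MD5 takes several round trips
            return ["235 2.7.0 Authentication successful"]
        return ["250 OK"]


def negotiate(server, port, require_tls=True):
    """Drive the client side up to authentication and report what happened.
    With require_tls the client never sends credentials in cleartext: it stops
    if STARTTLS is not advertised or is refused instead of falling back."""
    result = {"tls": False, "authenticated": False, "reason": "", "sent": server.log}
    if tls_mode_for_port(port) == "implicit":
        server.tls = result["tls"] = True  # handshake precedes the greeting
    caps = parse_ehlo_reply(server.send("EHLO client.example"))
    if not result["tls"]:
        if "STARTTLS" not in caps:
            if require_tls:
                result["reason"] = "STARTTLS not advertised; refusing cleartext AUTH"
                return result
        else:
            reply = server.send("STARTTLS")
            if not reply[0].startswith("220"):
                result["reason"] = "STARTTLS refused (%s); no cleartext fallback" % reply[0]
                return result
            result["tls"] = True
            # RFC 3207: discard what was learned before TLS and re-issue EHLO
            caps = parse_ehlo_reply(server.send("EHLO client.example"))
    if not any(c.startswith("AUTH") for c in caps):
        result["reason"] = "no AUTH mechanism advertised"
        return result
    reply = server.send("AUTH LOGIN")  # credentials themselves omitted here
    result["authenticated"] = reply[0].startswith("235")
    return result


# Constructed EHLO replies used by the scenarios below.
EHLO_WITH_STARTTLS = ["250-mail.example.org", "250-AUTH CRAM-MD5 LOGIN", "250-STARTTLS", "250 HELP"]
EHLO_NO_STARTTLS = ["250-mail.example.org", "250-AUTH CRAM-MD5 LOGIN", "250 HELP"]
STARTTLS_OK = ["220 2.0.0 Ready to start TLS"]


def scenarios():
    """Four runs: the port-25 STARTTLS case from the thread, a server that
    never offers STARTTLS, one that advertises it but answers 454, and smtps
    on 465 where TLS is implicit and no STARTTLS verb is sent."""
    return {
        "starttls_25": negotiate(ScriptedServer(EHLO_WITH_STARTTLS, STARTTLS_OK, EHLO_NO_STARTTLS), SMTP_PORT),
        "no_starttls": negotiate(ScriptedServer(EHLO_NO_STARTTLS), SMTP_PORT),
        "starttls_refused": negotiate(ScriptedServer(EHLO_WITH_STARTTLS), SMTP_PORT),
        "smtps_465": negotiate(ScriptedServer(EHLO_NO_STARTTLS), SMTPS_PORT),
    }
```

The branch a defender cares about is `require_tls`: a client that treats a missing or refused STARTTLS as permission to carry on in plaintext will hand the same username and password that `smtpmail-auth-credentials` holds to whoever is answering on the wire, so the safe behaviour is to stop before AUTH and report why. The second EHLO after a successful STARTTLS is not cosmetic either; everything the server advertised before the upgrade was unauthenticated and is thrown away.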


* Re: TLS SMTP encryption
  2006-09-06  9:17 ` Simon Josefsson
@ 2006-09-06 12:07   ` Phillip Lord
  2006-09-11 14:00     ` Simon Josefsson
  0 siblings, 1 reply; 5+ messages in thread
From: Phillip Lord @ 2006-09-06 12:07 UTC (permalink / raw)


>>>>> "SJ" == Simon Josefsson <jas@extundo.com> writes:


  >> First, the defaults. To use TLS, you have to reconfigure things
  >> like the ports manually, and have to do so in multiple places.

  SJ> The supported way to use TLS is NOT to use another port.

  SJ> The recommended practice since 1999, and probably before that,
  SJ> when RFC 2487 came out, is to use port 25 and use STARTTLS on
  SJ> that port.

I am sure that you are correct about the RFCs. Maybe you are correct
about people's use of ports as well; I don't know, as I have a limited
number of mail servers to try out on. All I can say is that anything
which makes the task of connecting easier, including best guess
heuristics on port numbers. 


  SJ> Typically, no.

  >> So you have to change this. But this is done in
  >> smtpmail-smtp-service. The 25's in auth-credentials are only used
  >> to determine which credentials should be used.

  SJ> Right, and you could have multiple credentials, for different
  SJ> ports.

Of course, I understand that the system as you have it set up offers
more flexibility and that this is a good thing. However, the
duplication of port numbers in general is confusing. You have said,
after all, that in general people use the same port. 

  >> Confusing. I don't know what the standards are, but with most mail
  >> readers you just click "SSL/TLS encryption" and the ports get
  >> set, or guessed, automatically.

  SJ> Again, most programs use the same port.

  >> Second, the documentation. Take...
  >> 
  >> ;;(setq smtpmail-starttls-credentials
  >> ;;      '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key"
  >> ;;      "~/.my_smtp_tls.cert")))
  >> 
  >> 
  >> So, what's .my_smtp_tls.key then? Where does it come from? How do
  >> I get it? Can I use gnutls to generate it? I have no idea at
  >> all. Further investigation suggests that actually you can leave
  >> this blank, and it should still work.

  SJ> Did you read the Emacs SMTP Manual?  An old copy is available
  SJ> from:

  SJ> http://josefsson.org/smtpmail.html

Yes. My comments about the documentation come as a result of reading
it. I would not have commented had I not done so. From my reading
of this, what the certificates used in smtpmail-starttls-credentials
actually are is not described. Hence the confusion. 




  SJ> But it is also part of Emacs.

  SJ> If you don't have a X.509 certificate/key pair, you can leave
  SJ> those fields empty.  You can generate them using GnuTLS, but you
  SJ> need the server admin to recognize your certificate as well.
  SJ> Typically you don't need client authentication using TLS.

  SJ> The documentation for the variable seem sub-optimal here, so I
  SJ> have installed this change:

  SJ> --- smtpmail.el 15 Feb 2006 10:22:36 +0100 1.84
  SJ> +++ smtpmail.el 06 Sep 2006 11:07:47 +0200
  SJ> @@ -176,7 +176,12 @@
  SJ>  (defcustom smtpmail-starttls-credentials '(("" 25 "" ""))
  SJ>    "Specify STARTTLS keys and certificates for servers.
  SJ>  This is a list of four-element list with `servername' (a
  SJ>  string),
  SJ> -`port' (an integer), `key' (a filename) and `certificate' (a
  SJ> filename)."  +`port' (an integer), `key' (a filename) and
  SJ> `certificate' (a +filename).  +If you do not have a
  SJ> certificate/key pair, leave the `key' and +`certificate' fields
  SJ> as `nil'.  A key/certificate pair is only +needed if you want to
  SJ> use X.509 client authenticated +connections."
  SJ>    :type '(repeat (list (string :tag "Server")
  SJ>  		       (integer :tag "Port") (file :tag "Key")


Thank you, this is much clearer. 


  >> Third, it would be nice if the documentation made clear that
  >> "TLS" appears to be the same thing as "SSL" -- at least in the
  >> context of SMTP servers. I was under the impression for a number
  >> of months that I could not use encryption for SMTP as our local
  >> server requires SSL, which smtpmail doesn't do. Actually, it uses
  >> TLS. Some documentation saying "if you are required to use SSL,
  >> this is probably what you want".

  SJ> SSL is an earlier version of TLS, but they are compatible.  SMTP
  SJ> uses TLS, but people often incorrectly call it SSL.  I modified
  SJ> the Emacs SMTP Manual to mention SSL:

  SJ> Index: smtpmail.texi
  SJ> ===================================================================
  SJ> RCS file: /sources/emacs/emacs/man/smtpmail.texi,v retrieving
  SJ> revision 1.13 retrieving revision 1.14 diff -u -p -r1.13 -r1.14
  SJ> --- smtpmail.texi 5 Feb 2006 22:41:31 -0000 1.13
  SJ> +++ smtpmail.texi 6 Sep 2006 09:10:43 -0000 1.14
  SJ> @@ -209,6 +209,8 @@ The following example illustrates what y
  SJ>  @cindex CRAM-MD5 @cindex LOGIN @cindex STARTTLS
  SJ> +@cindex TLS +@cindex SSL
  SJ>  Many environments require SMTP clients to authenticate
  SJ>  themselves before they are allowed to route mail via a server.
  SJ>  The two following variables contains the authentication
  SJ>  information needed for this.
  SJ> @@ -220,10 +222,10 @@ that order if the server support both.
  SJ>  The second variable, @code{smtpmail-starttls-credentials},
  SJ>  instructs the SMTP library to connect to the server using
  SJ>  STARTTLS.  This means the protocol exchange may be integrity
  SJ>  protected and confidential by
  SJ> -using TLS, and optionally also authentication of the client.
  SJ> This -feature uses the elisp package @file{starttls.el} (see it
  SJ> for more -information on customization), which in turn require
  SJ> that at least one -of the following external tools are
  SJ> installed: +using TLS, also known as SSL, and optionally also
  SJ> authentication of +the client.  This feature uses the elisp
  SJ> package @file{starttls.el} +(see it for more information on
  SJ> customization), which in turn require +that at least one of the
  SJ> following external tools are installed:
 
  SJ>  @enumerate @item



I would modify this a bit -- TLS and SSL are not the same thing as you
suggest. I would say explicitly what you have just described to me. 

This means the protocol exchange may be integrity protected and
confidential by using TLS, and optionally also authentication of the
client.

TLS is a secure, encrypted communication method which is compatible
with SSL. In most cases where the system admins say that "SSL is
required", TLS will work. 




  >> Finally, it doesn't seem to work on Windows. I spent three hours
  >> with a debugger a couple of days ago -- I figured this was the
  >> only way to see if I had the configuration right. It appears that
  >> starttls.el uses Unix specific process handling, so won't work
  >> with NTEmacs. I've been told that you can get this working with
  >> cygwin by calling out to kill.exe which works around the
  >> problem. Bit ugly! I realise that fixing this properly may take
  >> some time, but updating the documentation would be relatively
  >> quick!

  SJ> I've seen it suggested that people have had success on Windows
  SJ> using the starttls binary instead of gnutls-cli.  But I don't
  SJ> really know what works under Windows, so I don't know how to
  SJ> improve things here.

The problem is with your process handling. 

(signal-process (process-id process) 'SIGALRM)

won't work. If you are using the cygwin gnutls, then this can be faked
using "kill" directly, but NTEmacs cannot send this signal, at least
to my knowledge.

I might try starttls, but in general, it's easier to have as few
extraneous binaries as possible, hence the desire to use

If TLS is compatible with SSL, would it not be possible to use the SSL
binaries? As I say, the IMAP code works fine using SSL.



  >> At the moment, I have access to a non-TLS-based stream, but this
  >> isn't going to last for ever. I suspect that many people are in
  >> the same boat.

  SJ> Right.  Many people have migrated to SMTP over TLS already.


Yep. Once everywhere goes, I can no longer send email with Emacs. I
spent 6 months on outlook this year and the experience was, er, less
than optimal, shall I say. 

Phil


* Re: TLS SMTP encryption
  2006-09-06 12:07   ` Phillip Lord
@ 2006-09-11 14:00     ` Simon Josefsson
  2006-09-11 14:42       ` Phillip Lord
  0 siblings, 1 reply; 5+ messages in thread
From: Simon Josefsson @ 2006-09-11 14:00 UTC (permalink / raw)
  Cc: emacs-devel

Phillip Lord <phillip.lord@newcastle.ac.uk> writes:

>>>>>> "SJ" == Simon Josefsson <jas@extundo.com> writes:
>
>
>   >> First, the defaults. To use TLS, you have to reconfigure things
>   >> like the ports manually, and have to do so in multiple places.
>
>   SJ> The supported way to use TLS is NOT to use another port.
>
>   SJ> The recommended practice since 1999, and probably before that,
>   SJ> when RFC 2487 came out, is to use port 25 and use STARTTLS on
>   SJ> that port.
>
> I am sure that you are correct about the RFCs. Maybe you are correct
> about people's use of ports as well; I don't know, as I have a limited
> number of mail servers to try out on. All I can say is that anything
> which makes the task of connecting easier, including best guess
> heuristics on port numbers. 

Right.

>   SJ> Typically, no.
>
>   >> So you have to change this. But this is done in
>   >> smtpmail-smtp-service. The 25's in auth-credentials are only used
>   >> to determine which credentials should be used.
>
>   SJ> Right, and you could have multiple credentials, for different
>   SJ> ports.
>
> Of course, I understand that the system as you have it set up offers
> more flexibility and that this is a good thing. However, the
> duplication of  port numbers in general is confusing. You have said,
> after all, that in general people use the same port. 

Yup.

>   >> Confusing. I don't know what the standards are, but with most mail
>   >> readers you just click "SSL/TLS encryption" and the ports get
>   >> set, or guessed, automatically.
>
>   SJ> Again, most programs use the same port.
>
>   >> Second, the documentation. Take...
>   >> 
>   >> ;;(setq smtpmail-starttls-credentials
>   >> ;;      '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key"
>   >> ;;      "~/.my_smtp_tls.cert")))
>   >> 
>   >> 
>   >> So, what's .my_smtp_tls.key then? Where does it come from? How do
>   >> I get it? Can I use gnutls to generate it? I have no idea at
>   >> all. Further investigation suggests that actually you can leave
>   >> this blank, and it should still work.
>
>   SJ> Did you read the Emacs SMTP Manual?  An old copy is available
>   SJ> from:
>
>   SJ> http://josefsson.org/smtpmail.html
>
> Yes. My comments about the documentation come as a result of reading
> it. I would not have commented had I not done so. From my reading
> of this, what the certificates used in smtpmail-starttls-credentials
> actually are is not described. Hence the confusion. 

Ok.  A complete discussion of X.509 and certificates (a complex
topic!) is not appropriate, but a shorter explanation may be useful.
Patches welcome...

>   SJ> But it is also part of Emacs.
>
>   SJ> If you don't have a X.509 certificate/key pair, you can leave
>   SJ> those fields empty.  You can generate them using GnuTLS, but you
>   SJ> need the server admin to recognize your certificate as well.
>   SJ> Typically you don't need client authentication using TLS.
>
>   SJ> The documentation for the variable seem sub-optimal here, so I
>   SJ> have installed this change:
>
>   SJ> --- smtpmail.el 15 Feb 2006 10:22:36 +0100 1.84
>   SJ> +++ smtpmail.el 06 Sep 2006 11:07:47 +0200
>   SJ> @@ -176,7 +176,12 @@
>   SJ>  (defcustom smtpmail-starttls-credentials '(("" 25 "" ""))
>   SJ>    "Specify STARTTLS keys and certificates for servers.
>   SJ>  This is a list of four-element list with `servername' (a
>   SJ>  string),
>   SJ> -`port' (an integer), `key' (a filename) and `certificate' (a
>   SJ> filename)."  +`port' (an integer), `key' (a filename) and
>   SJ> `certificate' (a +filename).  +If you do not have a
>   SJ> certificate/key pair, leave the `key' and +`certificate' fields
>   SJ> as `nil'.  A key/certificate pair is only +needed if you want to
>   SJ> use X.509 client authenticated +connections."
>   SJ>    :type '(repeat (list (string :tag "Server")
>   SJ>  		       (integer :tag "Port") (file :tag "Key")
>
>
> Thank you, this is much clearer. 

Ok.

>   >> Third, it would be nice if the documentation made clear that
>   >> "TLS" appears to be the same thing as "SSL" -- at least in the
>   >> context of SMTP servers. I was under the impression for a number
>   >> of months that I could not use encryption for SMTP as our local
>   >> server requires SSL, which smtpmail doesn't do. Actually, it uses
>   >> TLS. Some documentation saying "if you are required to use SSL,
>   >> this is probably what you want".
>
>   SJ> SSL is an earlier version of TLS, but they are compatible.  SMTP
>   SJ> uses TLS, but people often incorrectly call it SSL.  I modified
>   SJ> the Emacs SMTP Manual to mention SSL:
>
>   SJ> Index: smtpmail.texi
>   SJ> ===================================================================
>   SJ> RCS file: /sources/emacs/emacs/man/smtpmail.texi,v retrieving
>   SJ> revision 1.13 retrieving revision 1.14 diff -u -p -r1.13 -r1.14
>   SJ> --- smtpmail.texi 5 Feb 2006 22:41:31 -0000 1.13
>   SJ> +++ smtpmail.texi 6 Sep 2006 09:10:43 -0000 1.14
>   SJ> @@ -209,6 +209,8 @@ The following example illustrates what y
>   SJ>  @cindex CRAM-MD5 @cindex LOGIN @cindex STARTTLS
>   SJ> +@cindex TLS +@cindex SSL
>   SJ>  Many environments require SMTP clients to authenticate
>   SJ>  themselves before they are allowed to route mail via a server.
>   SJ>  The two following variables contains the authentication
>   SJ>  information needed for this.
>   SJ> @@ -220,10 +222,10 @@ that order if the server support both.
>   SJ>  The second variable, @code{smtpmail-starttls-credentials},
>   SJ>  instructs the SMTP library to connect to the server using
>   SJ>  STARTTLS.  This means the protocol exchange may be integrity
>   SJ>  protected and confidential by
>   SJ> -using TLS, and optionally also authentication of the client.
>   SJ> This -feature uses the elisp package @file{starttls.el} (see it
>   SJ> for more -information on customization), which in turn require
>   SJ> that at least one -of the following external tools are
>   SJ> installed: +using TLS, also known as SSL, and optionally also
>   SJ> authentication of +the client.  This feature uses the elisp
>   SJ> package @file{starttls.el} +(see it for more information on
>   SJ> customization), which in turn require +that at least one of the
>   SJ> following external tools are installed:
>  
>   SJ>  @enumerate @item
>
>
>
> I would modify this a bit -- TLS and SSL are not the same thing as you
> suggest. I would say explicitly what you have just described to me. 
>
> This means the protocol exchange may be integrity protected and
> confidential by using TLS, and optionally also authentication of the
> client.
>
> TLS is a secure, encrypted communication method which is compatible
> with SSL. In most cases where the system admins say that "SSL is
> required", TLS will work. 

I have installed this patch.

--- smtpmail.texi	06 Sep 2006 11:10:02 +0200	1.14
+++ smtpmail.texi	11 Sep 2006 15:53:01 +0200	
@@ -214,6 +214,7 @@
 Many environments require SMTP clients to authenticate themselves
 before they are allowed to route mail via a server.  The two following
 variables contains the authentication information needed for this.
+
 The first variable, @code{smtpmail-auth-credentials}, instructs the
 SMTP library to use a SASL authentication step, currently only the
 CRAM-MD5 and LOGIN mechanisms are supported and will be selected in
@@ -222,10 +223,17 @@
 The second variable, @code{smtpmail-starttls-credentials}, instructs
 the SMTP library to connect to the server using STARTTLS.  This means
 the protocol exchange may be integrity protected and confidential by
-using TLS, also known as SSL, and optionally also authentication of
-the client.  This feature uses the elisp package @file{starttls.el}
-(see it for more information on customization), which in turn require
-that at least one of the following external tools are installed:
+using the Transport Layer Security (TLS) protocol, and optionally also
+authentication of the client and server.
+
+TLS is a security protocol that is also known as SSL, although
+strictly speaking, SSL is an older variant of TLS.  TLS is backwards
+compatible with SSL.  In most mundane situations, the two terms are
+equivalent.
+
+The TLS feature uses the elisp package @file{starttls.el} (see it for
+more information on customization), which in turn require that at
+least one of the following external tools are installed:
 
 @enumerate
 @item
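Review bot: the new paragraph promises "authentication of the client and server", but nothing in the hunk says how the server half of that is established (whether the external tool checks the server's certificate, and against which trust anchors); without a sentence on that, readers will take a successful STARTTLS as proof of who they are talking to, which it is not on its own. The last + lines also still carry "which in turn require that at least one of the following external tools are installed"; "requires ... is installed".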

>   >> Finally, it doesn't seem to work on Windows. I spent three hours
>   >> with a debugger a couple of days ago -- I figured this was the
>   >> only way to see if I had the configuration right. It appears that
>   >> starttls.el uses Unix specific process handling, so won't work
>   >> with NTEmacs. I've been told that you can get this working with
>   >> cygwin by calling out to kill.exe which works around the
>   >> problem. Bit ugly! I realise that fixing this properly may take
>   >> some time, but updating the documentation would be relatively
>   >> quick!
>
>   SJ> I've seen it suggested that people have had success on Windows
>   SJ> using the starttls binary instead of gnutls-cli.  But I don't
>   SJ> really know what works under Windows, so I don't know how to
>   SJ> improve things here.
>
> The problem is with your process handling. 
>
> (signal-process (process-id process) 'SIGALRM)
>
> won't work.

Why not?  Wouldn't that be a bug in NTEmacs?

> If you are using the cygwin gnutls, then this can be faked using
> "kill" directly, but NTEmacs cannot send this signal, at least to my
> knowledge.

If "kill" can do it, then probably NTEmacs could too.  And NTEmacs
probably should do that, especially if `signal-process' doesn't do
anything useful at all under Windows.  However, some NTEmacs person
should answer this.

> I might try starttls, but in general, it's easier to have as few
> extraneous binaries as possible, hence the desire to use
>
> If TLS is compatible with SSL, would it not be possible to use the SSL
> binaries? As I say, the IMAP code works fine using SSL.

IMAP uses the same library, starttls.el, as SMTP.  So they are already
using the same tools.  Btw, IMAP uses TLS, strictly speaking.

>   >> At the moment, I have access to a non-TLS-based stream, but this
>   >> isn't going to last for ever. I suspect that many people are in
>   >> the same boat.
>
>   SJ> Right.  Many people have migrated to SMTP over TLS already.
>
>
> Yep. Once everywhere goes, I can no longer send email with Emacs. I
> spent 6 months on outlook this year and the experience was, er, less
> than optimal, shall I say. 

Many people have migrated to SMTP over TLS with Emacs too.  I remember
writing the first support for this in Emacs around 2000 to 2001
somewhere, and many used it successfully even back then.

/Simon


* Re: TLS SMTP encryption
  2006-09-11 14:00     ` Simon Josefsson
@ 2006-09-11 14:42       ` Phillip Lord
  0 siblings, 0 replies; 5+ messages in thread
From: Phillip Lord @ 2006-09-11 14:42 UTC (permalink / raw)




>>>>> "SJ" == Simon Josefsson <jas@extundo.com> writes:


  SJ> I've seen it suggested that people have had success on Windows
  SJ> using the starttls binary instead of gnutls-cli.  But I don't
  SJ> really know what works under Windows, so I don't know how to
  SJ> improve things here.
  >> 
  >> The problem is with your process handling.
  >> 
  >> (signal-process (process-id process) 'SIGALRM)
  >> 
  >> won't work.

  SJ> Why not?  Wouldn't that a bug in NTEmacs?

  >> If you are using the cygwin gnutls, then this can be faked using
  >> "kill" directly, but NTEmacs cannot send this signal, at least to
  >> my knowledge.

  SJ> If "kill" can do it, then probably NTEmacs could too.  And
  SJ> NTEmacs probably should do that, especially if `signal-process'
  SJ> doesn't do anything useful at all under Windows.  However, some
  SJ> NTEmacs person should answer this.


No. The "kill" in question is cygwin kill, which NTEmacs doesn't know
about. NTEmacs is a Windows process, so only knows how to send Windows
process signals. As far as I know, Windows doesn't do SIGALRM -- I
could be wrong. I try not to get this close to the OS wherever
possible. 



  >> I might try starttls, but in general, it's easier to have as few
  >> extraneous binaries as possible, hence the desire to use
  >> 
  >> If TLS is compatible with SSL, would it not be possible to use the
  >> SSL binaries? As I say, the IMAP code works fine using SSL.

  SJ> IMAP uses the same library, starttls.el, as SMTP.  So they are
  SJ> already using the same tools.  Btw, IMAP uses TLS, strictly
  SJ> speaking.


No, I don't think you are right. From the Gnus/imap documentation. 

        * "tls:" Connect through TLS.  Requires GNUTLS (the program
          `gnutls-cli').

        * "ssl:" Connect through SSL.  Requires OpenSSL (the program
          `openssl') or SSLeay (`s_client').


So, I am using OpenSSL not tls, nor gnutls-cli to communicate with my
IMAP server. The communication layer works fine here. Certainly, my
imap connections worked fine without gnutls-cli being installed. 




  >> Yep. Once everywhere goes, I can no longer send email with
  >> Emacs. I spent 6 months on outlook this year and the experience
  >> was, er, less than optimal, shall I say.

  SJ> Many people have migrated to SMTP over TLS with Emacs too, I
  SJ> remember writing the first support for this in Emacs around 2000
  SJ> to 2001 somewhere, and many used it successfully even back then.


Under windows?

Phil

