Subject: Re: [courier-users] Courier + TLS/SSL question
From: Sam Varshavchik (mrs@courier-mta.com)
Date: Nov 21, 2007 3:22:54 pm
List: net.sourceforge.lists.courier-users

Plamen Petrov writes:

> Sam Varshavchik wrote:
>
>> Plamen Petrov writes:
>>
>>> Hi, MrSam!
>>>
>>> I'm trying to switch Courier's plain communication with their TLS/SSL equivalents... Now, as I understand it, TLS is the best among them; next is SSL3, and last - SSL2. From what I've read, I understand there are some provisions for the newer protocols to fall back to the older ones. I understand it is not Courier's fault when I have errors like "courieresmtpd: courieresmtpd: STARTTLS failed: couriertls: accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number" in the logs, but... What is the proper way to do things, concerning Courier and TLS/SSL? Is there a way to configure the fallback so instead of the above error in the log, Courier would try TLS -> SSL3 -> SSL2?
>>
>> This is a limitation in OpenSSL. OpenSSL supports SSL3 with a fallback to SSL2, or TLS1. There is no facility in OpenSSL to have TLS with a fallback to SSL3.
>>
>> GnuTLS is more flexible, however GnuTLS does not implement SSL2 as it's considered an obsolete protocol. GnuTLS implements TLS 1.1, TLS 1.0 and SSL3 only, and you can have a full fallback capability between them.
>
> Thanks! Another quick question then: is it possible for one to have both OpenSSL and GnuTLS side-by-side, and tell Courier to use GnuTLS?

GnuTLS support in Courier is relatively new and is only in the development build now. You must decide at compile time whether to use OpenSSL, or GnuTLS.