From: markus schnalke <meillo@marmaro.de>
To: <masqmail@marmaro.de>
Date: Wed, 14 Jul 2010 00:53:47 +0200
To understand the openssl wrapper stuff
Hoi,
I'm currently digging into encryption for outgoing connections. Here,
I want to share some knowledge that I gained from my research.
There are two main approaches to encrypt SMTP:
1) The old one: SSL-encrypted connections to port 465. This was called
SSMTP and SMTPS and is now deprecated.
2) The new one: STARTTLS (RFC-3207). Unencrypted connections to port
25 that begin to be encrypted on issuing the SMTP command STARTTLS.
(This approach can also be used on the SMTP submission port 587.)
Currently, masqmail only supports the first approach by defining an
openssl wrapper in the route file. Like:
wrapper = "/usr/bin/openssl s_client -quiet -crlf
-connect mail.gmx.net:465 2>/dev/null"
This is known to work.
(btw: -quiet disables openssl's special handling of lines matching
/^[RQ]/.)
The second approach could be supported with such a wrapper:
wrapper = "/usr/bin/openssl s_client -quiet -crlf -starttls smtp
-connect mail.gmx.net:25 2>/dev/null"
Unfortunately, this doesn't work yet. The problem is that openssl eats
the 220 greeting. Masqmail does get an open connection, but it does
not get informed that it is open now.
If masqmail would just say EHLO, then everything is fine.
Solutions could be:
- always just say EHLO, when a wrapper is used. (No matter if there is
a greeting.)
- add a config option to not wait for a greeting and just say EHLO.
I plan to work on this in the next days.
Further info to understand the topic:
http://www.madboa.com/geek/openssl/#cs-smtp
http://sial.org/howto/openssl/tls-name/
@phil:
mail.uni-ulm.de does not listen on port 465, hence masqmail cannot
provide encrypted connections to it, currently. For the other host,
you need to ensure to have the openssl parameter `-quiet' specified. I
think this is missing. Then take approach number one.
meillo
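The situation described in the mail, as an added example (this is not masqmail code and not from the list): a minimal SMTP session opener that reads replies, sends EHLO and returns the advertised extensions. The `wait_for_greeting` flag models the proposed config option; its name, the host names and the server transcripts are constructed for the example. A direct connection begins with the 220 greeting, while the stream handed over by `openssl s_client -starttls smtp` does not, because s_client has already consumed the greeting and performed its own EHLO/STARTTLS before the TLS session starts. The last function shows the alternative the mail mentions, a native RFC 3207 STARTTLS upgrade with the certificate and host name verified by Python's default TLS context; it needs a real server and is not part of the offline demo.

```python
import io
import socket
import ssl


class SMTPError(Exception):
    pass


def read_reply(reader):
    """Read one (possibly multi-line) SMTP reply; return (code, [text lines]).

    Continuation lines look like '250-SIZE 10240000', the final line '250 HELP'.
    """
    code = None
    texts = []
    while True:
        raw = reader.readline()
        if not raw:
            raise SMTPError("connection closed before a complete reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise SMTPError("malformed reply line: %r" % line)
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise SMTPError("inconsistent codes in multi-line reply")
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, texts


def open_session(reader, writer, helo_name, wait_for_greeting=True):
    """Optionally wait for the 220 greeting, then EHLO; return the extensions."""
    if wait_for_greeting:
        code, _ = read_reply(reader)
        if code != 220:
            raise SMTPError("expected 220 greeting, got %d" % code)
    writer.write(("EHLO %s\r\n" % helo_name).encode("ascii"))
    writer.flush()
    code, texts = read_reply(reader)
    if code != 250:
        raise SMTPError("EHLO rejected with %d" % code)
    # texts[0] is the server's own name; the rest are extension keywords.
    return {t.split()[0].upper() for t in texts[1:] if t}


# Constructed transcripts (not captured from any real server).
# Direct TCP connection to port 25: the greeting is the first thing we see.
DIRECT = (b"220 mail.example.net ESMTP\r\n"
          b"250-mail.example.net\r\n"
          b"250-STARTTLS\r\n"
          b"250 8BITMIME\r\n")

# Stream as seen through `openssl s_client -starttls smtp`: the greeting and
# the first EHLO exchange were consumed by openssl; the server is now inside
# TLS and waits for our (second) EHLO, so nothing arrives until we send it.
WRAPPED = (b"250-mail.example.net\r\n"
           b"250-AUTH PLAIN LOGIN\r\n"
           b"250 8BITMIME\r\n")


def session_or_error(transcript, wait_for_greeting):
    """Run open_session against a canned transcript; never raise."""
    try:
        exts = open_session(io.BytesIO(transcript), io.BytesIO(),
                            "client.example.org", wait_for_greeting)
        return ("ok", exts)
    except SMTPError as e:
        return ("error", str(e))


def connect_starttls(host, port, helo_name, timeout=30):
    """Native STARTTLS (RFC 3207) instead of the openssl wrapper.

    Verifies the server certificate chain and host name via the default
    context. Returns (tls_socket, extensions advertised after the upgrade).
    """
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    rd, wr = sock.makefile("rb"), sock.makefile("wb")
    if "STARTTLS" not in open_session(rd, wr, helo_name):
        sock.close()
        raise SMTPError("server does not offer STARTTLS")
    wr.write(b"STARTTLS\r\n")
    wr.flush()
    code, _ = read_reply(rd)
    if code != 220:
        sock.close()
        raise SMTPError("STARTTLS refused with %d" % code)
    rd.close()
    wr.close()  # closes the file wrappers only, not the socket
    tls = ctx.wrap_socket(sock, server_hostname=host)
    # After the handshake the client must EHLO again and discard everything
    # learnt in the clear (RFC 3207 section 4.2); there is no new greeting.
    return tls, open_session(tls.makefile("rb"), tls.makefile("wb"),
                             helo_name, wait_for_greeting=False)


if __name__ == "__main__":
    print(session_or_error(DIRECT, True))
    print(session_or_error(WRAPPED, True))   # fails: no greeting to wait for
    print(session_or_error(WRAPPED, False))  # works: EHLO sent immediately
```

Running the demo shows the second case failing with "expected 220 greeting": with a real pipe it would not fail but hang, since the server says nothing until it gets EHLO. Skipping the greeting for wrapped connections is what makes the third case work, and it is also the correct behaviour after a native TLS upgrade, where the server likewise sends no second greeting.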