Send email secure (or not)

Email is sent with the Simple Mail Transfer Protocol (SMTP). It was invented back in the day (1982) when the Internet was run by people with the best intentions and security was not needed, or perceived as not necessary. When you send an email, the text, headers, email addresses, etc. are sent over the Internet in plain text (human readable). See http://www.freesoft.org/CIE/RFC/821/31.htm for an example.

Anyone that has access to the data stream (free WiFi is not your friend) can in theory read your emails. Not a safe way of using email. What we need is a solution that will hide your emails from prying eyes. Cryptography to the rescue!

Most modern email providers like Gmail support Transport Layer Security (TLS). TLS encrypts all the network traffic, making it unintelligible to anyone listening in. For SMTP this is called STARTTLS: the SMTP extension with which the mail client and mail server negotiate an upgrade of the plain-text connection to TLS. Normally a user cannot choose to use STARTTLS; it is up to the mail server (administrator) to decide how to handle the SMTP traffic. Because of the move of the Internet to encrypt everything, it is only a matter of time before STARTTLS will be the normal way of sending email.

To check if an email server supports TLS (STARTTLS) you can use the tlschk Linux shell script (listed below).

# tlschk -d schiphol.nl
TLS check for SMTP server for domain schiphol.nl, hang on this could take a while....
schiphol-nl.mail.protection.outlook.com. version is TLSv1.2
email4.schiphol.nl. version is not available or TLS not supported
email5.schiphol.nl. version is not available or TLS not supported
domain schiphol.nl ready.

When a TLSv1.x version is returned, STARTTLS (TLS) is supported.

#!/bin/bash
# tlschk - check whether the MX hosts of a mail domain support STARTTLS.
# nslookup & openssl must be installed!
OPTIND=1 # Reset in case getopts has been used previously in the shell.
DOMAINNAME=""
PRGNAME=${0##*/}

function showHelp {
	echo "$PRGNAME -d <mail domain>"
	echo "Example: $PRGNAME -d gmail.com"
}

while getopts "h?d:" opt; do
	case "$opt" in
	h|\?)
		showHelp
		exit 0
		;;
	d)
		DOMAINNAME=$OPTARG
		;;
	esac
done

shift $((OPTIND-1))

[ "$1" = "--" ] && shift

if [ -z "${DOMAINNAME}" ]; then
	showHelp
	exit 1
fi

# tell what domain will be checked
echo "TLS check for SMTP server for domain $DOMAINNAME, hang on this could take a while...."
# find the MX records; every MX host of the domain is checked in turn.
# nslookup prints "<domain>  mail exchanger = <priority> <host>.", so the host is the last field.
MXLIST=$(nslookup -query=mx "$DOMAINNAME" | grep "mail exchanger" | awk '{print $NF}')

if [ -z "${MXLIST}" ]; then
	echo "no MX record found for domain $DOMAINNAME"
	exit 1
fi

for mxrec in $MXLIST
do
	#echo "checking MX record $mxrec"
	# "Q" on its own line makes s_client close the session right after the handshake;
	# the "Protocol  :" line of the session summary carries the negotiated TLS version.
	OUTPUT=$(echo "Q" | openssl s_client -starttls smtp -crlf -connect "$mxrec:25" 2>/dev/null | tr -d ' ' | grep 'Protocol:' | cut -d ':' -f2)
	if [ -z "${OUTPUT}" ]; then
		echo "$mxrec version is not available or TLS not supported"
	else
		echo "$mxrec version is $OUTPUT"
	fi
done
echo "domain $DOMAINNAME ready."
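The script above leaves the STARTTLS negotiation to openssl. The example below, added here and not part of the blog's tlschk script, shows the negotiation step itself: an SMTP client sends EHLO, and only if the server's reply lists the STARTTLS extension can the connection be upgraded to TLS. The EHLO replies are constructed samples (hosts under example.test, not real servers), so the parsing and the "what do we do when STARTTLS is missing" decision run offline; probe_mx() does the same check live with Python's smtplib and assumes the MX host is reachable on port 25.

```python
"""Detect whether an SMTP server offers STARTTLS, and upgrade when it does.

Added example, not the blog's tlschk script. The EHLO replies below are
constructed, not captured from any real server.
"""
import smtplib
import ssl

# Constructed EHLO replies in RFC 5321 format: continuation lines are
# "250-...", the final line is "250 ...".
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Turn a raw multi-line EHLO reply into {EXTENSION: parameters}.

    The first line is the server greeting, not an extension, and is skipped.
    Extension keywords are case-insensitive, so they are normalised to upper case.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply: %r" % reply[:40])
    exts = {}
    for ln in lines[1:]:
        if len(ln) < 4 or ln[:3] != "250" or ln[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % ln)
        body = ln[4:].strip()
        if not body:
            continue
        name, _, params = body.partition(" ")
        exts[name.upper()] = params
    return exts


def starttls_offered(reply: str) -> bool:
    """True when the server advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def decide_transport(reply: str, require_tls: bool = True) -> str:
    """Return 'tls', 'plaintext' or 'abort' for the given EHLO reply.

    A client that quietly falls back to plain text whenever STARTTLS is not
    advertised sends the message in the clear in exactly that case, so the
    safe default is to refuse rather than to fall back.
    """
    if starttls_offered(reply):
        return "tls"
    return "abort" if require_tls else "plaintext"


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live counterpart of the blog's check (assumes `host` accepts SMTP on `port`).

    Returns the negotiated TLS version (e.g. 'TLSv1.3') or a short reason.
    The default SSL context verifies the certificate and hostname, so a
    certificate that does not match the MX name is reported, not accepted.
    """
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return "TLS not supported"
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities must be re-read after the upgrade
            return smtp.sock.version()
    except ssl.SSLError as exc:
        return "TLS handshake failed: %s" % exc
    except (OSError, smtplib.SMTPException) as exc:
        return "connection failed: %s" % exc


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python starttls_check.py mx.example.test
        print(sys.argv[1], "version is", probe_mx(sys.argv[1]))
    else:
        for label, reply in (("offered", EHLO_WITH_STARTTLS),
                             ("absent", EHLO_WITHOUT_STARTTLS)):
            print(label, parse_ehlo(reply), decide_transport(reply))
```

Run without arguments to see the two constructed replies parsed and the resulting decision ('tls' for the first, 'abort' for the second); pass an MX hostname as the only argument to repeat the blog's live check from Python. The point of decide_transport() is the caveat behind the blog's "it is up to the mail server": the client only learns about TLS from the EHLO reply, so a sending application should treat a missing STARTTLS line as a failure when confidentiality is required instead of silently continuing in plain text.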
