Avoid SSL errors caused by confusion between SSL, TLS and STARTTLS

ISPs often publish their SSL settings like in this example:
Outgoing mail server (SMTP)
SMTP.1und1.de
Port for SSL 465
Port for TLS 587

From the above, it looks like SSL and TLS operate on different ports. But this is WRONG.

Consider TLS simply as a newer version of SSL. It operates on the same ports, is activated with the same SMTP and IMAP commands, and so on. In MailBee.NET, the only place where you choose between SSL and TLS explicitly is the SslProtocol property of a mail server settings class (such as SmtpServer, Imap or Pop3). The default value of this property is SecurityProtocol.Auto, which means MailBee.NET will use the most secure protocol supported by the mail server (usually TLS).

Sometimes the server does not support auto-selection of the best available protocol, and then you will need to set it manually to SecurityProtocol.Tls1. Nowadays there is virtually no case where you should set SecurityProtocol.Ssl2 or SecurityProtocol.Ssl3; these protocols are now considered vulnerable.

In many cases, if you do something like this, you will get an error because the SSL3 protocol is disabled on the server:

using MailBee.SmtpMail;   // Smtp, SmtpServer
using MailBee.Security;   // SecurityProtocol

Smtp mailer = new Smtp();
SmtpServer server = new SmtpServer("mail.server.com");
server.Port = 465;
server.SslProtocol = SecurityProtocol.Ssl3; // SSL3 is forced here: modern servers reject it
mailer.SmtpServers.Add(server);

The correct one would be:

using MailBee.SmtpMail;   // Smtp, SmtpServer
using MailBee.Security;   // SecurityProtocol

Smtp mailer = new Smtp();
SmtpServer server = new SmtpServer("mail.server.com");
server.Port = 465;
server.SslProtocol = SecurityProtocol.Tls1; // TLS (or leave the default, SecurityProtocol.Auto)
mailer.SmtpServers.Add(server);

So what about the TLS port 587? Actually, this means the STARTTLS port, not a TLS port. STARTTLS is not a protocol; it is an IMAP/SMTP command used to convert an existing regular (plain-text) port connection into a secure one. This command, however, does not enforce the TLS protocol for the secure connection. The connection will use SSL2, SSL3, TLS1 or Auto according to the SslProtocol property value, exactly the same way as when you connect to a dedicated SSL port such as 465 for SMTP or 993 for IMAP.

In the particular case of SMTP port 587, this port is a normal (non-secure) SMTP port on which one can issue a STARTTLS command to make the connection secure. With many ISPs, the same can be done on port 25 as well.

It would be better if SMTP and IMAP protocol creators named this command STARTSECURE or something like that, with no SSL or TLS in its name.
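To make the distinction between a dedicated SSL port and a STARTTLS port concrete, here is an added C# example written for this edit; it is not code from the original post or from the MailBee.NET documentation. It assumes that SmtpServer has an SslMode property of type SslStartupMode with OnConnect and UseStartTls values alongside the SslProtocol property shown above, that SecurityProtocol and SslStartupMode live in the MailBee.Security namespace, and that MailBeeException is the library's base exception type; the host name, credentials and addresses are placeholders, and setting Smtp.LicenseKey is left out.

```csharp
// Added example, not from the original post or the MailBee.NET vendor.
// Assumed API: SmtpServer.SslMode (SslStartupMode.OnConnect / UseStartTls),
// MailBee.Security namespace, MailBeeException. Host, credentials and addresses
// are placeholders; Smtp.LicenseKey must be set separately in a real deployment.
using System;
using MailBee;
using MailBee.SmtpMail;
using MailBee.Security;

static class SmtpSecurityExample
{
    // Derive the SSL startup mode from the port, so that an ISP's "SSL port" /
    // "TLS port" wording no longer leaks into the choice of protocol version.
    //   465       -> implicit SSL/TLS: handshake right after the TCP connect
    //   587 or 25 -> plain SMTP first, then upgrade with the STARTTLS command
    // The protocol version (SslProtocol) is chosen separately and applies to both modes.
    static SmtpServer BuildServer(string host, int port, SecurityProtocol protocol)
    {
        SmtpServer server = new SmtpServer(host, "user@example.com", "PLACEHOLDER_PASSWORD");
        server.Port = port;
        server.SslProtocol = protocol;   // Auto (preferred) or Tls1; never Ssl2 / Ssl3

        switch (port)
        {
            case 465:
                server.SslMode = SslStartupMode.OnConnect;   // dedicated "SSL" port
                break;
            case 587:
            case 25:
                server.SslMode = SslStartupMode.UseStartTls; // "TLS" port really means STARTTLS
                break;
            default:
                throw new ArgumentException("Unexpected SMTP port: " + port);
        }
        return server;
    }

    // Send one test message; returns false when the secure connection cannot be set up.
    static bool TrySend(SmtpServer server)
    {
        Smtp mailer = new Smtp();
        mailer.SmtpServers.Add(server);
        mailer.Message.From.AsString = "user@example.com";
        mailer.Message.To.AsString = "recipient@example.com";
        mailer.Message.Subject = "TLS configuration check";
        mailer.Message.BodyPlainText =
            "Sent on port " + server.Port + " with " + server.SslMode + " / " + server.SslProtocol;
        try
        {
            mailer.Send();
            return true;
        }
        catch (MailBeeException ex)
        {
            // A server with SSL3 disabled fails here during negotiation, on 465 and 587 alike.
            Console.WriteLine("Send failed on port {0}: {1}", server.Port, ex.Message);
            return false;
        }
    }

    static void Main()
    {
        // Same protocol selection, two different startup modes: both should succeed.
        TrySend(BuildServer("mail.server.com", 465, SecurityProtocol.Auto));
        TrySend(BuildServer("mail.server.com", 587, SecurityProtocol.Auto));

        // The misconfiguration the post warns about: forcing SSL3 fails on a modern
        // server regardless of whether the connection starts on 465 or is upgraded on 587.
        TrySend(BuildServer("mail.server.com", 465, SecurityProtocol.Ssl3));
    }
}
```

The point of BuildServer is that the port decides only when the handshake happens (immediately, or after STARTTLS), while SslProtocol decides which version is negotiated; keeping it at SecurityProtocol.Auto lets the server and client agree on the newest version both support.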
