Does Verizon's SMTP actually use TLS?
bilditup1
Enthusiast - Level 2

I've been led to believe that Verizon's SMTP service at smtp.verizon.net:465 only uses SSL, based on the configuration instructions here for Outlook, as well as my own experience when trying to specify TLS over port 465. However, when I tried connecting to the SMTP server via stunnel, it reports that it established a TLSv1.1 connection:

2015.06.28 01:00:04 LOG7[7362]: SSL state (connect): SSLv3 read finished A
2015.06.28 01:00:04 LOG7[7362]:    2 items in the session cache
2015.06.28 01:00:04 LOG7[7362]:    2 client connects (SSL_connect())
2015.06.28 01:00:04 LOG7[7362]:    2 client connects that finished
2015.06.28 01:00:04 LOG7[7362]:    0 client renegotiations requested
2015.06.28 01:00:04 LOG7[7362]:    0 server connects (SSL_accept())
2015.06.28 01:00:04 LOG7[7362]:    0 server connects that finished
2015.06.28 01:00:04 LOG7[7362]:    0 server renegotiations requested
2015.06.28 01:00:04 LOG7[7362]:    0 session cache hits
2015.06.28 01:00:04 LOG7[7362]:    0 external session cache hits
2015.06.28 01:00:04 LOG7[7362]:    0 session cache misses
2015.06.28 01:00:04 LOG7[7362]:    0 session cache timeouts
2015.06.28 01:00:04 LOG6[7362]: SSL connected: new session negotiated
2015.06.28 01:00:04 LOG6[7362]: Negotiated TLSv1.1 ciphersuite DHE-RSA-AES256-SHA (256-bit encryption)

Is this a quirk in stunnel, or does Verizon actually use TLSv1.1 exclusively? If so, then why does specifying TLS in Outlook directly result in a failure to connect? Given that SSLv3 is insecure, I think it's important to get TLS working for everybody. In the meantime, some clarity on all this would be nice.

1 Solution
tns2
Community Leader

I don't know if they still allow SSL v3 or not. But like many, they probably negotiate for various levels of security to find what your system accepts. Usually using the most secure that they also accept. Looks like at least TLS 1.1 is accepted.

bilditup1
Enthusiast - Level 2

Aha, so then I suppose it's a client issue with Outlook. Truth be told, putting Verizon's outgoing servers into Postfix also does not directly work, because it assumes port 465 is SSL without even checking, and doesn't support SSLv3 for relays. So I guess what we're seeing is just quirky design decisions then. Thanks for clarifying.

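Added example, not part of the thread: a small Python parser for stunnel debug logs in the format quoted in the question. It reports the protocol from the `Negotiated` line, which is the version actually in use, and separately lists protocol names that appear only in the `SSL state` handshake trace (OpenSSL of that era prefixes those state names with `SSLv3` during TLS handshakes as well). The function name and the `TLSv1.2` policy floor are assumptions.

```python
import re

# Protocol names as stunnel prints them, weakest to strongest.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Handshake state trace, e.g. "LOG7[7362]: SSL state (connect): SSLv3 read finished A"
STATE = re.compile(r"LOG\d\[(\d+)\]: SSL state \((?:connect|accept)\): (\S+) ")
# Result line, e.g. "LOG6[7362]: Negotiated TLSv1.1 ciphersuite ... (256-bit encryption)"
NEGOTIATED = re.compile(
    r"LOG\d\[(\d+)\]: Negotiated (\S+) ciphersuite (\S+) \((\d+)-bit encryption\)")

# Constructed sample in the format of the log quoted in the question.
SAMPLE_LOG = """\
2015.06.28 01:00:04 LOG7[7362]: SSL state (connect): SSLv3 read finished A
2015.06.28 01:00:04 LOG6[7362]: SSL connected: new session negotiated
2015.06.28 01:00:04 LOG6[7362]: Negotiated TLSv1.1 ciphersuite DHE-RSA-AES256-SHA (256-bit encryption)
"""

def audit_stunnel_log(text, minimum="TLSv1.2"):
    """Return one dict per negotiated session; `minimum` is an assumed policy floor."""
    floor = PROTOCOLS.index(minimum)
    trace = {}      # pid -> protocol names seen in state-trace lines
    sessions = []
    for line in text.splitlines():
        m = STATE.search(line)
        if m:
            if m.group(2) in PROTOCOLS:
                trace.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = NEGOTIATED.search(line)
        if not m:
            continue
        pid, proto, cipher, bits = m.groups()
        # Unknown protocol names rank below everything, so they fail the check.
        rank = PROTOCOLS.index(proto) if proto in PROTOCOLS else -1
        sessions.append({
            "pid": int(pid),
            "protocol": proto,          # the version actually in use
            "cipher": cipher,
            "bits": int(bits),
            "below_floor": rank < floor,
            # State-trace names that differ from the negotiated protocol.
            "trace_only_labels": sorted(trace.pop(pid, set()) - {proto}),
        })
    return sessions

if __name__ == "__main__":
    for session in audit_stunnel_log(SAMPLE_LOG):
        print(session)
```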