PMDF-TLS implements the Transport Layer Security (TLS) protocol of RFC 2246 for PMDF's servers and clients. Transport Layer Security is currently supported for:
PMDF-TLS provides an encrypted data stream between client and server, so that data exchanged between your system and a remote system over TLS is protected from others on the network. PMDF-TLS is compatible with SSL (Secure Sockets Layer) and therefore interoperates with SSL-enabled clients.
Because encryption is negotiated between the SMTP client and server at each session, no prior agreement is needed for an SMTP session to be secured cryptographically. PMDF-TLS-enhanced SMTP servers can "discover" other SMTP servers that support TLS and automatically create secure message paths. This provides MTA-to-MTA security, protecting the message path between endpoint messaging servers even where it crosses a potentially hostile network. Note that this opportunistic negotiation defeats passive eavesdropping only: an attacker who can tamper with the cleartext part of the session can suppress the server's STARTTLS advertisement and keep the exchange in cleartext, unless the connecting side is configured to require TLS.
You can configure PMDF to require that clients use encrypted connections to its servers, and this requirement can be restricted to connections from the external network if desired. This lets external users connect to internal messaging servers without weakening overall system security, for example through an Internet Service Provider's dial-in connections.
There are two modes of operation that PMDF-TLS supports:
- Connecting to a dedicated port number, on which TLS negotiation begins as soon as the TCP connection is established.
- Connecting to the service's usual port and issuing the STARTTLS command to begin TLS negotiation.
The only difference between the two modes is when the TLS negotiation happens; in both cases, once negotiation is complete, all subsequent data sent across the TCP connection is protected. Connecting to a dedicated port number is the more commonly used way to reach a TLS-enabled server. SMTP, IMAP, HTTP, and POP3 all have established ports for use with TLS (465, 993, 443, and 995, respectively). When a client connects to one of these ports (as configured in the Dispatcher configuration file), PMDF-TLS begins TLS negotiation immediately; once the negotiation is complete, the connection is handed to the service as usual.
When the STARTTLS command is used, the TCP connection is established on the usual port number (or an alternate port number if configured in the Dispatcher) and given to the service in the usual way. If TLS is available to the client, the server advertises STARTTLS as one of its available extensions. The client then issues the STARTTLS command; the server acknowledges the command and instructs the client to begin TLS negotiation. Again, once the negotiation is complete, the connection continues normally.
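The two connection modes and the STARTTLS exchange described above, as an added example in Python (not PMDF code and not from the original page). The client logic follows RFC 2487: EHLO, check that STARTTLS is advertised, send STARTTLS, expect a 220, run the handshake, then EHLO again. It is driven here by a constructed server script (ScriptedTransport, with made-up host names and reply texts) so it runs offline; SocketTransport is the same logic over a real socket using only the standard socket and ssl modules, with implicit_tls=True giving the dedicated-port mode. The require_tls policy is what turns a stripped STARTTLS advertisement into a refused session rather than a silent cleartext fallback.

```python
"""SMTP over TLS in both modes: dedicated port (handshake first) or the
normal port upgraded with STARTTLS (RFC 2487).  Added illustration, not
PMDF code; the transport is abstracted so the exchange can be exercised
offline against a constructed server script."""
import re
import socket
import ssl

_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")   # "250-STARTTLS" or "250 OK"


def read_reply(lines):
    """Collect one (possibly multi-line) SMTP reply -> (code, [text, ...])."""
    code, texts = None, []
    for raw in lines:
        m = _REPLY_RE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError(f"malformed SMTP reply line: {raw!r}")
        line_code, sep, text = m.groups()
        if code is None:
            code = int(line_code)
        elif int(line_code) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        texts.append(text)
        if sep == " ":                       # space after the code: last line
            return code, texts
    raise ValueError("connection closed in the middle of a reply")


def negotiate_starttls(conn, helo_name, require_tls):
    """Drive a fresh SMTP session up to a secured channel.

    Returns True once TLS is active, False if the session stays in cleartext
    (only allowed when require_tls is False).  With require_tls=True a server
    that does not advertise STARTTLS, or rejects it, aborts the session; that
    is the only defence against an attacker who strips the advertisement.
    """
    code, _ = conn.recv_reply()
    if code != 220:
        raise RuntimeError(f"unexpected greeting {code}")
    conn.send_line(f"EHLO {helo_name}")
    code, lines = conn.recv_reply()
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}")
    # first line is the server's own name; the rest are extension keywords
    offered = {ln.split()[0].upper() for ln in lines[1:] if ln.strip()}
    if "STARTTLS" not in offered:
        if require_tls:
            raise RuntimeError("STARTTLS not offered; refusing cleartext")
        return False
    conn.send_line("STARTTLS")
    code, _ = conn.recv_reply()
    if code != 220:
        if require_tls:
            raise RuntimeError(f"STARTTLS refused with {code}")
        return False
    conn.start_tls()                      # handshake; everything after is encrypted
    conn.send_line(f"EHLO {helo_name}")   # RFC 2487: discard pre-TLS state, re-EHLO
    code, _ = conn.recv_reply()
    if code != 250:
        raise RuntimeError(f"EHLO after STARTTLS rejected with {code}")
    return True


class ScriptedTransport:
    """Offline stand-in for a socket: replies come from constructed data."""
    def __init__(self, greeting, replies):
        self._pending = list(greeting)      # lines waiting to be read
        self._replies = replies             # SMTP verb -> reply lines
        self.tls_active = False
        self.sent = []                      # (tls_active, command) per command sent

    def send_line(self, line):
        self.sent.append((self.tls_active, line))
        self._pending = list(self._replies[line.split()[0].upper()])

    def recv_reply(self):
        reply = read_reply(iter(self._pending))
        self._pending = []
        return reply

    def start_tls(self):
        self.tls_active = True              # stands in for the real handshake


class SocketTransport:
    """Real transport: plain TCP, wrapped in TLS at once (dedicated-port
    mode, implicit_tls=True) or later by start_tls() (STARTTLS mode)."""
    def __init__(self, host, port, implicit_tls=False, timeout=10):
        self.host = host
        self.sock = socket.create_connection((host, port), timeout)
        self._file = None
        if implicit_tls:
            self.start_tls()                # e.g. port 465: handshake before any SMTP

    def send_line(self, line):
        self.sock.sendall(f"{line}\r\n".encode("ascii"))

    def recv_reply(self):
        if self._file is None:
            self._file = self.sock.makefile("r", encoding="ascii", newline="\r\n")
        return read_reply(self._file)

    def start_tls(self):
        ctx = ssl.create_default_context()  # verifies the chain and the host name
        self.sock = ctx.wrap_socket(self.sock, server_hostname=self.host)
        self._file = None                   # old read buffer belonged to the plain socket
```

Against a real server the usage is `negotiate_starttls(SocketTransport("mail.example.net", 25), "client.example.org", require_tls=True)`; for the dedicated-port mode, construct `SocketTransport(host, 465, implicit_tls=True)` and carry on with the normal SMTP dialogue, since the handshake has already happened.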
In addition to TLS support for the SMTP, POP, HTTP, IMAP, and LDAP services, PMDF-TLS includes a set of utilities that support PMDF secure messaging:
- tls_certreq - generates a public/private key pair and a certificate request.
- tls_certdump - decodes the binary files that contain the certificates used by PMDF.
- tls_ciphers - lists the ciphers available for use with PMDF-TLS.
Related standards:

RFC 2246  The TLS Protocol Version 1.0
RFC 2487  SMTP Service Extension for Secure SMTP over TLS
RFC 2459  Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC 2595  Using TLS with IMAP, POP3, and ACAP
PMDF-TLS supports the encryption algorithms commonly used with TLS 1.0, with public-key (RSA) sizes up to 1024 bits; the symmetric cipher keys negotiated for the session are necessarily shorter. By current standards both TLS 1.0 (deprecated by RFC 8996) and 1024-bit RSA keys are considered inadequate, so check the output of tls_ciphers against present-day guidance before relying on them.
PMDF-TLS supports any valid OpenVMS or Linux configuration.
One of the following operating system environments is required: