TLS & STARTTLS support about hydroxide HOT 14 CLOSED

Depends if you control completely the server, e.g. if it's in your home on your hardware.

from hydroxide.

No, a plain TLS proxy should work as well. Just need to configure your email clients to use TLS instead of STARTTLS.

from hydroxide.

wouldn't this completely kill the privacy and security benefits from using a service like Protonmail?

from hydroxide.

I would like to have a bridge that I can access over a VPN connection. So I can use a different mail client on my iPhone and iPad rather than the protonmail app.

So far I get SMTP to work but not IMAP.

Neither with Hydroxide or the original bridge.

I tried doing a reverse SSH tunnel mapping the port to the VPN server that way... for SMTP this works but IMAP does not.

from hydroxide.

+1 on this

from hydroxide.

Besides the TLS/StartTLS, I thought deploying it on a server to be remotely accessed was already a possibility.

from hydroxide.

Yes, this already works. But right now you'll need to setup a proxy to wrap connections with TLS if you want to access the server remotely.

from hydroxide.

Oh, thanks! This would be why I'm having issues connecting remotely.

from hydroxide.

Re the reverse proxy offload of TLS - I think it can only be one that supports STARTTLS or has some kind of advanced features. I've been digging around trying to get Traefik to work and it seems only Nginx is capable of reverse proxy for IMAP and SMTP.

from hydroxide.

How does one use such a plain TLS proxy? I'm looking to route a sourcehut smtp through hydroxide, but sourcehut expects a STARTTLS response. Running on the same server so nothing fancy.

from hydroxide.

How does one use such a plain TLS proxy? I'm looking to route a sourcehut smtp through hydroxide, but sourcehut expects a STARTTLS response. Running on the same server so nothing fancy.

If they're on the same server and you're confident it's secure then you don't need TLS. TLS on the same host is only to protect from other applications snooping on your messages. If it's not routing through the open web it's not exposed. Are you saying sourcehut doesn't support plain SMTP (no TLS)? If that's the case then you'll need a STARTTLS-capable reverse proxy.

from hydroxide.

smtplib.SMTPNotSupportedError: STARTTLS extension not supported by server.
It uses smtplib of python and part of the initial connection to the smtp mail server is smtp.starttls() https://git.sr.ht/~sircmpwn/core.sr.ht/tree/master/item/srht/email.py#L118

from hydroxide.

Looks like you are going to need a reverse proxy running TCP TLS termination. These look pretty on point

• https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/
• https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/

from hydroxide.

Thanks! I'll check them out.

from hydroxide.