STARTTLS(8) System Manager's Manual STARTTLS(8)

starttlsESMTP over TLS/SSL

STARTTLS is an ESMTP option, defined in RFC 3207, which is used to conduct ESMTP transactions over TLS circuits. This is used to increase the security of mail server transactions.

STARTTLS allows for the combination of several security solutions for MTA (mail transport agent) level services through the TLS suite. These security features include:

Confidentiality
Encryption is used to protect data from passive monitoring.
Integrity
Hash algorithms are used to ensure the integrity of the transmitted data. This protects data from modification in transit.
Authentication
The use of public key encryption allows for the strong authentication of either, or both, communicating parties. This can be used to allow for select features, such as relaying, to be controlled more securely.

A new ESMTP option, STARTTLS, has been added. This is presented by the server when an ESMTP session is initiated. The client then begins the TLS portion of the ESMTP session by issuing the command “STARTTLS”. The remaining portion of the ESMTP session occurs over a TLS channel.

This example assumes you are creating your own self-signed certificates for use with smtpd(8) and STARTTLS. If you have an existing private key and you simply wish to generate a new certificate (for example, if your old certificate has expired), see the section entitled Creating a certificate with an existing private key.

For the purposes of this example the certificates will be stored in /etc/ssl, though it is possible to use a different directory if needed.

Next, you must generate an RSA private key:

# openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096

This would generate a 4096-bit RSA key stored in the file mail.example.com.key.

Once you have generated the RSA key, you can generate a self-signed certificate from it using the command:

# openssl req -x509 -new -key /etc/ssl/private/mail.example.com.key \
  -out /etc/ssl/mail.example.com.crt -days 365

You may adjust the lifetime of the certificate via the -days parameter (one year in this example).

You can verify that the newly-generated certificate has correct information with the following command:

# openssl x509 -in /etc/ssl/mail.example.com.crt -text

It is better to configure and use acme-client(1) to obtain a signed certificate.

Because the private key files are unencrypted, MTAs can be picky about using tight permissions on those files. The certificate directory and the files therein should be readable and writable only by the owner (root). A simple way to ensure this is to run the following:

# chmod -R go-rwx /etc/ssl/private

This example assumes you already have an existing private key, /etc/ssl/private/mail.example.com.key. You can generate a new certificate based on this key using the command:

# openssl req -x509 -new -key /etc/ssl/private/mail.example.com.key \
  -out /etc/ssl/mail.example.com.crt -days 365
# chmod 600 /etc/ssl/mail.example.com.crt

You may adjust the lifetime of the certificate via the -days parameter (one year in this example).

After having installed the certificates, the mail server needs to be configured to accept TLS sessions and use the key and certificate. For smtpd(8), it's as simple as adding pki configuration to smtpd.conf(5):

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

listen on [...] tls pki mail.example.com auth

After restarting the mail server, a new option should be presented for ESMTP transactions, STARTTLS. You can test this by connecting to the local host and issuing the “EHLO” command.

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP OpenSMTPD
EHLO localhost

After typing , you should receive something like the following back.

250-localhost Hello localhost [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-STARTTLS
250 HELP

You should see “STARTTLS” listed along with the other options. If so, congratulations, the MTA will now use TLS to encrypt your mail traffic when the remote server supports it. If not, check /var/log/maillog to see whether the MTA has reported any security problems or other errors.

The most obvious use of a cryptographically enabled MTA is for confidentiality of the electronic mail transaction and the integrity checking provided by the cipher suite. All traffic between the two mail servers is encrypted, including the sender and recipient addresses. TLS also allows for authentication of either or both systems in the transaction.

One use of public key cryptography is for strong authentication. We can use this authentication to selectively relay clients, including other mail servers and mobile clients like laptops. However, there have been some problems getting some mail clients to work using certificate-based authentication. Clients will have to generate certificates and have them signed (for trust validation) by a trusted CA (certificate authority).

mail(1), openssl(1), smtpd(8), ssl(8)

P. Hoffman, SMTP Service Extension for Secure SMTP over Transport Layer Security, RFC 3207, February 2002.

Because TLS can only authenticate at the server level, true end-to-end authentication of the mail message cannot be performed with only the use of STARTTLS on the server. The use of S/MIME or PGP email and trustworthy key hierarchies can guarantee full confidentiality and integrity of the entire message path.

OpenBSD 7.8 May 5, 2025 STARTTLS(8)