4 Encryption

For greater security, you can encrypt your connection to the SMTP server. If this is to work, both Emacs and the server must support it.

The SMTP library supports the “Transport Layer Security” (TLS), and the older “Secure Sockets Layer” (SSL) encryption mechanisms. It also supports STARTTLS, which is a variant of TLS in which the initial connection to the server is made in plain text, requesting a switch to an encrypted channel for the rest of the process.

The variable smtpmail-stream-type controls what form of connection the SMTP library uses. The default value is nil, which means to use a plain connection, but try to switch to a STARTTLS encrypted connection if the server supports it. Other possible values are: starttls to insist on STARTTLS; ssl to use TLS/SSL; and plain for no encryption.

Use of any form of TLS/SSL requires support in Emacs. You can either use the built-in support (in Emacs 24.1 and later), or the starttls.el Lisp library. The built-in support uses the GnuTLS ¹ library. If your Emacs has GnuTLS support built-in, the function gnutls-available-p is defined and returns non-nil. Otherwise, you must use the starttls.el library (see that file for more information on customization options, etc.). The Lisp library requires one of the following external tools to be installed:

1. The GnuTLS command line tool ‘gnutls-cli’, which you can get from http://www.gnu.org/software/gnutls/. This is the recommended tool, mainly because it can verify server certificates.
2. The ‘starttls’ external program, which you can get from starttls-*.tar.gz from ftp://ftp.opaopa.org/pub/elisp/.

The SMTP server may also request that you verify your identity by sending a certificate and the associated encryption key to the server. If you need to do this, you can use an ~/.authinfo entry like this:

machine mail.example.org port 25 key "~/.my_smtp_tls.key" cert "~/.my_smtp_tls.cert"

(This replaces the old smtpmail-starttls-credentials variable used prior to Emacs 24.1.)