Secure Email

From DreamHost

Overview

SMTP, IMAP, and POP / POP3 are unencrypted transmission protocols by default (like HTTP). One method to run them securely is to use TLS, or its predecessor SSL, as in HTTPS.

Important:

DreamHost mail servers only support TLS for incoming email. TLS is NOT available for outgoing mail. Emails sent from a DreamHost address use regular SMTP, even when TLS settings are enabled.

This is also why you may notice a red padlock icon in Gmail. View the following article for further details:

DreamHost admins are currently working to provide full-TLS functionality to all mail servers.


Secure ports for incoming and outgoing connections:

  • Secure IMAP - port 993 (incoming)
  • Secure POP3 - port 995 (incoming)
  • Secure SMTP - port 465 (outgoing)

Note: Some clients will set the port automatically when you select TLS/SSL, or select TLS/SSL automatically when you select the appropriate port. Other clients require that you make both selections in order to fully configure SSL for the appropriate service.


Another method uses STARTTLS. The STARTTLS method connects to the regular SMTP/IMAP/POP3 port and then upgrades the connection to TLS by sending a STARTTLS request. Some email clients refer to this as "TLS" and to the method of connecting with encryption from the start on a dedicated port as "SSL". This distinction is technically incorrect! Both methods use TLS; the only difference is whether the connection is encrypted from the first byte or upgraded after it opens.

What does TLS buy me?

Encrypted communications
Your login information and email messages are sent in encrypted form, so people can't eavesdrop on them.
Server authentication
With certificates properly set up, you can check that the IMAP/POP server you're connecting to is the correct machine (and not an impostor that just wants to steal your password). The server presents a certificate containing a public key that corresponds to a private key held by the IMAP/POP server. Once the client knows that the server's public key is authentic, it can verify that the session really is with that server.

These protections are particularly useful when using public Wi-Fi, which may not be encrypted: they ensure that people can't read your email by listening to the network, nor can they (more intrusively) set up a fake email server to capture your messages.

Alternatives

  • For wireless, you should really be using WPA2, but that’s not always available.
  • You can also use Webmail over a secure (HTTPS) connection.

Dealing with certificate problems

  • Problem: You connect via SSL to your mail server mail.example.com but there's a name mismatch because the SSL certificate points to *.mail.dreamhost.com instead. See Certificate Domain Mismatch Error.
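The port table, the STARTTLS-versus-dedicated-port distinction, and the certificate name mismatch described above can all be exercised from a small client. The following Python script is an added example, not DreamHost's own code or tooling. The hostnames, the STARTTLS ports (143, 110, 587) and the sample server responses are constructed for illustration; the 993/995/465 values are the ones listed on this page. The `connect` function uses a context that verifies the certificate chain and checks that the certificate name matches the host you asked for, so a mismatch like the one in the problem above surfaces as an `ssl.SSLCertVerificationError` instead of a silently accepted connection.

```python
"""Added example: open verified TLS sessions to mail servers, either on the
dedicated implicit-TLS ports or by upgrading a plaintext port with STARTTLS.
Sample capability/EHLO/CAPA responses below are constructed, not captured."""
import imaplib
import poplib
import smtplib
import ssl

# Implicit TLS ports as listed on the page ("Secure IMAP/POP3/SMTP").
IMPLICIT_TLS_PORTS = {"imap": 993, "pop3": 995, "smtp": 465}
# Plaintext ports that are upgraded with STARTTLS (assumed standard values).
STARTTLS_PORTS = {"imap": 143, "pop3": 110, "smtp": 587}


def port_for(protocol: str, mode: str) -> int:
    """Port a client should use for a protocol ('imap', 'pop3', 'smtp')
    and a TLS mode ('implicit' or 'starttls')."""
    table = {"implicit": IMPLICIT_TLS_PORTS, "starttls": STARTTLS_PORTS}[mode]
    return table[protocol.lower()]


def imap_offers_starttls(capability_line: str) -> bool:
    """True if an IMAP CAPABILITY response advertises STARTTLS, e.g.
    '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED' (constructed)."""
    return "STARTTLS" in [t.upper() for t in capability_line.split()]


def smtp_offers_starttls(ehlo_response: str) -> bool:
    """True if a multi-line SMTP EHLO response contains a '250-STARTTLS'
    (or final '250 STARTTLS') line."""
    for line in ehlo_response.splitlines():
        if line[:4] in ("250-", "250 ") and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def pop3_offers_starttls(capa_response: str) -> bool:
    """True if a POP3 CAPA response lists STLS, the POP3 name for STARTTLS."""
    return any(line.strip().upper() == "STLS" for line in capa_response.splitlines())


def strict_context() -> ssl.SSLContext:
    """TLS context that validates the chain against the system trust store
    and requires the certificate name to match the requested host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect(protocol: str, host: str, mode: str):
    """Return a connected, TLS-protected client for the given protocol.
    Raises ssl.SSLCertVerificationError if the chain is untrusted or the
    certificate does not match `host` (the name-mismatch case)."""
    ctx = strict_context()
    port = port_for(protocol, mode)
    if protocol == "imap":
        if mode == "implicit":
            return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        client = imaplib.IMAP4(host, port)
        client.starttls(ssl_context=ctx)
        return client
    if protocol == "pop3":
        if mode == "implicit":
            return poplib.POP3_SSL(host, port, context=ctx)
        client = poplib.POP3(host, port)
        client.stls(context=ctx)
        return client
    if protocol == "smtp":
        if mode == "implicit":
            return smtplib.SMTP_SSL(host, port, context=ctx)
        client = smtplib.SMTP(host, port)
        client.ehlo()
        client.starttls(context=ctx)
        client.ehlo()
        return client
    raise ValueError(f"unknown protocol {protocol!r}")


if __name__ == "__main__":
    # Hostname below is a placeholder; replace with your provider's server.
    try:
        imap = connect("imap", "mail.example.com", "implicit")
        print("IMAP over TLS on port", port_for("imap", "implicit"), "OK")
        imap.logout()
    except ssl.SSLCertVerificationError as exc:
        # This is what a name mismatch or untrusted chain looks like.
        print("certificate problem:", exc)
    except OSError as exc:
        print("connection failed:", exc)
```

If your provider's certificate is issued for a different name than the one you configured (the `*.mail.dreamhost.com` versus `mail.example.com` case above), the fix is to connect to the name the certificate covers rather than to disable `check_hostname`; turning verification off gives up the server-authentication benefit described earlier.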

See also