SMTP, IMAP, and POP / POP3 are unencrypted transmission protocols by default (like HTTP). One method to run them securely is to use TLS, or its predecessor SSL, as in HTTPS.
Secure ports for incoming and outgoing connections:
- Secure IMAP - port 993 (incoming)
- Secure POP3 - port 995 (incoming)
- Secure SMTP - port 465 (outgoing)
Another method uses STARTTLS. The STARTTLS method connects to the regular SMTP/IMAP/POP3 port and then upgrades the connection to TLS by sending a STARTTLS request. Some email clients refer to this as "TLS" and the method of directly using encryption to a different port as "SSL". This distinction is technically incorrect!
What does TLS buy me?
- Encrypted communications
- Your login information and email messages are sent in encrypted form, so people can't eavesdrop on them.
- Server authentication
- With certificates properly set up, you can check that the IMAP/POP server that you're connecting to is the correct machine (and not an impostor that just wants to steal your password.) The server provides a certificate (public key) which corresponds to a private key on the IMAP/POP server. Once the client knows that the server's public key is authentic, it can validate communications from that server.
These are particularly useful if using public Wi-Fi, which may not be encrypted – these ensure that people can’t read your email by listening to the network, nor can they (more intrusively) set up a fake email server to capture your emails.
- For wireless, you should really be using WPA2, but that’s not always available.
- You can also use Webmail over a secure (HTTPS) connection.
Dealing with certificate problems
- Problem: You connect via SSL to your mail server mail.example.com but there's a name mismatch because the SSL certificate points to *.mail.dreamhost.com instead. See Certificate Domain Mismatch Error.