Secure E-mail

From DreamHost

Secure E-mail

SMTP, IMAP and POP (POP3) are unencrypted protocols by default (like HTTP). One way to run them securely is to wrap the whole connection in SSL/TLS on a dedicated port (like HTTPS). The other method, STARTTLS, connects to the regular SMTP/IMAP/POP3 port and then upgrades the connection to TLS by sending a STARTTLS command; DreamHost does not presently support it. Some e-mail clients label the STARTTLS method "TLS" and the dedicated-port method "SSL". That labelling is technically incorrect: both methods use the same TLS protocol and differ only in how the encrypted session is started. The dedicated port also has a practical advantage: a client that merely offers STARTTLS, rather than insisting on it, can be downgraded to cleartext by anyone who can tamper with the connection, whereas a connection to an SSL-only port either is encrypted or fails.

DreamHost mail servers support SSL automatically when you select SSL in your email client. You must also use the appropriate port for SSL connections:

  • Secure SMTP - port 465
  • Secure IMAP - port 993
  • Secure POP3 - port 995

NOTE: Some clients set the port automatically when you select SSL, or select SSL automatically when you choose one of the ports above; other clients require you to make both selections before SSL is fully configured for the service.

What does SSL buy you?

  • encrypted communications: your login information and e-mail messages are sent in encrypted form, so nobody between you and the server can eavesdrop on them
  • server authentication: with certificates properly set up, you can check that the IMAP/POP server you are connecting to is the correct machine and not an impostor that only wants your password. Normally the client does this by verifying that the server's certificate chains to a trusted certificate authority and that the name in the certificate matches the server name you configured (this is where the name-mismatch problem below comes from). A client that cannot do that can fall back on trust on first use: connect once, save the certificate (which carries the server's public key), and on every later connection require the server to present the same certificate. Copying the certificate onto a fake server does not help an attacker, because the TLS handshake proves possession of the matching private key, which never leaves the real server. The drawback of the saved-certificate approach is that a legitimate certificate renewal looks exactly like an attack, so a changed certificate has to be re-checked by some other route before you accept it.

Dealing with Certificate Problems

  • Problem: Mozilla Thunderbird 1.5 may not allow you to 'Accept this certificate permanently', while allowing you to 'Accept this certificate temporarily' and asking again on every start. The fix is to recreate your Thunderbird profile (on Linux, rename your .thunderbird or .mozilla-thunderbird directory to something else) and then re-configure your e-mail account. [1]
  • Problem: you connect via SSL to your mail server and get a name mismatch, because the SSL certificate is issued to "*.mail.dreamhost.com" while you configured mail.YourDomain.com. In this case the mismatch is not a sign of an attack, because mail.YourDomain.com is simply a DNS alias for one of the *.mail.dreamhost.com machines; but the client has no way to know that, and a name mismatch is exactly what an impostor server would produce, so standards-conforming e-mail clients rightly complain. For a discussion of the issue: KBase discussion. As per [2], you can find your *.mail.dreamhost.com server and use that name directly, as follows:
  1. Log in to your control panel and, once logged in, click on "Account Status" on the upper right. Note the name that is listed under "Your Email Server".
  2. In your email client, change your mail server to EmailServer.mail.dreamhost.com where EmailServer is the name listed under "Your Email Server".
    Explanation:
    • It had been suggested that you use a1.balanced.EmailServer.mail.dreamhost.com instead. That may work with some mail clients, but not with those that compare the server name to the certificate name on every connection, as the standards require. DreamHost's mail servers use the wildcard certificate *.mail.dreamhost.com, and an asterisk matches exactly one level of subdomain (RFC2459, §4.2.1.11, ¶4; RFC2818 §3.1, ¶4; RFC 6125 §6.4.3): EmailServer.mail.dreamhost.com matches the certificate, while a1.balanced.EmailServer.mail.dreamhost.com, which has two labels under the wildcard, does not. This usage is also explained by Thawte, another Thawte page, GeoTrust, Verisign, and Microsoft.
    • Some mail clients and browsers can be convinced to accept the a1.balanced.EmailServer.mail.dreamhost.com name anyway, but other clients insist on comparing the server name to the certificate name each time they start.
  3. SSL should now be accessible without a "server name mismatch" error.
  • Problem: Email client complains about the "certificate authority". See NDN Certificate.
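Both the server-authentication point above and the name-mismatch problem come down to one rule: how a client decides that the name it was told to connect to matches a name in the certificate. The following Python, an added example rather than code from the original page or from DreamHost, implements that rule the way a standards-conforming client does and builds the TLS context in which it is enforced for an IMAP connection. The host name homie, standing in for whatever "Your Email Server" shows in your control panel, is hypothetical.

```python
"""Certificate name matching as a standards-conforming mail client does it.

Added example; not code from the original page or from DreamHost. The host
"homie" stands in for whatever the control panel lists as Your Email Server.
"""
import imaplib
import ssl


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if the configured server name matches one name from the certificate.

    Rules as modern clients implement them (RFC 2818 s3.1, RFC 6125 s6.4.3):
      * comparison is case-insensitive and a trailing dot is ignored
      * a wildcard must be the whole leftmost label
      * the wildcard matches exactly one label, never zero and never several
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in cert_labels or "" in host_labels:
        return False                 # empty label means a malformed name
    if len(cert_labels) != len(host_labels):
        return False                 # '*' covers one label, so counts must agree
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:
            return False             # refuse '*.com'-style wildcards
        return cert_labels[1:] == host_labels[1:]
    if any("*" in label for label in cert_labels):
        return False                 # partial wildcards such as 'h*.example' not accepted
    return cert_labels == host_labels


def certificate_covers(cert_names, hostname: str) -> bool:
    """A certificate is acceptable if any of its names (SAN entries or CN) matches."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def make_mail_context() -> ssl.SSLContext:
    """TLS settings for IMAP/POP3/SMTP on a dedicated SSL port.

    create_default_context() already loads the system CA store and requires a
    valid chain; the explicit assignments stop a later edit from quietly
    turning verification off.
    """
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED      # chain must lead to a trusted CA
    ctx.check_hostname = True                # and the name must match, as above
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_imap(server: str, port: int = 993) -> imaplib.IMAP4_SSL:
    """Connect to the EmailServer.mail.dreamhost.com name, not to
    mail.YourDomain.com, so the hostname check passes against the wildcard."""
    return imaplib.IMAP4_SSL(server, port, ssl_context=make_mail_context())


if __name__ == "__main__":
    wildcard = ["*.mail.dreamhost.com"]
    for name in ("homie.mail.dreamhost.com",              # what the control panel lists
                 "a1.balanced.homie.mail.dreamhost.com",  # two labels under the wildcard
                 "mail.example.com"):                     # the customer's own alias
        print(f"{name:45} {certificate_covers(wildcard, name)}")
```

Run as a script it prints True for homie.mail.dreamhost.com and False for the other two names, which is the behaviour of the strict clients described above: the a1.balanced name fails not because the certificate is bad but because the wildcard covers exactly one label, and the customer's own alias fails because the certificate simply does not carry that name.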

Alternatives

Another option is to edit your hosts file (on Windows, C:\windows\system32\drivers\etc\hosts) so that the name mail.dreamhost.com resolves to the address of mail.YourHostName.com. For example:

  • 123.123.123.123 mail.dreamhost.com

where 123.123.123.123 is replaced with the IP address of mail.YourHostName.com. Afterwards, configure your e-mail program to connect to mail.dreamhost.com instead of mail.YourHostName.com. Be aware that you will then not be able to reach the 'real' mail.dreamhost.com by its hostname, and that the entry pins an IP address: if DreamHost moves your mail server, connections will fail until you update the hosts file by hand.

Client Specific Solutions

  • Thunderbird (a very elegant solution)
  • Outlook Express, and potentially other Windows clients
  • This comment at the blog post linked above gives a solution for Mail.app (Mac OS X). This solution no longer works for Mac OS X 10.5 and above.

Tunneling over SSH in Windows

Some networks (an office firewall, for example) block outbound connections on port 25 (SMTP) and port 465 (SMTP over SSL). You can get around that by tunnelling through SSH to your DreamHost shell account, using (for example) Thunderbird and PuTTY:

  • In PuTTY, set up a profile to connect over SSH to your domain that is hosted by DreamHost. In the configuration dialog box, go to Connection / SSH / Tunnels, and add a "dynamic" tunnel with Source port = "8081" and Destination = empty. A dynamic tunnel makes PuTTY act as a local SOCKS proxy: connections you send to it emerge onto the network from your DreamHost shell server. Save the connection profile and launch it, logging in to your domain with your shell account username and password.
  • In Thunderbird, go to Tools / Options, and click "Connection Settings" in the first tab. Select "Manual proxy configuration", SOCKS host = "localhost", port = "8081", and SOCKS v5 = checked.
  • Configure the rest of Thunderbird (or whatever e-mail client you use) using the regular instructions for IMAP or POP and SMTP. Either SSL or plain connections will work through the tunnel, but keep using SSL: the SSH tunnel only protects the hop from your PC to the shell server, and it does nothing to verify that you are talking to the right mail server at the far end.
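What PuTTY's dynamic tunnel actually provides is a local SOCKS5 proxy, and the mail client performs a small handshake with it before the IMAP or SMTP conversation begins. The Python below, an added example and not code from the original page, DreamHost or PuTTY, performs that exchange by hand (RFC 1928): the client's greeting, the CONNECT request naming the mail server, the proxy's reply, and then TLS on top of the tunnelled stream. Port 8081 matches the setup above; the server name homie.mail.dreamhost.com is hypothetical.

```python
"""What a mail client does behind PuTTY's "dynamic" tunnel: a SOCKS5 CONNECT
(RFC 1928) to the local proxy, then TLS to the mail server over that stream.

Added example; not code from the original page, DreamHost or PuTTY. Port 8081
and the server name homie.mail.dreamhost.com are assumptions.
"""
import socket
import ssl
import struct

SOCKS5, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x01: "general SOCKS server failure", 0x02: "connection not allowed",
              0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
              0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}


def build_greeting() -> bytes:
    """VER NMETHODS METHODS: offer only 'no authentication'. PuTTY's local
    listener needs none; the SSH login already authenticated you."""
    return bytes([SOCKS5, 1, NO_AUTH])


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT with a domain-name address (ATYP 3): the name is resolved at the
    SSH server, so the blocking firewall sees neither a DNS lookup nor port 465."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    return bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_connect_reply(reply: bytes):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT; raise on any non-zero REP."""
    if len(reply) < 4 or reply[0] != SOCKS5:
        raise ConnectionError("not a SOCKS5 reply")
    rep, atyp = reply[1], reply[3]
    if rep != 0x00:
        raise ConnectionError(f"SOCKS5 CONNECT failed: {REPLY_TEXT.get(rep, 'unknown')} (0x{rep:02x})")
    if atyp == ATYP_DOMAIN:
        start, end = 5, 5 + (reply[4] if len(reply) > 4 else 0)
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        start, end = 4, 4 + (4 if atyp == ATYP_IPV4 else 16)
    else:
        raise ConnectionError(f"unknown address type 0x{atyp:02x}")
    if len(reply) < end + 2:
        raise ConnectionError("truncated SOCKS5 reply")
    raw = reply[start:end]
    if atyp == ATYP_DOMAIN:
        addr = raw.decode("idna")
    else:
        addr = socket.inet_ntop(socket.AF_INET if atyp == ATYP_IPV4 else socket.AF_INET6, raw)
    return addr, struct.unpack("!H", reply[end:end + 2])[0]


def _recv_exactly(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def read_connect_reply(sock: socket.socket):
    """Read exactly one reply off the socket, sizing the read from ATYP."""
    head = _recv_exactly(sock, 4)
    if head[3] == ATYP_DOMAIN:
        length = _recv_exactly(sock, 1)
        rest = length + _recv_exactly(sock, length[0] + 2)
    else:
        rest = _recv_exactly(sock, {ATYP_IPV4: 6, ATYP_IPV6: 18}.get(head[3], 0))
    return parse_connect_reply(head + rest)


def open_mail_over_tunnel(mail_host: str, mail_port: int = 993,
                          socks_host: str = "127.0.0.1", socks_port: int = 8081):
    """TCP to the SOCKS listener, CONNECT to the mail server, then TLS on top.
    server_hostname is the real mail host, so the certificate name check
    discussed above still happens even though the bytes travel inside SSH."""
    sock = socket.create_connection((socks_host, socks_port), timeout=30)
    sock.sendall(build_greeting())
    if _recv_exactly(sock, 2) != bytes([SOCKS5, NO_AUTH]):
        sock.close()
        raise ConnectionError("proxy did not accept 'no authentication'")
    sock.sendall(build_connect_request(mail_host, mail_port))
    read_connect_reply(sock)
    return ssl.create_default_context().wrap_socket(sock, server_hostname=mail_host)


if __name__ == "__main__":
    # Needs a running dynamic tunnel on 127.0.0.1:8081 (PuTTY as above, or the
    # OpenSSH equivalent: ssh -N -D 8081 user@yourdomain.example).
    tls = open_mail_over_tunnel("homie.mail.dreamhost.com", 993)
    print(tls.recv(256).decode(errors="replace"))   # IMAP greeting, "* OK ..."
    tls.close()
```

Asking the proxy for the mail server by name (address type 3) means the name is resolved on the DreamHost shell server rather than through the blocking network's DNS, and passing the same name as server_hostname keeps the certificate check in force on the tunnelled connection. The SSH hop protects only the path from your PC to the shell server, which is why SSL is still worth enabling inside the tunnel.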

Useful links

3 Tips for Secure Communication
Avoid Warning When Checking Secure Email
Transport Layer Security-SSL on Wikipedia
