Secure E-mail
From DreamHost
SMTP, IMAP, and POP / POP3 are unencrypted transmission protocols by default (like HTTP). One method to run them securely is to use TLS, or its predecessor SSL, as in HTTPS.
DreamHost mail servers support TLS automatically when you select TLS or SSL in your email client. You must also use the appropriate port for TLS connections:
- Secure SMTP - port 587 (can also use the legacy port 465)
- Secure IMAP - port 993
- Secure POP3 - port 995
Notes
NOTE: Some clients set the port automatically when you select TLS/SSL, or select TLS/SSL automatically when you choose the appropriate port. Other clients require that you make both selections in order to fully configure SSL for the appropriate service.
NOTE: In Thunderbird, for secure POP3, do not check the "Use secure authentication" checkbox: SSL is already secure, and that authentication option is a legacy method (to be all geeky, it refers to Simple Authentication and Security Layer (SASL)).
Another method uses STARTTLS; this is not presently supported on DreamHost. The STARTTLS method connects to the regular SMTP/IMAP/POP3 port and then upgrades the connection to TLS by sending a STARTTLS request. Some email clients refer to this as "TLS" and to the method of directly using encryption on a different port as "SSL". This distinction is technically incorrect!
What does TLS buy you?
- encrypted communications
  - your login information and email messages are sent in encrypted form, so people can't eavesdrop on them
- server authentication
  - with certificates properly set up, you can check that the IMAP/POP server that you're connecting to is the correct machine (and not some fake that just wants to steal your password): you connect once, save the certificate (public key), and each time you connect in future, the server should give you the same public key (which is useless without the private key, so you can't just copy the certificate to make a fake server)
These are particularly useful if using public Wi-Fi, which may not be encrypted – these ensure that people can’t read your email by listening to the network, nor can they (more intrusively) set up a fake email server to capture your emails.
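The save-and-compare check described under server authentication above can be sketched as follows; this is an added example, not DreamHost's code or part of any mail client. The pin file, the function names and the byte strings standing in for certificates are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_cert(host: str, port: int = 993) -> bytes:
    """Get the server certificate over implicit TLS (IMAP on 993 by default).

    The default context still validates the chain and hostname; the pin
    check below is an additional test, not a replacement.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(store: Path, host: str, port: int, der_cert: bytes) -> str:
    """Return 'first-use', 'match' or 'mismatch' for this host:port.

    A pin is written only on first use; a mismatch never overwrites it,
    so a substituted certificate keeps failing until a person decides.
    """
    pins = json.loads(store.read_text()) if store.exists() else {}
    key = f"{host}:{port}"
    seen = fingerprint(der_cert)
    if key not in pins:
        pins[key] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "first-use"
    return "match" if hmac.compare_digest(pins[key], seen) else "mismatch"


if __name__ == "__main__":
    import tempfile
    # Constructed byte strings stand in for two different DER certificates.
    real, fake = b"constructed-cert-A", b"constructed-cert-B"
    store = Path(tempfile.mkdtemp()) / "mail_pins.json"
    for cert in (real, real, fake, real):
        print(check_pin(store, "mail.yourdomain.com", 993, cert))
```

A legitimate certificate renewal also reports a mismatch, so confirm the new fingerprint through a separate channel before replacing the stored pin.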
Alternatives
- For wireless, you should really be using WPA2, but that’s not always available!
- You can also use webmail over a secure (HTTPS) connection.
Dealing with Certificate Problems
- Problem: you connect via SSL to your mail server mail.yourdomain.com but there's a name mismatch because the SSL certificate points to *.mail.dreamhost.com instead. See Certificate Domain Mismatch Error.
- Problem: Email client complains about the "certificate authority". See NDN Certificate.
- Problem: Mozilla Thunderbird 1.5 may not allow you to 'Accept this certificate permanently'; it only lets you 'Accept this certificate temporarily' and asks again on every start. The fix is to recreate your Thunderbird profile (in Linux, rename your .thunderbird or .mozilla-thunderbird directory to something else) and then re-configure your email account. [1]
Tunneling over SSH in Windows
Suppose you can't connect out on port 25 (SMTP), port 587 (MSA or MSA over TLS) or port 465 (legacy MSA over TLS) from work, as the firewall prevents it. Here's how you can get around that with SSH using (for example) Thunderbird and PuTTY:
- In PuTTY, set up a profile to connect over SSH to your domain that is hosted by DreamHost. In the configuration dialog box, go to Connection / SSH / Tunnels, and add a "dynamic" tunnel with Source port = "8081" and Destination = empty. Save the connection profile and launch it, logging into your domain with your shell account username and password.
- In Thunderbird, go to Tools / Options, and click "Connection Settings" in the first tab. Select "Manual proxy configuration", Socks host = "localhost", port = "8081", and Socks v5 = checked.
- Configure the rest of Thunderbird (or whatever email client you use) using the regular instructions for IMAP or POP and SMTP, using SSL or not using SSL – either should work.

