Secure Email

From DreamHost
Revision as of 14:13, 24 January 2011 by Dccup (Talk | contribs)

Jump to: navigation, search

SMTP, IMAP, and POP / POP3 are unencrypted transmission protocols by default (like HTTP). One method to run them securely is to use TLS, or its predecessor SSL, as in HTTPS.

DreamHost mail servers support TLS automatically when you select TLS or SSL in your email client. You must also use the appropriate port for TLS connections:

  • Secure SMTP - port 587 (can also use the legacy port 465 - this may solve problems with SSL) (port 587 has optional TLS encryption, possibly using STARTTLS now, or use port 465 for SSL encryption)
  • Secure IMAP - port 993 (port 143 has optional TLS encryption, or use port 993 with SSL encryption)
  • Secure POP3 - port 995 (port 110 has optional TLS access, or use port 995 for SSL access)


NOTE: Some clients will set the port automatically when you select TLS/SSL, or select TLS/SSL automatically when you select the appropriate port, other clients will require that you make both selections in order to fully configure SSL for the appropriate service.

NOTE: In Thunderbird, for secure POP3, do not check the "Use secure authentication" checkbox - SSL is already secure, and authentication is a legacy method (to be all geeky, this means Simple Authentication and Security Layer (SASL)).

Another method uses STARTTLS; this is not presently supported on Dreamhost. The STARTTLS method connects to the regular SMTP/IMAGE/POP3 port and then upgrades the connection to TLS by sending a STARTTLS request. Some email clients refer to this as "TLS" and the method of directly using encryption to a different port as "SSL". This distinction is technically incorrect!

What does TLS buy you?

Encrypted communications
Your login information and email messages are sent in encrypted form, so people can't eavesdrop on them.
Server authentication
With certificates properly set up, you can check that the IMAP/POP server that you're connecting to is the correct machine (and not an impostor that just wants to steal your password.) The server provides a certificate (public key) which corresponds to a private key on the IMAP/POP server. Once the client knows that the server's public key is authentic, it can validate communications from that server. (To validate the server's public key, it is recommended that the client be equipped with the New Dream Network (NDN) root certificate.)

These are particularly useful if using public Wi-Fi, which may not be encrypted – these ensure that people can’t read your email by listening to the network, nor can they (more intrusively) set up a fake email server to capture your emails.


  • For wireless, you should really be using WPA2, but that’s not always available!
  • You can also use webmail over a secure (HTTPS) connection.

Dealing with Certificate Problems

  • Problem: you connect via SSL to your mail server but there's a name mismatch because the SSL certificate points to * instead. See Certificate Domain Mismatch Error.
  • Problem: Email client complains about the "certificate authority". See NDN Certificate.
  • Problem: Mozilla Thunderbird 1.5 may not allow you to 'Accept this certificate permanently', while allowing to 'Accept this certificate temporarily' and asking again on every start. The fix is to recreate your Thunderbird profile (in Linux rename your .thunderbird of .mozilla-thunderbird directory to something else) and then re-configure your email account. [1]

Tunneling over SSH in Windows

Suppose you can't connect out on port 25 (SMTP), port 587 (MSA or MSA over TLS) or port 465 (legacy MSA over TLS) from work, as the firewall prevents it. Here's how you can get around that with SSH using (for example) Thunderbird and Putty:

  • In Putty, set up a profile to connect over SSH to your domain that is hosted by DreamHost. In the configuration dialog box, go to Connection / SSH / Tunnels, and add a "dynamic" tunnel with Source port = "8081" and Destination = empty. Save the connection profile and launch it, logging into your domain with your shell account username and password.
  • In Thunderbird, go to Tools / Options, and click "Connection Settings" in the first tab. Select "Manual proxy configuration", Socks host = "localhost", port = "8081", and Socks v5 = checked.
  • Configure the rest of Thunderbird (or whatever email client you use) using the regular instructions for IMAP or POP and SMTP, using SSL or not using SSL – either should work.

Tunneling over SSH in Ubuntu

  • In terminal, give the command "ssh -D 8080"
  • In Thunderbird, go to Edit / Preferences and look at the Advanced tab. Click the "Connection..." button and, generally, follow the Windows instructions above.

Useful links