[FQuest Announce] - Secure Email Protocols Now Available


Bob
09-06-2005, 12:20 PM
In addition to the recent announcements for Secure QuestMail access (http://www.aota.net/forums/showthread.php?t=19797) and Secure CNC access (http://www.aota.net/forums/showthread.php?t=19951), FutureQuest is pleased to announce secure options for accessing your email by POP3 or IMAP, as well as a secure option for sending email by SMTP.

:yeah: The new Secure Email Protocols are available now! :yeah:

POP3 over SSL (or POP3S) uses port 995
SMTP over SSL (or SMTPS) uses port 465
IMAP over SSL (or IMAPS) uses port 993

The traditional email services, which include POP3, IMAP and SMTP, remain available on their usual ports. If you make no changes to your email settings your email will continue to function as you are accustomed to it functioning.

For those of you who would like to take advantage of the new secure protocols you may find that your existing email client already provides an option for enabling this feature. Although FutureQuest cannot directly support the configuration of third-party software, such as email clients or IMAP, here are some configuration guidelines to use the secure protocols:


You should continue to use the same server/host name settings.
If your domain is example.com, then the server name settings are:
POP3 Host: pop.example.com
SMTP Host: mail.example.com
IMAP Host: pop.example.com


Look for the configuration panel for secure options under a tab such as "Advanced" or "Secure" within the Account or Server properties section of your email client.


If the email client offers a choice of encryption methods, choose SSL.
The STARTTLS method is NOT supported.


Some email clients will automatically choose the correct port numbers. However, some clients require the port numbers to be manually entered. Please refer to the port numbers listed at the top of this announcement.

For additional assistance in configuring your email client to use secure access, you should contact the email client's support providers. We also encourage you to post questions and solutions within these forums so that others using the same email client may provide tips/suggestions as well as learn from the knowledge you share.

A note about certificate warnings:
The certificate that is used to accomplish the necessary SSL encryption for the email protocols is issued to Secure.FutureQuest.net. Some email clients will issue a warning each time you connect because the domain name does not match your own, some will issue a warning only the first time you connect after starting your email program, while others have an option to always accept the certificate. This behavior varies from email client to email client, and is not under FutureQuest's control.

FutureQuest is pleased to offer you the choice between traditional email access methods or secure email access methods. There are no extra fees for either type of email access. We simply hope this further empowers you to work with your email options in the way that suits your requirements best :QTthumb:

From yours truly
The FutureQuest Team
-
:QTFQuest:

cjcox
09-06-2005, 12:45 PM
Thanks terra, deb (and everyone at fq)!

I love you all (even when I get real whiny)!

hobbes
09-06-2005, 12:56 PM
:yeah: :clapper: :whistle: :ytshark:

-- oops, scratch that last one --

Tom
09-06-2005, 01:13 PM
Very interesting and it was a snap to set it up (I do get the warnings).

Question: What are the security concerns in e-mail that would lead someone to using SSL for their e-mail? Are non-secure e-mails at risk that I've been unaware of until now? (I get it when using public WiFi for e-mail) :confused:

(If this needs to move to another location, feel free to move my question.)

tril
09-06-2005, 01:36 PM
Excellent!

Anyone know of a way to get fetchmail to stop crying about the certificate domain?

dank
09-06-2005, 01:42 PM
It would appear The Bat! (v2.x) is among those clients unable to work with the non-matching domain, unless I've got an option somewhere to turn off that lockout...

Dan

Velimir
09-06-2005, 02:13 PM
weeeheeeee :yeah:

:clapper:

Thank you!
Regards,
vee

Wassercrats
09-06-2005, 02:15 PM
I think I'd prefer an email client that gives you security warnings about the domains not matching. It sounds like if you want a secure connection and you get the warning then you have to look into things unless you trust the email host. If you configure your email client for secure email and get no warnings, you know you're safe.

rb
09-06-2005, 02:52 PM
Very interesting and it was a snap to set it up (I do get the warnings).

Question: What are the security concerns in e-mail that would lead someone to using SSL for their e-mail? Are non-secure e-mails at risk that I've been unaware of until now? (I get it when using public WiFi for e-mail) :confused:

(If this needs to move to another location, feel free to move my question.)
Anyone who can see your network traffic, such as anyone within range on an unencrypted WiFi network, or a sysadmin for your LAN, can easily capture your user name and password for email unless you use this new protocol, or port forwarding with an SSH client such as Putty.

I have been using Putty for a long time, but it's inconvenient to start a separate program, so this new service is appreciated.

Wassercrats
09-06-2005, 03:00 PM
Look for the configuration panel for secure options under a tab such as "Advanced" or "Secure" within the Account or Server properties section of your email client.

In Outlook Express, I think you check "This server requires a secure connection (SSL)" under Advanced, not under Security. To be exact, you go to Tools > Accounts > [the email account to configure] > Properties > Advanced. But there's no lock or anything anywhere, so I could only assume it's working.

...I mean as opposed to being sure.

Kevin
09-06-2005, 03:17 PM
Excellent!

Anyone know of a way to get fetchmail to stop crying about the certificate domain?
You could always run:
fetchmail 2>&1 | grep -v secure.futurequest.net
or if using [t]csh:
fetchmail |& grep -v secure.futurequest.net

That would only filter out the messages about the key mismatch.

I am personally continuing to use the old ssh tunnel method because I already have it setup and because my fetchmail doesn't have to know about keys.

Randall
09-06-2005, 05:05 PM
Some email clients will issue a warning each time you connect because the domain name does not match your own, some will issue a warning only the first time you connect after starting your email program, while others have an option to always accept the certificate.

Thunderbird appears to fall into the second category. (I can't find an override in Firefox's about:config, so I presume TB doesn't have one either.) It asks once for pop.example.com -- no matter how many POP or IMAP accounts you have -- and a second time for mail.example.com.

At home I keep it running pretty much around the clock, so it's not a big deal. But I wouldn't recommend this for non-technical (aka "impatient") users. :wink:

Do we have any reason to worry that ISPs will block port 465 the way they've done with 25? Or does the use of SMTPS imply authentication as well?

Randall

Bruce
09-06-2005, 05:30 PM
Question: What are the security concerns in e-mail that would lead someone to using SSL for their e-mail? Are non-secure e-mails at risk that I've been unaware of until now? (I get it when using public WiFi for e-mail)

The primary concern is to keep any passwords used to access the account from being exposed. Also, if you don't trust the connection between you and your mail host (FutureQuest), this will encrypt all the traffic. All mail sent between our servers and other servers is still in the clear, though, so the contents can still be picked up that way, but the links between servers tend to be at least slightly better secured than the links to end users.

Bruce
09-06-2005, 05:35 PM
Do we have any reason to worry that ISPs will block port 465 the way they've done with 25? Or does the use of SMTPS imply authentication as well?

I don't see why ISPs would have much motivation to block port 465. From what I know, the primary motivation for blocking or capturing SMTP traffic is preventing blocks (from RBLs or annoyed admins) caused by spammers using either throw-away accounts or trojans on their networks to send directly to other servers. SMTPS is used primarily if not exclusively to send to a mail relay and not for server-to-server mail like SMTP is. As such there is no reason for spammers or trojans to begin using it, and so no reason for ISPs to block it.

Anything is, of course, possible.

The use of SMTPS does not imply authentication of any kind, other than possibly authenticating the host (us) to the client (you). As you have observed that part is broken due to the use of a single certificate across the system. Just using SMTPS does nothing to prove to us that you are authorized to relay through us.

jay scott
09-06-2005, 05:36 PM
Thank you, FutureQuest! Now I can read my e-mail over an insecure public wireless connection.

Wassercrats
09-06-2005, 05:36 PM
All mail sent between our servers and other servers is still in the clear, though, so the contents can still be picked up that way...

Doesn't email have to go through a third party server to get to and from me? Would Putty be more secure?

Bruce
09-06-2005, 05:42 PM
Doesn't email have to go through a third party server to get to and from me?

Define third party, please. When you pick up mail from us (via POP or IMAP) or use us as a relay (SMTP) the network traffic goes through many other routers and gateways (some provided by your ISP, some by the backbones, etc), but no mail servers. Similar for using us as a relay (unless they are capturing SMTP traffic).

Would Putty be more secure?

Using SSH (through PuTTY or equivalent) has some advantages. First, each connection (after the first) authenticates the host unlike the current SSL setup. Second, you can tunnel other services that do not (yet) have SSL ports (such as connecting to your stats or whatever). Neither the use of SSL nor SSH has any impact on the traffic we send to and receive from other mail servers.

Wassercrats
09-06-2005, 05:57 PM
I meant that if I configure OE to use SSL for Futurequest email, would things be "in the clear," but I guess you were saying it's only in the clear if Futurequest sends email to an email server, which wouldn't be happening in my case. But maybe I'll use Putty anyway since it does more authentication. It wouldn't be as annoying as using Putty with CNC because I'd usually close the email tasks right after I read or send the email so my task bar wouldn't have that extra button for long.

Bruce
09-06-2005, 06:06 PM
I meant that if I configure OE to use SSL for Futurequest email, would things be "in the clear," but I guess you were saying it's only in the clear if Futurequest sends email to an email server, which wouldn't be happening in my case.

Here's an example that might help clarify things. Let's say you send a mail to somebody@gmail.com. You use SMTPS, so your traffic from your computer to us is encrypted by SSL. However, we have to relay that mail for you over to gmail.com, and when we send it to them, we will not be using SMTPS, and so the mail will be sent in the clear over the backbones between FutureQuest and Google. Same thing applies in reverse to mail sent to us. All the traffic we receive is using clear SMTP, and so no encryption is being done. When you pick up the mail with POP3S or IMAPS, that part of the mail journey (from us to you) is encrypted.

Wassercrats
09-06-2005, 06:15 PM
Oh yeah, ok. So my password would be safe in any case.

Randall
09-06-2005, 06:21 PM
Do all of these new secure connections -- CNC, POP, SMTP -- open us up to locking ourselves out of our accounts because of a mistyped password? I know Terra said that FQ was limiting the protocols affected by the blocks, but are there any limits on how we can shoot ourselves in the feet?

If this has been explained in detail already, my apologies. When people start talking about PuTTY and SSH tunneling I just sort of zone out.

Randall

Bruce
09-06-2005, 06:26 PM
Do all of these new secure connections -- CNC, POP, SMTP -- open us up to locking ourselves out of our accounts because of a mistyped password?

As of yet, there is no systemic monitoring of the SSL-wrapped mail protocols. If there is abuse of the system (as there was before we instituted the SSH lockouts), there will be more active policing set up.

kitchin
09-06-2005, 07:23 PM
Good news indeed. Here are the Eudora settings. Sponsored or paid mode is required.

Tools / Options / Checking Mail / Secure Sockets when Receiving:
You must select "Required, Alternate Port" from the drop-down list.

Tools / Options / Sending Mail / Secure Sockets when Sending:
You must select "Required, Alternate Port" from the drop-down list.

Bob
09-06-2005, 07:43 PM
Thunderbird appears to fall into the second category. (I can't find an override in Firefox's about:config, so I presume TB doesn't have one either.) It asks once for pop.example.com -- no matter how many POP or IMAP accounts you have -- and a second time for mail.example.com.

Randall

Actually in testing with Thunderbird, which I have been doing for some time it appears that if you do not SMTPS (send an email) you will get prompted every time for POP however if you send an email (to yourself for example) then the POP prompts will stop for some time...

I once went almost 48 hours before I got another POP Certificate prompt. So what I do is when I get a POP cert prompt I go ahead and SMTPS myself an email and then that usually takes care of the POP prompts for a while.

Note YMMV but this works for me using POPS and SMTPS in Thunderbird.

-Bob

NoahM
09-06-2005, 10:14 PM
Report on Outlook 2003 and Snapper Mail for Palm

In Outlook I get a warning every time I start the application for the first receive and then again when I attempt the first send. After that no warnings until I shut down and restart Outlook. If anyone knows a way to keep this from happening please let me know.

For those of you with a web enabled Palm device I am glad to report that this works perfectly with Snapper Mail. When setting up an account go to Server -> More and select "Always secure (wrapped port)" from the list box. The POP3 port will adjust to the correct port, but you will have to change the port for SMTP. Then check the box for each protocol that says "Always trust server" and you are ready to get secure email on the go.

Wassercrats
09-06-2005, 10:55 PM
I tried emailing myself and got the error
The server does not support a SSL connection. Account: 'General Mail', Server: 'mail.polisource.com', Protocol: SMTP, Server Response: '250 HELP', Port: 25, Secure(SSL): Yes, Server Error: 250, Error Number: 0x800CCC7D

Never mind....I didn't configure anything in CNC yet...um...that's not necessary, right? I don't know what happened. :dunno:

Bruce
09-06-2005, 11:16 PM
I tried emailing myself and got the error
The server does not support a SSL connection. Account: 'General Mail', Server: 'mail.polisource.com', Protocol: SMTP, Server Response: '250 HELP', Port: 25, Secure(SSL): Yes, Server Error: 250, Error Number: 0x800CCC7D

SMTPS works on port 465, not port 25, so your mail program was absolutely correct in saying that port 25 does not support a SSL connection.

I didn't configure anything in CNC yet...um...that's not necessary, right?

Correct. All three SSL enabled protocols are available to all site owners immediately with no CNC changes necessary.

Wassercrats
09-06-2005, 11:21 PM
Yeah, Bob said that, didn't he. Please, nobody answer my questions any more until I have time to figure it out for myself. It's very upsetting.

It works now, and I saw a little lock too.

tjlid
09-07-2005, 01:20 AM
Please, nobody answer my questions any more until I have time to figure it out for myself.

I second the motion.

TL

Phil Chaney
09-07-2005, 02:58 AM
Actually in testing with Thunderbird, which I have been doing for some time it appears that if you do not SMTPS (send an email) you will get prompted every time for POP however if you send an email (to yourself for example) then the POP prompts will stop for some time...

After digging around a bit, it seems that there may be a way to get around the warning message. In the Security tab under Account Settings, there is an area to manage certificates. You can import certificates and by doing this, it should stop the warnings, at least till it expires.

Bob, can you try this and see if it works? What's the possibility/feasibility of a user being able to download FQ's certificate to import it into Thunderbird? I wonder if some other email clients may be able to do this too.

sheila
09-07-2005, 03:00 AM
In the FWIW category...I know I'm the only living soul here at FutureQuest who uses Mulberry and likes it, but it does allow you to permanently accept the certificate and then never again see the warnings.

Phil Chaney
09-07-2005, 03:40 AM
It appears the mismatched domain error in Thunderbird has been an issue for sometime ... https://bugzilla.mozilla.org/show_bug.cgi?id=228684

No simple fix, it seems... :umm:

Arthur
09-07-2005, 05:09 AM
After digging around a bit, it seems that there may be a way to get around the warning message. In the Security tab under Account Settings, there is an area to manage certificates. You can import certificates and by doing this, it should stop the warnings, at least till it expires.

This does not solve the certificate mismatch error, unfortunately. Thunderbird is not complaining about the validity of the certificate (if it was, you could solve that by importing the certificate), just that the hostname in the certificate does not match the hostname of the server you're connecting to.

No simple fix, it seems... :umm:

Alas, no. :sad:

Arthur

rsh
09-07-2005, 11:31 AM
Good news indeed. Here are the Eudora settings. Sponsored or paid mode is required.

Tools / Options / Checking Mail / Secure Sockets when Receiving:
You must select "Required, Alternate Port" from the drop-down list.

Tools / Options / Sending Mail / Secure Sockets when Sending:
You must select "Required, Alternate Port" from the drop-down list.

I would love to use SSL in my email client. We use Eudora. I followed instructions posted by kitchin but got the following error: "SSL Negotiation Failed: Certificate bad: Destination Host name does not match host name in certificate". I've read on this group that this SSL negotiation should just work once you've set your email client to use it. Anything I'm missing? Thanks!

Phil Chaney
09-07-2005, 11:57 AM
This does not solve the certificate mismatch error, unfortunately. Thunderbird is not complaining about the validity of the certificate (if it was, you could solve that by importing the certificate), just that the hostname in the certificate does not match the hostname of the server you're connecting to.

Yes, after sifting through the comments in Bugzilla, this became painfully obvious... oh well :hrmm:

sheila
09-07-2005, 11:59 AM
I would love to use SSL in my email client. We use Eudora. I followed instructions posted by kitchin but got the following error: "SSL Negotiation Failed: Certificate bad: Destination Host name does not match host name in certificate". I've read on this group that this SSL negotiation should just work once you've set your email client to use it. Anything I'm missing? Thanks!

What version of Eudora are you using?
I'm not sure what version kitchin used, but I tested with the latest Eudora, 6.2, and did not get that particular error. In other words, I was able to make a connection despite the cert mismatch.

rsh
09-07-2005, 12:09 PM
I'm using version 6.1.

rsh
09-07-2005, 12:33 PM
Just upgraded to latest version - 6.2 and it's working without any errors. :smile:

Wassercrats
09-07-2005, 03:22 PM
Something's up with "barry--a t--polisource.com". I can send email from "mail--a t--polisource.com", but not from the barry account. I had already changed the outgoing mail port to 465 and checked "this server requires a secure connection (SSL)" for both accounts. So I reviewed the instructions and discovered that I might need to set "Incoming mail (POP3)" to 995, so I did that. Then I tried reading my mail. I entered my password and it wouldn't work. The message in my outbox couldn't be sent, and the check for new messages never happened. I eventually closed or stopped something and I got the error
A time-out occurred while communicating with the server. Account: 'Webmaster/Editor of Polisource.com', Server: 'pop.polisource.com', Protocol: POP3, Port: 995, Secure(SSL): No, Error Number: 0x800CCC19

Maybe this is all due to my sleep pattern changing. I'll try again later.

Randall
09-07-2005, 08:41 PM
I move to have Wasser moved to a secure location where he can talk to himself all he wants.

Maybe he could just upload himself into the secure CNC...

Randall

Melissa
09-07-2005, 11:03 PM
Barry, are you using McAfee or Norton (anti-virus) to scan your email?
http://support.microsoft.com/default.aspx?scid=kb;en-us;813518

If so, might want to try disabling the scanning and see if it helps. Instructions for doing so in Norton are here:
http://service1.symantec.com/support/nav.nsf/8d071816eedd7cac88256c0e005a96e5/4d8a598190b8096e88256ab800199776?opendocument

Wassercrats
09-08-2005, 06:38 AM
I'm using AVG Free to scan email. Maybe I'll try disabling it. For now I'm not using SSL. I was planning to try Putty when I get a chance.

bassil
09-08-2005, 09:34 PM
Thanks Terra, Deb and everyone at FQ!

OzHeart
10-08-2005, 07:42 PM
Bringing this back up. I wondered if anyone using MS Entourage (2004) on Mac OS X has found a way to get around these security certificate warnings? I would like to implement this SSL for my wife's email but I am also sure she'll complain about these warnings. I am not keen on moving her off Entourage at this stage.

Thanks.

Melissa
10-15-2005, 07:51 PM
Bringing this back up. I wondered if anyone using MS Entourage (2004) on Mac OS X has found a way to get around these security certificate warnings? I would like to implement this SSL for my wife's email but I am also sure she'll complain about these warnings. I am not keen on moving her off Entourage at this stage.

Thanks.

Disclaimer: I know next to nothing about Macs...

But I'm wondering if this may help you:
https://engineering.purdue.edu/ECN/Resources/KnowledgeBase/Docs/20030813093435
(Section titled:
"Microsoft Entourage for OS X
Please Read Before Following Steps for Entourage")
:dunno:

kitchin
10-17-2005, 01:38 PM
By the way, the latest version of Eudora has this in the release notes:
SSL
---
Fixed bug that would cause repeated requests for the user to trust an SSL
certificate.

It's version 6.2.5. But I was not having a problem with the previous version, using FQ's SSL email.

tappel
10-23-2005, 05:13 PM
The STARTTLS method is NOT supported.
Unfortunate (for me) as my email client (Mailsmith for Mac OS X) requires STARTTLS.

From the Mailsmith help file:
Mailsmith can only use SSL with SMTP servers that support the "STARTTLS" command.

Tom

sheila
10-23-2005, 05:16 PM
Unfortunate (for me) as my email client (Mailsmith for Mac OS X) requires STARTTLS.

I'm sorry to hear that, Tom. :(
Mailsmith is not one of the clients we tested, but we did test many email clients, including Eudora, Mail.app, Mulberry, Pegasus, Outlook Express, Thunderbird, and more. (Those are just quick off the top of my head.)

Of all the clients we tested, they were all able to support the protocol FutureQuest offered.

I can tell you that STARTTLS support is on the wishlist, but I do not know when it will be implemented.

In the meantime, of course, you can use SSH tunneling for secure email retrieval and sending.

Randall
01-18-2006, 08:26 PM
Just a quick note for Thunderbird users: There's an extension called Remember Mismatched Domains that allows you to banish the @#$% warnings once and for all.

:ytecstat:

Details in this thread: Thunderbird hits 1.5 (http://www.aota.net/forums/showthread.php?postid=143917#post143917).

Randall

robpitt
04-19-2006, 10:46 AM
FYI:
Somewhat hacky way to circumvent the "CN Name doesn't match" warnings with Outlook Express etc.

Edit
C:\windows\system32\drivers\etc\hosts
and add
yourmailserverip secure.futurequest.net
Then change your mail program to use "secure.futurequest.net" as the mail server (which in turn resolves to yourmailserverip but now the host name and certificate name match!).

The downside is you can no longer access any other service hosted on secure.futurequest.net
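An added example (not FutureQuest's code or any mail client's) covering both the certificate note in the announcement and robpitt's hosts-file workaround: it connects with implicit SSL on the wrapped ports (no STARTTLS), verifies the chain, and reports whether the certificate's names match the host you configured, which is the pop.example.com vs Secure.FutureQuest.net mismatch the warnings are about. The certificate dictionary in the demo is constructed, not the real one.

```python
"""Probe a mail server's SSL-wrapped port and check its certificate names.

Added example, not FutureQuest's code or any mail client's.  It mirrors what
the clients in this thread do internally: connect with implicit SSL/TLS on the
wrapped port (no STARTTLS), verify the certificate chain, then compare the
names in the certificate with the host name you configured.
"""
import socket
import ssl
import sys
from typing import Iterable, List

# Wrapped-port numbers from the announcement (implicit SSL, not STARTTLS).
SSL_PORTS = {"pop3s": 995, "imaps": 993, "smtps": 465}


def cert_names(cert: dict) -> List[str]:
    """Collect the DNS names a parsed certificate (ssl.getpeercert()) claims:
    every subjectAltName DNS entry plus the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern: str, host: str) -> bool:
    """One certificate name against one host: case-insensitive, and a wildcard
    may stand in only for the leftmost label (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def hostname_matches(names: Iterable[str], host: str) -> bool:
    """True if any certificate name covers the configured host."""
    return any(name_matches(n, host) for n in names)


def probe(host: str, service: str, timeout: float = 10.0) -> dict:
    """Connect with implicit TLS, verify the chain against the system trust
    store, and report the certificate's names and whether they match `host`.
    check_hostname is off only so a mismatch is reported rather than aborting
    the handshake; chain verification (CERT_REQUIRED) stays on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, SSL_PORTS[service]), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            greeting = tls.recv(256).decode("ascii", "replace").strip()
    names = cert_names(cert)
    return {"service": service, "host": host, "names": names,
            "matches": hostname_matches(names, host), "greeting": greeting}


# Constructed certificate dictionary standing in for the one the thread describes.
EXAMPLE_CERT = {"subject": ((("commonName", "Secure.FutureQuest.net"),),)}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: probe.py pop.example.com pop3s
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        # Offline demo: the configured name fails, the hosts-file alias succeeds.
        for host in ("pop.example.com", "secure.futurequest.net"):
            verdict = "matches" if hostname_matches(cert_names(EXAMPLE_CERT), host) else "does NOT match"
            print(host, verdict, "the certificate")
```

Run it with a host and one of pop3s, imaps or smtps to probe a live server; with no arguments it only runs the offline comparison.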

NoahM
04-19-2006, 01:16 PM
The downside is you can no longer access any other service hosted on secure.futurequest.net

What other service(s) are hosted on secure.futurequest.net?

Arthur
04-20-2006, 05:31 AM
What other service(s) are hosted on secure.futurequest.net?

The credit card payment forms for one...

-Arthur

Randall
04-20-2006, 08:02 AM
The credit card payment forms for one...

That might present a problem. :winky:

Randall

NoahM
04-20-2006, 11:58 AM
The credit card payment forms for one...
Oh well, I guess I will just have to continue to accept the mismatch every time I restart Outlook.....someday...