Enable TLS on smtp.aa.net.uk: Difference between revisions
m (→Mutt) |
|||
(45 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
=Brief Overview= |
|||
This article as about enabling TLS in your existing email program when sending email through the AAISP email servers (smtp.aa.net.uk). If you are setting up an email program from scratch then simply select/tick the options to use TLS. This page gives help when you want to edit an existing account to enable TLS. |
|||
In short, we recommend that all customers use [https://en.m.wikipedia.org/wiki/Transport_Layer_Security TLS] (Also known as STARTTLS) when sending email through our servers. Here are our recommended settings, which you may want to check against the settings that you currently have in your email program: |
|||
{| class="wikitable" |
|||
!colspan="3"|Outgoing email settings |
|||
|- |
|||
!Outgoing Server |
|||
|smtp.aa.net.uk |
|||
|- |
|||
!Port |
|||
|587 or 25. Given a choice, use 587 |
|||
|- |
|||
!Security |
|||
|STARTTLS (sometimes called TLS) |
|||
|- |
|||
!Authentication |
|||
|Password, and use the same username & password as your IMAP/POP3 settings. |
|||
|} |
|||
=TLS= |
|||
This article is about enabling TLS in your existing email program when sending email through the AAISP email servers (smtp.aa.net.uk). If you are setting up an email program from scratch then simply select/tick the options to use TLS or STARTTLS. This page gives help when you want to edit an existing account to enable TLS. |
|||
==Why do this?== |
==Why do this?== |
||
Firstly, it is good to understand what TLS is and why enabling TLS is good. |
Firstly, it is good to understand what TLS is and why enabling TLS is good. |
||
TLS stands for Transport Layer Security - it is similar to https web pages in that the data sent between your email program is sent securely. This is good as it prevents |
TLS stands for Transport Layer Security - it is similar to https web pages in that the data sent between your email program is sent securely. This is good as it prevents eaves droppers between your computer an our servers from seeing your data (and even your username/password credentials if sending using authentication). TLS also helps confirm that the server you are talking to really is our server and not an impostor on 'man-in-the-middle' as the certificate is tied to the name 'smtp.aa.net.uk' and your email program should give a warning if the certificate does not match. |
||
[[File:SMTP-TLS.svg|none|frame|Enabling TLS is the connection between you and the AAISP email server.]] |
[[File:SMTP-TLS.svg|none|frame|Enabling TLS is the connection between you and the AAISP email server, the rest of the connections are out of our hands though.]] |
||
It |
It is useful to know that enabling TLS in your email program only affects how you send email to our servers. Once we have received your email we will then send it onwards to the recipients email server. Where possible our servers will also use TLS but if the recipient server does not support TLS then the email will be sent without any encryption. Beyond that it's outside of your or our control. |
||
Enabling TLS is different from encrypting your actual message |
Enabling TLS is different from encrypting your actual message. TLS will encrypt the data between you and the AAISP mail servers - hiding the metadata and so on. If you want to ensure only the recipient can read your message then this can be done by encrypting the message with PGP or S/MIME. |
||
You can read more about TLS on the [https://en.wikipedia.org/wiki/Transport_Layer_Security Wikipedia page] |
You can read more about TLS on the [https://en.wikipedia.org/wiki/Transport_Layer_Security Wikipedia page] |
||
==Certificate Warnings== |
==Certificate Warnings== |
||
You should not get a certificate warning when using our outgoing mail server, if you do then please check that the smtp server is set to: smtp.aa.net.uk as other variations will give a warning that the server name does not match the security certificate. |
You should not get a certificate warning when using our outgoing mail server, if you do then please check that the smtp server is set to: smtp.aa.net.uk as other variations will give a warning that the server name does not match the security certificate. If you do get a warning then that may mean that you are not talking to our servers and you should check the error message and the certificate carefully. If in doubt then please contact Support. |
||
== What we don't support== |
|||
We don't support port 465 as this is deprecated and replaced with using TLS or STARTTLS on ports 25 or 587. |
|||
== What if my email program or device doesn't support TLS? == |
|||
Modern email programs that you use on a computer or mobile device should be capable of supporting modern TLS ciphers - if not then the program is probably very old, out of date and will have other problems. It would be best to upgrade - If you're not sure, then Mozilla's Thunderbird is a good choice. |
|||
Some devices such as webcams, DVRs, and so on the want to send email may lack TLS features. If this is the case, then do check for firmware updates. |
|||
If you are sending from outside of our network, i.e. using another broadband or mobile provider, then you will be using authentication. This involves sending your username and password across the internet to our servers. This should be done with TLS enabled as otherwise your credentials could be seen by other people who could steal your password and cause mayhem! |
|||
At the moment (2016-12), for legacy reasons, we still do allow customers to send authenticated email without TLS - this is a risk and it is a feature we want to disable in the near future. We will then only allow authenticated email over TLS. If a customer needs to send email when not using our broadband services and cannot support TLS then we'd have to suggest to use the email services provided by the ISP you are connected to. |
|||
We do allow customers on our broadband services to send email without authentication and this can be with TLS enabled or disabled, but we'd always suggest enabling TLS |
|||
Here is a summary table of sending email on A&A and other 3rd party broadband providers: |
|||
{| class="wikitable" |
|||
!colspan="4"|Requirements for sending email through smtp.aa.net.uk |
|||
|- |
|||
!Broadband |
|||
!TLS |
|||
!Authentication |
|||
!Port |
|||
|- |
|||
!A&A Broadband |
|||
|Optional, but recommended |
|||
|Optional, but recommended |
|||
|587 |
|||
|- |
|||
!Non A&A Broadband |
|||
|Required |
|||
|Required |
|||
|587 |
|||
|- |
|||
|} |
|||
=How to Enable TLS= |
=How to Enable TLS= |
||
Line 27: | Line 82: | ||
Load Thunderbird/Icedove, then go to: |
Load Thunderbird/Icedove, then go to: |
||
Edit (or Tools) -> Account Settings -> Outgoing Server (SMTP) -> Edit -> Set "Connection security: STARTTLS" |
Edit (or Tools) -> Account Settings -> Outgoing Server (SMTP) -> Edit -> Set "Connection security: STARTTLS" |
||
[[File:Thunderbird-smtp-tls.png|none|frame|TLS settings on Thunderbird]] |
|||
Ensure that you '''don't''' have the connection security set to 'SSL/TLS |
|||
== Windows Live Mail == |
== Windows Live Mail == |
||
Line 39: | Line 98: | ||
Load Outlook then go to: |
Load Outlook then go to: |
||
Tools -> Account Settings... -> Change -> More Settings -> Advanced -> Set "Use the following type of encrypted connection: TLS"" |
Tools -> Account Settings... -> Change -> More Settings -> Advanced -> Set "Use the following type of encrypted connection: TLS"" |
||
== Eudora == |
|||
We'd suggest not using Eudora as it is old and unsupported software which is probably using outdated encryption ciphers. |
|||
Qualcomm is no longer developing Eudora OSE and its community support forum no longer exists. Furthermore, the last released version is based on an old version of Thunderbird which is no longer supported, has many bugs and performance problems, and known security issues. Users might like to try Thunderbird as an alternative email program. |
|||
Source [https://wiki.mozilla.org/Eudora_OSE wiki.mozilla.org] |
|||
== OSX Mail == |
|||
It looks like (at least Sierra) Mail automatically manages the security and will pick port 587 and TLS - which is good. To check this: |
|||
Open the Mac Mail App |
|||
Mail --> Preferences --> Click on the email account --> Check that 'Automatically manage connection settings' is enabled. |
|||
If you untick 'Automatically manage connection settings' then you can see that it uses: Port: 587, Use TLS/SSL: Ticked, Authentication: Password. |
|||
== iPhone default mail app== |
== iPhone default mail app== |
||
From the phone, go to: |
From the phone, go to: |
||
Settings -> Mail, Contact, Calendars -> Choose your email account -> Advanced -> SMTP -> Set "Use SSL: ON" |
Settings -> Mail, Contact, Calendars -> Choose your email account -> Advanced -> SMTP -> Set "Use SSL: ON" |
||
== iPad default mail app == |
|||
From the iPad go to: |
|||
Settings -> Mail -> Accounts -> Choose your email account -SMTP -> Choose the Primary Server -> set Host Name=smtp.aa.net.uk, use SSL=On, Server Port=587 |
|||
== Android (possibly older) default Email app== |
== Android (possibly older) default Email app== |
||
Line 53: | Line 128: | ||
== Mutt == |
== Mutt == |
||
Mutt will |
Mutt will make use of your machine's local MTA (e.g. sendmail, exim, postfix etc.) - so look at the documentation for that for more information. |
||
Typically, you can enable TLS with the following entries in your .muttrc: |
|||
<syntaxhighlight lang="shell"> |
|||
set ssl_starttls=yes |
|||
set ssl_force_tls=yes |
|||
</syntaxhighlight> |
|||
You will also need to ensure that you have specified port 587 at the end of the smtp_url. |
|||
== Other Email programs== |
== Other Email programs== |
||
There is usually an option to enable "TLS" or "STARTTLS" in the email account settings. |
There is usually an option to enable "TLS" or "STARTTLS" in the email account settings. |
||
= Seeing TLS in action = |
|||
To test if TLS is actually working, you can send yourself an email then look at the [[Email Viewing Headers|headers]] and look for the Received lines showing the connection between your computer and smtp.aa.net.uk: |
|||
<syntaxhighlight lang="shell"> |
|||
Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8]) |
|||
by smtp.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) |
|||
</syntaxhighlight> |
|||
Here you can see that TLS 1.2 was with ECDHE_RSA_AES_128_GCM_SHA256:128 |
|||
An email sent without TLS would look similar, but would not show any TLS information. |
|||
<syntaxhighlight lang="shell"> |
|||
Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8]) |
|||
by smtp.aa.net.uk with esmtp |
|||
</syntaxhighlight> |
|||
[[Category:Email How to]] |
Latest revision as of 20:36, 18 April 2023
Brief Overview
In short, we recommend that all customers use TLS (Also known as STARTTLS) when sending email through our servers. Here are our recommended settings, which you may want to check against the settings that you currently have in your email program:
Outgoing email settings | ||
---|---|---|
Outgoing Server | smtp.aa.net.uk | |
Port | 587 or 25. Given a choice, use 587 | |
Security | STARTTLS (sometimes called TLS) | |
Authentication | Password, and use the same username & password as your IMAP/POP3 settings. |
TLS
This article is about enabling TLS in your existing email program when sending email through the AAISP email servers (smtp.aa.net.uk). If you are setting up an email program from scratch then simply select/tick the options to use TLS or STARTTLS. This page gives help when you want to edit an existing account to enable TLS.
Why do this?
Firstly, it is good to understand what TLS is and why enabling TLS is good.
TLS stands for Transport Layer Security - it is similar to https web pages in that the data sent between your email program is sent securely. This is good as it prevents eaves droppers between your computer an our servers from seeing your data (and even your username/password credentials if sending using authentication). TLS also helps confirm that the server you are talking to really is our server and not an impostor on 'man-in-the-middle' as the certificate is tied to the name 'smtp.aa.net.uk' and your email program should give a warning if the certificate does not match.
It is useful to know that enabling TLS in your email program only affects how you send email to our servers. Once we have received your email we will then send it onwards to the recipients email server. Where possible our servers will also use TLS but if the recipient server does not support TLS then the email will be sent without any encryption. Beyond that it's outside of your or our control.
Enabling TLS is different from encrypting your actual message. TLS will encrypt the data between you and the AAISP mail servers - hiding the metadata and so on. If you want to ensure only the recipient can read your message then this can be done by encrypting the message with PGP or S/MIME.
You can read more about TLS on the Wikipedia page
Certificate Warnings
You should not get a certificate warning when using our outgoing mail server, if you do then please check that the smtp server is set to: smtp.aa.net.uk as other variations will give a warning that the server name does not match the security certificate. If you do get a warning then that may mean that you are not talking to our servers and you should check the error message and the certificate carefully. If in doubt then please contact Support.
What we don't support
We don't support port 465 as this is deprecated and replaced with using TLS or STARTTLS on ports 25 or 587.
What if my email program or device doesn't support TLS?
Modern email programs that you use on a computer or mobile device should be capable of supporting modern TLS ciphers - if not then the program is probably very old, out of date and will have other problems. It would be best to upgrade - If you're not sure, then Mozilla's Thunderbird is a good choice.
Some devices such as webcams, DVRs, and so on the want to send email may lack TLS features. If this is the case, then do check for firmware updates.
If you are sending from outside of our network, i.e. using another broadband or mobile provider, then you will be using authentication. This involves sending your username and password across the internet to our servers. This should be done with TLS enabled as otherwise your credentials could be seen by other people who could steal your password and cause mayhem!
At the moment (2016-12), for legacy reasons, we still do allow customers to send authenticated email without TLS - this is a risk and it is a feature we want to disable in the near future. We will then only allow authenticated email over TLS. If a customer needs to send email when not using our broadband services and cannot support TLS then we'd have to suggest to use the email services provided by the ISP you are connected to.
We do allow customers on our broadband services to send email without authentication and this can be with TLS enabled or disabled, but we'd always suggest enabling TLS
Here is a summary table of sending email on A&A and other 3rd party broadband providers:
Requirements for sending email through smtp.aa.net.uk | |||
---|---|---|---|
Broadband | TLS | Authentication | Port |
A&A Broadband | Optional, but recommended | Optional, but recommended | 587 |
Non A&A Broadband | Required | Required | 587 |
How to Enable TLS
Different email clients have different ways to enable TLS, usually it is just a tick box in the email account settings. Here are some pointers:
AAISP Webmail
The AAISP webmail will send email via TLS already.
Thunderbird & Icedove
Load Thunderbird/Icedove, then go to:
Edit (or Tools) -> Account Settings -> Outgoing Server (SMTP) -> Edit -> Set "Connection security: STARTTLS"
Ensure that you don't have the connection security set to 'SSL/TLS
Windows Live Mail
Load Live Mail then go to:
Accounts -> select your account -> Properties -> Advanced -> Under Outgoing mail (SMTP) Tick "This server requires a a secure connection"
Outlook (newer eg 2010)
Load Outlook then go to:
File -> Info -> Accounts Settings -> Select your account -> Change -> More Settings -> Advanced -> Set "Use the following type of encrypted connection: TLS"
Outlook (older, eg 2003)
Load Outlook then go to:
Tools -> Account Settings... -> Change -> More Settings -> Advanced -> Set "Use the following type of encrypted connection: TLS""
Eudora
We'd suggest not using Eudora as it is old and unsupported software which is probably using outdated encryption ciphers.
Qualcomm is no longer developing Eudora OSE and its community support forum no longer exists. Furthermore, the last released version is based on an old version of Thunderbird which is no longer supported, has many bugs and performance problems, and known security issues. Users might like to try Thunderbird as an alternative email program. Source wiki.mozilla.org
OSX Mail
It looks like (at least Sierra) Mail automatically manages the security and will pick port 587 and TLS - which is good. To check this: Open the Mac Mail App
Mail --> Preferences --> Click on the email account --> Check that 'Automatically manage connection settings' is enabled.
If you untick 'Automatically manage connection settings' then you can see that it uses: Port: 587, Use TLS/SSL: Ticked, Authentication: Password.
iPhone default mail app
From the phone, go to:
Settings -> Mail, Contact, Calendars -> Choose your email account -> Advanced -> SMTP -> Set "Use SSL: ON"
iPad default mail app
From the iPad go to:
Settings -> Mail -> Accounts -> Choose your email account -SMTP -> Choose the Primary Server -> set Host Name=smtp.aa.net.uk, use SSL=On, Server Port=587
Android (possibly older) default Email app
Load the Email app then go to:
Menu -> Settings -> Tap the cog icon next to your account -> Outgoing settings -> Set "Security type: STARTTLS
K9 (Android)
Load K9 then go to:
Select the email account -> Settings -> Account Settings -> Sending mail -> Outgoing Server -> Set "Security: STARTTLS"
Mutt
Mutt will make use of your machine's local MTA (e.g. sendmail, exim, postfix etc.) - so look at the documentation for that for more information.
Typically, you can enable TLS with the following entries in your .muttrc:
set ssl_starttls=yes
set ssl_force_tls=yes
You will also need to ensure that you have specified port 587 at the end of the smtp_url.
Other Email programs
There is usually an option to enable "TLS" or "STARTTLS" in the email account settings.
Seeing TLS in action
To test if TLS is actually working, you can send yourself an email then look at the headers and look for the Received lines showing the connection between your computer and smtp.aa.net.uk:
Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])
by smtp.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
Here you can see that TLS 1.2 was with ECDHE_RSA_AES_128_GCM_SHA256:128
An email sent without TLS would look similar, but would not show any TLS information.
Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])
by smtp.aa.net.uk with esmtp