Enable TLS on smtp.aa.net.uk: Difference between revisions
Content deleted Content added
m →Mutt  | 
				|||
| (14 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
=Brief Overview=  | 
|||
| ⚫ | This article   | 
  ||
In short, we recommend that all customers use [https://en.m.wikipedia.org/wiki/Transport_Layer_Security TLS] (Also known as STARTTLS) when sending email through our servers. Here are our recommended settings, which you may want to check against the settings that you currently have in your email program:  | 
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | TLS stands for Transport Layer Security - it is similar to https web pages in that the data sent between your email program is sent securely. This is good as it prevents eaves droppers between your computer an our servers from seeing your data (and even your username/password credentials if sending using authentication). TLS also helps confirm that the server you are talking to really is our server and not an impostor on 'man-in-the-middle' as the certificate is tied to the name 'smtp.aa.net.uk' and your email program should give a warning if the certificate does not match.  | 
  ||
| ⚫ | |||
| ⚫ | It is useful to know that enabling TLS in your email program only affects how you send email to our servers. Once we have received your email we will then send it onwards to the recipients email server. Where possible our servers will also use TLS but if the recipient server does not support TLS then the email will be sent without any encryption. Beyond that it's outside of your or our control.  | 
  ||
| ⚫ | |||
| ⚫ | |||
== Recommended Settings ==  | 
  |||
{| class="wikitable"  | 
  {| class="wikitable"  | 
||
!colspan="3"|Outgoing email settings  | 
  !colspan="3"|Outgoing email settings  | 
||
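Review bot: The new opening sentence "we recommend that all customers use TLS (Also known as STARTTLS)" presents the two as synonyms, but STARTTLS is the SMTP command that upgrades an already-open plaintext session to TLS, not another name for TLS itself, and the moved paragraph further down already distinguishes them ("select/tick the options to use TLS or STARTTLS"). Suggest "use TLS (usually offered as the STARTTLS option in your email program)", with a lower-case "also" if the parenthetical is kept.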
| Line 30: | Line 16: | ||
|Password, and use the same username & password as your IMAP/POP3 settings.  | 
  |Password, and use the same username & password as your IMAP/POP3 settings.  | 
||
|}  | 
  |}  | 
||
=TLS=  | 
|||
| ⚫ | This article is about enabling TLS in your existing email program when sending email through the AAISP email servers (smtp.aa.net.uk). If you are setting up an email program from scratch then simply select/tick the options to use TLS or STARTTLS. This page gives help when you want to edit an existing account to enable TLS.  | 
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | TLS stands for Transport Layer Security - it is similar to https web pages in that the data sent between your email program is sent securely. This is good as it prevents eaves droppers between your computer an our servers from seeing your data (and even your username/password credentials if sending using authentication). TLS also helps confirm that the server you are talking to really is our server and not an impostor on 'man-in-the-middle' as the certificate is tied to the name 'smtp.aa.net.uk' and your email program should give a warning if the certificate does not match.  | 
||
| ⚫ | |||
| ⚫ | It is useful to know that enabling TLS in your email program only affects how you send email to our servers. Once we have received your email we will then send it onwards to the recipients email server. Where possible our servers will also use TLS but if the recipient server does not support TLS then the email will be sent without any encryption. Beyond that it's outside of your or our control.  | 
||
| ⚫ | |||
| ⚫ | |||
==Certificate Warnings==  | 
  ==Certificate Warnings==  | 
||
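Review bot: The paragraph moved under the new =TLS= heading carries several typos that should be fixed in the same edit: "eaves droppers" should be "eavesdroppers", "between your computer an our servers" should be "and our servers", "not an impostor on 'man-in-the-middle'" should be "or a 'man-in-the-middle'", and "the recipients email server" should be "the recipient's email server". The clause "the data sent between your email program is sent securely" is also missing its second endpoint; suggest "the data sent between your email program and our server is encrypted".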
| Line 38: | Line 40: | ||
== What if my email program or device doesn't support TLS? ==  | 
  == What if my email program or device doesn't support TLS? ==  | 
||
Modern email programs that you use on a computer or mobile device should be capable of supporting modern TLS ciphers - if not then the program is probably very old, out of date and will have other problems. It would be best to upgrade - Mozilla's Thunderbird is a good choice.  | 
  Modern email programs that you use on a computer or mobile device should be capable of supporting modern TLS ciphers - if not then the program is probably very old, out of date and will have other problems. It would be best to upgrade - If you're not sure, then Mozilla's Thunderbird is a good choice.  | 
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | If you are sending from outside of our network,   | 
  ||
| ⚫ | If you are sending from outside of our network, i.e. using another broadband or mobile provider, then you will be using authentication. This involves sending your username and password across the internet to our servers. This should be done with TLS enabled as otherwise your credentials could be seen by other people who could steal your password and cause mayhem!  | 
||
| ⚫ | At the moment, for legacy reasons, we still do allow customers to send authenticated email without TLS - this is a risk and it is a feature we want to disable in the near future. We will then only allow authenticated email over TLS. If a customer needs to send email when not using our broadband services and cannot support TLS then we'd have to suggest to use the email services provided by the ISP.  | 
  ||
| ⚫ | At the moment (2016-12), for legacy reasons, we still do allow customers to send authenticated email without TLS - this is a risk and it is a feature we want to disable in the near future. We will then only allow authenticated email over TLS. If a customer needs to send email when not using our broadband services and cannot support TLS then we'd have to suggest to use the email services provided by the ISP you are connected to.  | 
||
| ⚫ | |||
| ⚫ | |||
Here is a summary table:  | 
  |||
Here is a summary table of sending email on A&A and other 3rd party broadband providers:  | 
|||
{| class="wikitable"  | 
  {| class="wikitable"  | 
||
!colspan="  | 
  !colspan="4"|Requirements for sending email through smtp.aa.net.uk  | 
||
|-  | 
  |-  | 
||
!Broadband  | 
  !Broadband  | 
||
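Review bot: In the edited line "It would be best to upgrade - If you're not sure, then Mozilla's Thunderbird is a good choice", the capital "If" after the dash makes a run-on; suggest two sentences: "It would be best to upgrade. If you're not sure which program to use, Mozilla's Thunderbird is a good choice." Adding "(2016-12)" to the legacy paragraph is a good change, since it tells a later reader when the exception allowing authentication without TLS was still in force; in the same paragraph "we'd have to suggest to use the email services" should read "we'd have to suggest using the email services".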
| Line 60: | Line 61: | ||
|-  | 
  |-  | 
||
!A&A Broadband  | 
  !A&A Broadband  | 
||
|Optional, but   | 
  |Optional, but recommended  | 
||
|Optional, but   | 
  |Optional, but recommended  | 
||
|587  | 
  |587  | 
||
|-  | 
  |-  | 
||
| Line 127: | Line 128: | ||
== Mutt ==  | 
  == Mutt ==  | 
||
Mutt will   | 
  Mutt will make use of your machine's local MTA (e.g. sendmail, exim, postfix etc.) - so look at the documentation for that for more information.  | 
||
Typically, you can enable TLS with the following entries in your .muttrc:  | 
  Typically, you can enable TLS with the following entries in your .muttrc:  | 
||
<syntaxhighlight lang=shell>  | 
  <syntaxhighlight lang="shell">  | 
||
set ssl_starttls=yes  | 
  set ssl_starttls=yes  | 
||
set ssl_force_tls=yes  | 
  set ssl_force_tls=yes  | 
||
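Review bot: The Mutt section's first line says Mutt will hand mail to the local MTA, but the .muttrc entries that follow (ssl_starttls, ssl_force_tls) only govern connections Mutt opens itself, e.g. when its smtp_url variable points at smtp.aa.net.uk; when delivery goes through sendmail, exim or postfix, TLS has to be enabled in that MTA's configuration instead. Suggest saying which setup the entries are for, e.g. "If you have Mutt deliver directly via smtp_url rather than through a local MTA, enable TLS with the following entries in your .muttrc". Quoting the attribute as lang="shell" is fine, though the block is a muttrc fragment rather than shell.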
| Line 143: | Line 144: | ||
To test if TLS is actually working, you can send yourself an email then look at the [[Email Viewing Headers|headers]] and look for the Received lines showing the connection between your computer and smtp.aa.net.uk:  | 
  To test if TLS is actually working, you can send yourself an email then look at the [[Email Viewing Headers|headers]] and look for the Received lines showing the connection between your computer and smtp.aa.net.uk:  | 
||
<syntaxhighlight>  | 
  <syntaxhighlight lang="shell">  | 
||
Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])  | 
  Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])  | 
||
	by smtp.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)  | 
  	by smtp.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)  | 
||
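Review bot: The test should tell readers which Received line to read, since a message collects one Received header per hop and only the hop from their own machine to smtp.aa.net.uk is affected by their client's TLS setting; in the example that is the line "Received: from andrew.ec.aa.net.uk ... by smtp.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)", and the marker is "esmtps" followed by the parenthesised TLS version and cipher. Suggest adding a sentence such as "Find the Received line whose 'from' is your own machine or connection and whose 'by' is smtp.aa.net.uk; 'esmtps' with the TLS details in brackets means that hop was encrypted."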
| Line 152: | Line 153: | ||
An email sent without TLS would look similar, but would not show any TLS information.  | 
  An email sent without TLS would look similar, but would not show any TLS information.  | 
||
<syntaxhighlight>  | 
  <syntaxhighlight lang="shell">  | 
||
Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])  | 
  Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])  | 
||
	by smtp.aa.net.uk with esmtp  | 
  	by smtp.aa.net.uk with esmtp  | 
||
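Review bot: The syntaxhighlight tag for this plaintext example (and the matching one above) is now lang="shell", but the content is a mail header extract rather than a shell session, so the shell lexer may colour "Received:" and the bracketed address oddly; lang="text" renders it verbatim and still avoids the missing-language error. The sentence "would not show any TLS information" would also be more useful if it named the marker: the hop line ends in plain "with esmtp" instead of "with esmtps (TLS...)", which is exactly what a reader should treat as an unencrypted submission and a prompt to re-check their client settings.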