Enable TLS on smtp.aa.net.uk

From AAISP Support Site
Revision as of 10:34, 25 November 2016 by Andy (talk | contribs) (Updated mutt section)

This article is about enabling TLS in your existing email program when sending email through the AAISP email servers (smtp.aa.net.uk). If you are setting up an email program from scratch then simply select/tick the options to use TLS. This page gives help when you want to edit an existing account to enable TLS.

Why do this?

Firstly, it is good to understand what TLS is and why enabling it is a good idea.

TLS stands for Transport Layer Security. It is similar to https web pages in that the data sent between your email program and our servers is sent securely. This is good as it prevents eavesdroppers between your computer and our servers from seeing your data (and even your username/password credentials if you are sending using authentication). TLS also helps confirm that the server you are talking to really is our server and not an impostor or 'man-in-the-middle', as the certificate is tied to the name 'smtp.aa.net.uk' and your email program should give a warning if the certificate does not match.

Enabling TLS secures the connection between you and the AAISP email server; the rest of the connections are out of our hands though.

It is useful to know that enabling TLS in your email program only affects how you send email to our servers. Once we have received your email we will then send it onwards to the recipient's email server. Where possible our servers will also use TLS, but if the recipient server does not support TLS then the email will be sent without any encryption. Beyond that it's outside of your or our control.

Enabling TLS is different from encrypting your actual message. TLS will encrypt the data between you and the AAISP mail servers - hiding the metadata and so on. If you want to ensure only the recipient can read your message then this can be done by encrypting the message with PGP or S/MIME.

You can read more about TLS on the Wikipedia page.

Certificate Warnings

You should not get a certificate warning when using our outgoing mail server. If you do, then please check that the SMTP server is set to smtp.aa.net.uk, as other variations will give a warning that the server name does not match the security certificate.

How to Enable TLS

Example TLS setting from an email program.

Different email clients have different ways to enable TLS; usually it is just a tick box in the email account settings. Here are some pointers:

AAISP Webmail

The AAISP webmail will send email via TLS already.

Thunderbird & Icedove

Load Thunderbird/Icedove, then go to:

Edit (or Tools) -> Account Settings -> Outgoing Server (SMTP) -> Edit -> Set "Connection security: STARTTLS"

Windows Live Mail

Load Live Mail then go to:

Accounts -> select your account -> Properties -> Advanced -> Under Outgoing mail (SMTP) tick "This server requires a secure connection"

Outlook (newer eg 2010)

Load Outlook then go to:

File -> Info -> Accounts Settings -> Select your account -> Change -> More Settings -> Advanced -> Set "Use the following type of encrypted connection: TLS"

Outlook (older, eg 2003)

Load Outlook then go to:

Tools -> Account Settings... -> Change -> More Settings -> Advanced -> Set "Use the following type of encrypted connection: TLS"

iPhone default mail app

From the phone, go to:

Settings -> Mail, Contacts, Calendars -> Choose your email account -> Advanced -> SMTP -> Set "Use SSL: ON"

Android (possibly older) default Email app

Load the Email app then go to:

Menu -> Settings -> Tap the cog icon next to your account -> Outgoing settings -> Set "Security type: STARTTLS"

K9 (Android)

Load K9 then go to:

Select the email account -> Settings -> Account Settings -> Sending mail -> Outgoing Server -> Set "Security: STARTTLS"

Mutt

Mutt will use your machine's local MTA (e.g. sendmail, exim, postfix, etc.), so look at the documentation for that MTA for more information.

Typically, you can enable TLS with the following entries in your .muttrc:

set ssl_starttls=yes
set ssl_force_tls=yes

You will also need to ensure that you have specified port 587 at the end of the smtp_url.

Other Email programs

There is usually an option to enable "TLS" or "STARTTLS" in the email account settings.

Seeing TLS in action

To test if TLS is actually working, you can send yourself an email then look at the headers and look for the Received lines showing the connection between your computer and smtp.aa.net.uk:

Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])
	by smtp.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)

Here you can see that TLS 1.2 was used, with the cipher suite ECDHE_RSA_AES_128_GCM_SHA256 (a 128-bit key).

An email sent without TLS would look similar, but would not show any TLS information.

Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])
	by smtp.aa.net.uk with esmtp
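A small script, added here as an example and not part of the original page, that reads a saved message and reports whether the hop into smtp.aa.net.uk was made over TLS. The two sample messages are constructed from the Received headers shown above; the "esmtps" protocol word and the bracketed TLS version/cipher are the formatting our server writes, as seen in those headers.

```python
import re
from email import message_from_string

# Constructed sample messages (headers only), built from the two Received
# headers shown above; the first hop was made over TLS, the second was not.
SAMPLE_TLS = """Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])
\tby smtp.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
"""
SAMPLE_PLAIN = """Received: from andrew.ec.aa.net.uk ([2001:8b0:1:ec::8])
\tby smtp.aa.net.uk with esmtp
"""

# Matches the "by <server> with <protocol> (TLS...)" part of a Received header.
# The server writes "esmtps" ("esmtpsa" when authenticated) and appends the
# TLS version and cipher in brackets when the connection was encrypted.
HOP_RE = re.compile(
    r"\bby\s+(?P<server>\S+)\s+with\s+(?P<proto>esmtpsa?|esmtpa?|smtp)\b"
    r"(?:\s+\((?P<tls>TLS[^)]*)\))?",
    re.IGNORECASE,
)

def received_hops(raw_message):
    """One dict per Received header: server, protocol, TLS version and cipher."""
    hops = []
    for header in message_from_string(raw_message).get_all("Received", []):
        m = HOP_RE.search(" ".join(header.split()))  # unfold the header first
        if not m:
            continue
        version = cipher = None
        if m.group("tls"):
            parts = m.group("tls").split(":")  # e.g. TLS1.2:<cipher>:<bits>
            version, cipher = parts[0], (parts[1] if len(parts) > 1 else None)
        hops.append({"server": m.group("server").lower(),
                     "protocol": m.group("proto").lower(),
                     "tls_version": version, "cipher": cipher})
    return hops

def submission_used_tls(raw_message, server="smtp.aa.net.uk"):
    """True/False for the hop into `server`; None if no hop through it is found."""
    for hop in received_hops(raw_message):
        if hop["server"] == server:
            return hop["tls_version"] is not None or hop["protocol"].startswith("esmtps")
    return None

if __name__ == "__main__":
    for name, sample in (("TLS sample", SAMPLE_TLS), ("plain sample", SAMPLE_PLAIN)):
        print(name, received_hops(sample), "-> TLS used:", submission_used_tls(sample))
```

To check a real message, save it with full headers from your email program and pass the file contents to submission_used_tls().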