
This is an old revision of the document!


Secure IMAP/POP3 and SMTP FAQ

Q: What is the difference between secure mail access and insecure access?

A: The concept is similar to HTTP and HTTPS. Secure mail access establishes an encrypted connection between you and the server, so that no other person or machine can observe what you are transferring, including your password and email content.

Q: My email has no secret, why should I use secure access?

A: Your password is. If your password is exposed, the person who obtains it may gain control of your email account: logging in to your webmail system (and even changing your password), grabbing all your contacts and, most importantly, using your identity to send out malicious emails. You will get blacklisted, your business associates will make payments to the hackers’ bank accounts, or even receive ransomware emails from you.

Q: Why does my mail client warn me "the secure certificate is invalid" or "cannot verify server identity"?

A: That's because each certificate has to be verified against the server name that you connect to. If you connect to mail.your-domain.com, your mail application will warn you because the certificate belongs to a different name, such as *.agnx.com. You can safely accept the certificate coming from agnx.com as it is the AfterOffice Global Network Exchange domain.

Q: Which secure connection should I use? SSL or STARTTLS?

A: In most cases, your mail client will decide which method is best to use. If you configure your mail client manually to connect to port 995 (POP3) or 993 (IMAP), SSL will be used instead of STARTTLS. If your configuration still uses a “standard port” like 110, 143 or 587, STARTTLS is the way to enable a secure connection on these ports. Neither is “better” than the other; the choice depends on what your mail application prefers and on your network firewall (some ISPs block access to SMTP port 25, and some corporate networks block all “insecure ports”).

Q: What is the difference between SSL and STARTTLS?

A: SSL is easier to configure as it is usually associated with a dedicated port number, although you need to get the port number right because SSL will be assumed to be running on that port. You cannot connect to port 110 with SSL, for example, as that port is reserved for plain POP3 connections (the secure POP3 port is 995). STARTTLS is more advanced, since it is usually supported on the original ports (110 for POP3, 143 for IMAP, 25 and 587 for SMTP, etc.). Connections to these “standard ports” have to use STARTTLS, which works like a hybrid connection: it starts as plain and switches to SSL after the connection is established. AfterOffice offers both SSL and STARTTLS on the related ports.
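The two connection styles described above, as an added Python example (not AfterOffice's code). The function names are chosen here for illustration, and the host name passed to `connect()` is whatever server name your provider gives you.

```python
import imaplib, poplib, smtplib, ssl

# Ports named in this FAQ: dedicated SSL ports vs. "standard" ports upgraded by STARTTLS.
IMPLICIT_TLS = {("pop3", 995), ("imap", 993), ("smtp", 465)}
STARTTLS = {("pop3", 110), ("imap", 143), ("smtp", 25), ("smtp", 587)}

def tls_mode(protocol, port):
    """Return 'ssl' or 'starttls' for a (protocol, port) pair from the FAQ."""
    key = (protocol.lower(), port)
    if key in IMPLICIT_TLS:
        return "ssl"
    if key in STARTTLS:
        return "starttls"
    raise ValueError(f"no secure mode known for {protocol} on port {port}")

def make_context():
    """TLS context that checks the certificate chain and the server name."""
    return ssl.create_default_context()

def connect(protocol, host, port, timeout=10):
    """Open an encrypted session; the caller logs in only after this returns."""
    mode, ctx, proto = tls_mode(protocol, port), make_context(), protocol.lower()
    if proto == "imap":
        if mode == "ssl":  # encrypted from the first byte
            return imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
        conn = imaplib.IMAP4(host, port, timeout=timeout)  # starts as plain text
        conn.starttls(ssl_context=ctx)                     # then switches to TLS
        return conn
    if proto == "pop3":
        if mode == "ssl":
            return poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
        conn = poplib.POP3(host, port, timeout=timeout)
        conn.stls(context=ctx)
        return conn
    if mode == "ssl":
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    conn = smtplib.SMTP(host, port, timeout=timeout)
    conn.starttls(context=ctx)  # raises if the server does not offer STARTTLS
    return conn
```

In the STARTTLS branches the upgrade call raises an exception when the server does not offer it, so the session never silently continues in plain text.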

Q: Do I need to use a more sophisticated password authentication method like CRAM-MD5?

A: Yes, if you are still connecting to your mail server without SSL or STARTTLS. It is not necessary (but good to have) if you already connect with SSL or STARTTLS. It is safe to use “plain” password authentication once your connection is secured.

Q: I don't have a STARTTLS option, so why does the connection to the standard IMAP/POP3/SMTP ports still work with SSL?

A: Some mail clients don't advertise or distinguish between SSL and STARTTLS. They simply label both SSL and STARTTLS connections as “SSL”.

Q: I have an "SSL - accept all certs" option, should I use it?

A: Yes, it means the mail client will accept any certificate even if the host name does not match, which is generally fine. If you would like to establish your own SSL certificate with your own domain, write to us at support@afteroffice.com.

Q: Why is it that I can only use STARTTLS for SMTP port 587?

A: For legacy reasons, port 587 has been offered as an alternative to SMTP port 25, where only plain traffic is supported. To add security to port 587, it has to be offered via STARTTLS. There is an unofficial SSL port for SMTP at 465 (mostly for Microsoft mail clients and services) if you insist on using an SSL port instead.

Q: Why can't I use port 25 as SMTP?

A: If you have trouble setting up port 25 for SMTP, it is likely that your ISP or corporate network has blocked it to prevent abuse. Use port 587 instead.

Q: I am still on a pretty old system and my mail application has limited support for SSL, should I be worried?

A: Make sure you don't use the “plain” password authentication method (CRAM-MD5 is a good alternative) and stay away from public networks (open Wi-Fi); then you should be fine.

faq/email/secure_imap_pop3_smtp_faq.1565056694.txt.gz · Last modified: 2019/08/06 09:58 by vikki