User Tools

Site Tools


how_to:encrypt_sessions

How To Encrypt Sessions

VPOP3 Enterprise 2.6 and later supports SSL/STARTTLS encrypted sessions to VPOP3 itself. So, the email client or web browser will encrypt the data passed to VPOP3 so it cannot be intercepted.

This requires an SSL Certificate to be created for VPOP3.

VPOP3 supports two methods of encryption:

  1. SSL - this is an old method of encrypting sessions which is not supported by the standards. However, some popular email clients such as Microsoft Outlook & Outlook Express only support this method. Other email clients such as Mozilla Thunderbird also support this for backward compatibility. SSL connections are usually done on a different TCP port from normal (eg POP3 is on port 110, POP3S is on port 995). SSL connections are encrypted from the start, so any connections on that port MUST be encrypted.
  2. STARTTLS - (this is called 'TLS' in older versions of VPOP3) this is the encryption method supported by the standards. This is supported by the more modern email clients such as Mozilla Thunderbird, Opera, etc. Older versions of Outlook & Outlook Express do not support this method, but recent versions of Outlook do. STARTTLS connections are carried out on the same port as normal (eg port 110 for POP3). With STARTTLS connections they start off unencrypted, then the client tells the server it wants an encrypted session, so it becomes encrypted. With STARTTLS you can tell VPOP3 to either allow plain or encrypted sessions, or to require encrypted sessions.

STARTTLS encryption can be used for incoming SMTP connections, if the sending SMTP server supports STARTTLS as well as the receiving server. SSL encryption cannot be used for incoming SMTP connections. For any SMTP server which allows incoming connections, you must allow either encrypted or plain sessions, or some mail senders will not be able to send mail to you.

STARTTLS is the recommended method for encryption data for POP3, SMTP and IMAP4, however if you have to support Microsoft Outlook Express or old versions of Microsoft Outlook for some reason, then you will have to use the deprecated SSL method as well.

Installing a certificate

Before you can use STARTTLS or SSL on one of the VPOP3 services you must create and install the certificate.

There are several ways to create a certificate.

Once you have one:

  • if you are using VPOP3 Enterprise v6.8 or later, go to Services → General → SSL Settings in the VPOP3 settings, and copy/paste the certificate PEM file text (and any required intermediate certificates) into the SSL Certificate Chain box, and the private key PEM file text into the SSL Private Key box, and restart VPOP3
  • if you are using VPOP3 Enterprise v2.6 to v6.7, put the private key PEM file into the VPOP3 directory as vpop3sslk.pem and the certificate PEM file into the VPOP3 directory as vpop3sslc.pem. Then, restart VPOP3 for it to detect the files.

Using STARTTLS

Enabling STARTTLS is as simple as going to the Services → General page in the settings and choosing 'None/STARTTLS' (for either plain or STARTTLS) or 'STARTTLS' (for forced STARTTLS) from the options in the Encryption column.

As previously mentioned, if you want to allow incoming SMTP, then the SMTP service on port 25 should have 'None/STARTTLS' chosen.

If you wish to force encryption for your local users, you can create a second SMTP service, using port 587 (the SMTP Submission port) with 'STARTTLS' chosen. Require SMTP authentication on this service, and restriction the IP addresses accordingly.

Using SSL

In VPOP3 Enterprise, you can create multiple POP3 & SMTP servers. So, we suggest that you add a new POP3 server, and put it on port 995, with 'SSL' chosen as the encryption method, and a new SMTP server, on port 465, with 'SSL' chosen.

To add a new service press the Add POP3 Server or Add SMTP Server at the bottom of the Services → General page in the VPOP3 settings.

Encrypting Webmail/Admin

Once you have installed the certificate as above, go to Services → Webmail Server → General

Set Encryption to SSL or Auto-Detect

  • If you set it to SSL then VPOP3 will force the connection to use SSL ('https'). If a non-encrypted session is attempted to the webmail port, then VPOP3 will automatically redirect it to a 'https:' connection.
  • If you set it to Auto-Detect then VPOP3 will allow either SSL or non-encrypted connections (on the same port)

Note that you can change the port to 443 to allow simpler connections (as in the screenshot above) - but only as long as there are no other https servers on the same IP address as the VPOP3 webmail service.

Note that if you use the SSL setting, the built-in redirection only works from the webmail port. So, if you have the port set to 443, then going to http://<server> will not automatically redirect to https://<server>, because http uses port 80, and https uses port 443. If you want this redirection (which can be useful) you will need to configure a suitable redirection in another web server (eg IIS). If you have your VPOP3 server hosted with us, then we will have set that redirection up for you already.

how_to/encrypt_sessions.txt · Last modified: 2018/11/14 10:45 (external edit)