This shows you the differences between two versions of the page.
how_to:encrypt_sessions [2014/06/16 09:43] – [Installing a certificate] paul | how_to:encrypt_sessions [2018/11/14 10:45] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
======How To Encrypt Sessions====== | ======How To Encrypt Sessions====== | ||
- | VPOP3 Enterprise 2.6 and later supports SSL/TLS encrypted sessions to VPOP3 itself. So, the email client or web browser will encrypt the data passed to VPOP3 so it cannot be intercepted. | + | VPOP3 Enterprise 2.6 and later supports SSL/STARTTLS |
This requires an [[create an ssl certificate|SSL Certificate]] to be created for VPOP3. | This requires an [[create an ssl certificate|SSL Certificate]] to be created for VPOP3. | ||
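Review bot: On the intro line, "SSL/STARTTLS" pairs a protocol name with a command name, which reads as though STARTTLS were a separate encryption scheme from TLS. STARTTLS is the command that upgrades a plain-text session to TLS, so wording such as "supports encrypted sessions, either on a dedicated SSL port or negotiated with STARTTLS" would say the same thing without that ambiguity.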
Line 6: | Line 6: | ||
VPOP3 supports two methods of encryption: | VPOP3 supports two methods of encryption: | ||
- SSL - this is an old method of encrypting sessions which is not supported by the standards. However, some popular email clients such as Microsoft Outlook & Outlook Express only support this method. Other email clients such as Mozilla Thunderbird also support this for backward compatibility. SSL connections are usually done on a different TCP port from normal (eg POP3 is on port 110, POP3S is on port 995). SSL connections are encrypted from the start, so any connections on that port MUST be encrypted. | - SSL - this is an old method of encrypting sessions which is not supported by the standards. However, some popular email clients such as Microsoft Outlook & Outlook Express only support this method. Other email clients such as Mozilla Thunderbird also support this for backward compatibility. SSL connections are usually done on a different TCP port from normal (eg POP3 is on port 110, POP3S is on port 995). SSL connections are encrypted from the start, so any connections on that port MUST be encrypted. | ||
- | - TLS - this is the encryption method supported by the standards. This is supported by the more modern email clients such as Mozilla Thunderbird, | + | - STARTTLS |
- | TLS encryption can be used for incoming SMTP connections, | + | STARTTLS |
- | TLS is the recommended method for encryption data for POP3, SMTP and IMAP4, however if you have to support Microsoft Outlook or Outlook | + | STARTTLS |
=====Installing a certificate===== | =====Installing a certificate===== | ||
- | Before you can use TLS or SSL on one of the VPOP3 services you must create and install the certificate. | + | Before you can use STARTTLS |
There are several ways to [[create an SSL certificate|create a certificate]]. | There are several ways to [[create an SSL certificate|create a certificate]]. | ||
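Review bot: In the "two methods of encryption" list only the second bullet is renamed, so the unchanged first bullet ("SSL - this is an old method of encrypting sessions") now contrasts a protocol name with the STARTTLS command rather than two connection modes. Suggest rewording the first bullet to describe it as encryption from the start of the connection on a separate port (it already gives POP3S on port 995 as the example) and stating which protocol versions VPOP3 negotiates in each mode, so the choice between the two is about how the session starts, not about which one is "old".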
Line 22: | Line 22: | ||
* if you are using VPOP3 Enterprise v2.6 to v6.7, put the private key PEM file into the VPOP3 directory as **vpop3sslk.pem** and the certificate PEM file into the VPOP3 directory as **vpop3sslc.pem**. Then, restart VPOP3 for it to detect the files. | * if you are using VPOP3 Enterprise v2.6 to v6.7, put the private key PEM file into the VPOP3 directory as **vpop3sslk.pem** and the certificate PEM file into the VPOP3 directory as **vpop3sslc.pem**. Then, restart VPOP3 for it to detect the files. | ||
- | =====Using | + | =====Using |
- | Enabling | + | Enabling |
- | As previously mentioned, if you want to allow incoming SMTP, then the SMTP service on port 25 should have 'None/TLS' chosen. | + | As previously mentioned, if you want to allow incoming SMTP, then the SMTP service on port 25 should have 'None/STARTTLS' chosen. |
- | If you wish to force encryption for your local users, you can create a second SMTP service, using port 587 (the SMTP Submission port) with 'TLS' chosen. Require SMTP authentication on this service, and restriction the IP addresses accordingly. | + | If you wish to force encryption for your local users, you can create a second SMTP service, using port 587 (the SMTP Submission port) with 'STARTTLS' chosen. Require SMTP authentication on this service, and restriction the IP addresses accordingly. |
=====Using SSL===== | =====Using SSL===== |
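Review bot: The port 25 sentence recommends 'None/STARTTLS' without saying that, as the option name indicates, a session on that service stays unencrypted when the connecting side does not issue STARTTLS. Add a sentence making that explicit so readers do not assume all incoming SMTP is encrypted, and contrast it with the port 587 service set to 'STARTTLS', where encryption is forced. The port 587 sentence also carries "restriction the IP addresses" over to the new side; it should read "restrict the IP addresses".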