
This is an old revision of the document!


How To Encrypt Sessions

VPOP3 Enterprise 2.6 and later supports SSL/TLS encrypted sessions to VPOP3 itself. The email client or web browser encrypts the data it passes to VPOP3, so the data cannot be read if it is intercepted.

This requires an SSL Certificate to be created for VPOP3.

VPOP3 supports two methods of encryption:

  1. SSL - this is an old method of encrypting sessions which is not supported by the standards. However, some popular email clients such as Microsoft Outlook and Outlook Express only support this method. Other email clients such as Mozilla Thunderbird also support it for backward compatibility. SSL connections are usually made on a different TCP port from normal (e.g. POP3 is on port 110, POP3S is on port 995). SSL connections are encrypted from the start, so any connection on that port MUST be encrypted.
  2. TLS - this is the encryption method supported by the standards. It is supported by the more modern email clients such as Mozilla Thunderbird, Opera, etc. Outlook and Outlook Express do not currently support this method. TLS connections are carried out on the same port as normal (e.g. port 110 for POP3). A TLS connection starts off unencrypted, then the client tells the server it wants an encrypted session, and the session becomes encrypted. With TLS you can tell VPOP3 either to allow both plain and encrypted sessions, or to require encrypted sessions.

TLS encryption can be used for incoming SMTP connections, if the sending SMTP server supports TLS as well as the receiving server. SSL encryption cannot be used for incoming SMTP connections. For any SMTP server which allows incoming connections, you must allow either encrypted or plain sessions, or some mail senders will not be able to send mail to you.

TLS is the recommended method for encrypting data for POP3, SMTP and IMAP4. However, if you have to support Microsoft Outlook or Outlook Express for some reason, you will have to use the deprecated SSL method as well.

Installing a certificate

Before you can use TLS or SSL on one of the VPOP3 services you must create and install the certificate.

There are several ways to create a certificate.

Once you have one, put the private key PEM file into the VPOP3 directory as vpop3sslk.pem and the certificate PEM file into the VPOP3 directory as vpop3sslc.pem. Then, restart VPOP3 for it to detect the files.

Using TLS

Enabling TLS is as simple as going to the Services → General page in the settings and choosing 'None/TLS' (for either plain or TLS) or 'TLS' (for forced TLS) from the options in the Encryption column.

As previously mentioned, if you want to allow incoming SMTP, then the SMTP service on port 25 should have 'None/TLS' chosen.

If you wish to force encryption for your local users, you can create a second SMTP service, using port 587 (the SMTP Submission port) with 'TLS' chosen. Require SMTP authentication on this service, and restrict the IP addresses accordingly.
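
One way to check from a client that the SMTP services behave as configured above (port 25 on 'None/TLS', port 587 on 'TLS'), as an added example that is not part of VPOP3 or its documentation. It assumes a service set to 'TLS' refuses a pre-TLS MAIL command with a reply that mentions TLS, as RFC 3207 recommends; the function names, the audit.invalid addresses and the stub server are made up for the example.

```python
import smtplib
import socketserver
import threading

def smtp_tls_mode(host, port, timeout=5):
    """Name the Encryption setting a service appears to use, probing without TLS."""
    with smtplib.SMTP(host, port, local_hostname="audit.invalid",
                      timeout=timeout) as smtp:
        smtp.ehlo()
        offered = smtp.has_extn("starttls")
        # Open a mail transaction in the clear, then abandon it.
        code, reply = smtp.mail("probe@audit.invalid")
        if code == 250:
            smtp.rset()
    if code == 250:
        return "None/TLS" if offered else "None"
    # Assumption: a forced-TLS refusal mentions TLS in its text. Code 530 alone
    # is not enough, because it can also mean "authentication required".
    return "TLS" if offered and b"tls" in reply.lower() else "unclear"

def audit(host, expected):
    """Return {port: (expected, found)} for each service that deviates."""
    found = {port: smtp_tls_mode(host, port) for port in expected}
    return {p: (expected[p], found[p]) for p in expected
            if found[p] != expected[p]}

def stub_server(mail_reply):
    """Constructed stand-in for a mail server so the example runs offline."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            self.wfile.write(b"220 stub ESMTP\r\n")
            for line in self.rfile:
                verb = line[:4].upper()
                if verb == b"QUIT":
                    self.wfile.write(b"221 bye\r\n")
                    return
                if verb == b"EHLO":
                    self.wfile.write(b"250-stub\r\n250 STARTTLS\r\n")
                else:
                    self.wfile.write(mail_reply if verb == b"MAIL" else b"250 OK\r\n")
    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]

if __name__ == "__main__":
    # Against a real server: audit("mail.example.invalid", {25: "None/TLS", 587: "TLS"})
    relay = stub_server(b"250 OK\r\n")
    submission = stub_server(b"530 Must issue a STARTTLS command first\r\n")
    print(audit("127.0.0.1", {relay: "None/TLS", submission: "TLS"}))
```

A result of "unclear" means the service refused the plain transaction for a reason the reply text does not tie to TLS, such as required authentication, and needs a manual look.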

Using SSL

In VPOP3 Enterprise, you can create multiple POP3 & SMTP servers. So, we suggest that you add a new POP3 server, and put it on port 995, with 'SSL' chosen as the encryption method, and a new SMTP server, on port 465, with 'SSL' chosen.

To add a new service, press Add POP3 Server or Add SMTP Server at the bottom of the Services → General page in the VPOP3 settings.

how_to/encrypt_sessions.1265191037.txt.gz · Last modified: 2018/11/14 10:44 (external edit)