Previous revision: how_to:encrypt_sessions [2011/11/02 09:17] – [Encrypting Webmail/Admin] paul
Current revision: how_to:encrypt_sessions [2018/11/14 10:45] (current) – external edit 127.0.0.1

======How To Encrypt Sessions======
VPOP3 Enterprise 2.6 and later supports SSL/STARTTLS encrypted sessions to VPOP3 itself, so the email client or web browser encrypts the data passed to VPOP3 and it cannot be read if intercepted.

This requires an [[create an ssl certificate|SSL Certificate]] to be created for VPOP3.

VPOP3 supports two methods of encryption:
  - SSL - this is an old method of encrypting sessions which is not supported by the standards. However, some popular email clients such as Microsoft Outlook & Outlook Express only support this method. Other email clients such as Mozilla Thunderbird also support it for backward compatibility. SSL connections are usually made on a different TCP port from normal (e.g. POP3 is on port 110, POP3S is on port 995). SSL connections are encrypted from the start, so any connection on that port MUST be encrypted.
  - STARTTLS (called 'TLS' in older versions of VPOP3) - this is the encryption method supported by the standards. It is supported by the more modern email clients such as Mozilla Thunderbird, Opera, etc. Older versions of Outlook & Outlook Express do not support this method, but recent versions of Outlook do. STARTTLS connections are made on the same port as normal (e.g. port 110 for POP3). A STARTTLS connection starts off unencrypted; the client then tells the server it wants an encrypted session, and from that point the connection is encrypted. With STARTTLS you can tell VPOP3 either to allow both plain and encrypted sessions, or to require encrypted sessions.

STARTTLS encryption can be used for incoming SMTP connections if the sending SMTP server supports STARTTLS as well as the receiving server. SSL encryption cannot be used for incoming SMTP connections. For any SMTP service which allows incoming connections, you **must** allow either encrypted or plain sessions, or some mail senders will not be able to send mail to you.

STARTTLS is the recommended method of encrypting data for POP3, SMTP and IMAP4; however, if you have to support Microsoft Outlook Express or old versions of Microsoft Outlook for some reason, then you will have to use the deprecated SSL method as well.

=====Installing a certificate=====
Before you can use STARTTLS or SSL on one of the VPOP3 services you must create and install the certificate.

There are several ways to [[create an SSL certificate|create a certificate]].

Once you have one:

  * if you are using VPOP3 Enterprise v6.8 or later, go to Services -> General -> SSL Settings in the VPOP3 settings and copy/paste the certificate PEM file text (and any required intermediate certificates) into the **SSL Certificate Chain** box, and the private key PEM file text into the **SSL Private Key** box, then restart VPOP3
  * if you are using VPOP3 Enterprise v2.6 to v6.7, put the private key PEM file into the VPOP3 directory as **vpop3sslk.pem** and the certificate PEM file into the VPOP3 directory as **vpop3sslc.pem**. Then, restart VPOP3 for it to detect the files.

=====Using STARTTLS=====
Enabling STARTTLS is as simple as going to the **Services -> General** page in the settings and choosing 'None/STARTTLS' (for either plain or STARTTLS) or 'STARTTLS' (for forced STARTTLS) from the options in the Encryption column.

As previously mentioned, if you want to allow incoming SMTP, then the SMTP service on port 25 should have 'None/STARTTLS' chosen.

If you wish to force encryption for your local users, you can create a second SMTP service, using port 587 (the SMTP Submission port) with 'STARTTLS' chosen. Require SMTP authentication on this service, and restrict the IP addresses accordingly.
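The 'None/STARTTLS' versus forced 'STARTTLS' behaviour described above can be checked from the outside once the services are configured. The following is an added example, not part of this page or of VPOP3: a small Python probe that talks plain POP3 on port 110, reads CAPA, tries a login before STLS, and in a second session performs the STLS upgrade with certificate verification. The host name and the assumption that a forced 'STARTTLS' service answers USER with -ERR until the session is encrypted are mine, not from the VPOP3 documentation; the same idea applies to the SMTP services using EHLO/STARTTLS.

```python
import socket
import ssl

def read_line(sock):
    """Read one CRLF-terminated POP3 reply line."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf[:-2].decode("ascii", "replace")

def read_capa(sock):
    """Send CAPA and return the advertised capability names (empty if unsupported)."""
    sock.sendall(b"CAPA\r\n")
    if not read_line(sock).startswith("+OK"):
        return set()
    caps = set()
    while (line := read_line(sock)) != ".":
        caps.add(line.split()[0].upper())
    return caps

def plaintext_probe(sock):
    """Unencrypted session: is STLS offered, and is a login accepted before STLS?
    Assumption: a forced 'STARTTLS' service answers USER with -ERR until encrypted."""
    read_line(sock)                                   # server greeting
    stls_offered = "STLS" in read_capa(sock)
    sock.sendall(b"USER probe\r\n")                   # constructed probe user name
    login_allowed = read_line(sock).startswith("+OK")
    sock.sendall(b"QUIT\r\n")
    return {"stls_offered": stls_offered, "plaintext_login_allowed": login_allowed}

def classify(result):
    """Map the probe result onto the Encryption column settings described on this page."""
    if not result["stls_offered"]:
        return "None (plain only)"
    return "None/STARTTLS" if result["plaintext_login_allowed"] else "STARTTLS (forced)"

def upgrade_with_stls(host, port=110):
    """Second session: issue STLS and upgrade, verifying the installed certificate chain."""
    ctx = ssl.create_default_context()                # use load_verify_locations() for a self-signed cert
    with socket.create_connection((host, port), timeout=10) as raw:
        read_line(raw)                                # server greeting
        raw.sendall(b"STLS\r\n")
        if not read_line(raw).startswith("+OK"):
            raise RuntimeError("server refused STLS")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"QUIT\r\n")
            return tls.version()                      # negotiated protocol version
```

Run `classify(plaintext_probe(socket.create_connection((host, 110))))` against each POP3 service and `upgrade_with_stls(host)` to confirm the upgrade and the certificate chain, using your own VPOP3 host name. With 'None/STARTTLS' the plaintext path stays open, so clients must be set to require STARTTLS rather than merely use it when offered.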
  
=====Using SSL=====
how_to/encrypt_sessions.1320225457.txt.gz · Last modified: 2018/11/14 10:44 (external edit)