Secure email - when can we use ssl with imap/pop3 and smtp email?
Secure email - when can we use ssl with imap/pop3 and smtp email?
Currently, while we can use smtp authentication for email (although limited to the primary account details and not individual accounts), email pickup or sending is not secure - I.e. It is not encrypted.
When will Plusnet fix this significant deficiency? It makes remote pickup of email by the likes of iPhones, smart phones etc very insecure.
Regards
Neil
Currently, while we can use smtp authentication for email (although limited to the primary account details and not individual accounts), email pickup or sending is not secure - I.e. It is not encrypted.
When will Plusnet fix this significant deficiency? It makes remote pickup of email by the likes of iPhones, smart phones etc very insecure.
Regards
Neil
Quote from: neils Secure email - when can we use ssl with imap/pop3 and smtp email?
The last time I looked into this, the situation was as per the information in my post here. Having said that, there was a short period of time during which we had SSL enabled on the outbound servers. It was with a self-signed SSL cert though and IIRC caused more problems and confusion than it was worth.
Due to the number of listening daemons we have now, we'd need about 30 SSL certs in order to deliver what's being asked of the inbound platform. If I'm honest, I suspect the business will struggle to justify the benefit of doing this once all of the costs are considered
Hi Bob,
This can't still be the case can it?
GoDaddy.co.uk are now offering unlimited sub-domain ssl certs at less than £120 a year or alternatively certs that cover 30 domains at less than £250.
As you said in the other thread, ssl/tls was turned on before for e-mail so the cost to the business of offering the service must have been evaluated then and been acceptable, so as the cost of the certs is now acceptable (and lets face it if £250 is a worry to a business then the customers of that business should be very worried) is there any reason for not offering this much requested service?
Regards,
Ian.
Quote from: Bob Due to the number of listening daemons we have now, we'd need about 30 SSL certs in order to deliver what's being asked of the inbound platform. If I'm honest, I suspect the business will struggle to justify the benefit of doing this once all of the costs are considered
This can't still be the case can it?
GoDaddy.co.uk are now offering unlimited sub-domain ssl certs at less than £120 a year or alternatively certs that cover 30 domains at less than £250.
As you said in the other thread, ssl/tls was turned on before for e-mail so the cost to the business of offering the service must have been evaluated then and been acceptable, so as the cost of the certs is now acceptable (and lets face it if £250 is a worry to a business then the customers of that business should be very worried) is there any reason for not offering this much requested service?
Regards,
Ian.
Quote from: Bob
Quote from: neils Secure email - when can we use ssl with imap/pop3 and smtp email?
The last time I looked into this, the situation was as per the information in my post here. Having said that, there was a short period of time during which we had SSL enabled on the outbound servers. It was with a self-signed SSL cert though and IIRC caused more problems and confusion than it was worth.
Due to the number of listening daemons we have now, we'd need about 30 SSL certs in order to deliver what's being asked of the inbound platform. If I'm honest, I suspect the business will struggle to justify the benefit of doing this once all of the costs are considered
Bob,
How about one SSL for say one box with an address secure.smtp.plus.net?
Quote from: sl500 It's the only mail server I connect to that doesn't have any security, even clear text authentication?
Try changing the password on one of your mailboxes and see what happens when you try to connect via IMAP - you'll either not get in or be prompted to enter the new password!
So why did you post saying
All we were doing was pointing out that the Plusnet IMAP servers do require clear text authentication.
In the other direction, sending messages doesn't require any authentication - if you are connected to the Plusnet network. If you are connected via a different ISP or mobile network clear text authentication is required.
Quote from: sl500 It's the only mail server I connect to that doesn't have any security, even clear text authentication?
All we were doing was pointing out that the Plusnet IMAP servers do require clear text authentication.
In the other direction, sending messages doesn't require any authentication - if you are connected to the Plusnet network. If you are connected via a different ISP or mobile network clear text authentication is required.
Quote from: Bob
Quote from: neils Secure email - when can we use ssl with imap/pop3 and smtp email?
The last time I looked into this, the situation was as per the information in my post here. Having said that, there was a short period of time during which we had SSL enabled on the outbound servers. It was with a self-signed SSL cert though and IIRC caused more problems and confusion than it was worth.
Due to the number of listening daemons we have now, we'd need about 30 SSL certs in order to deliver what's being asked of the inbound platform. If I'm honest, I suspect the business will struggle to justify the benefit of doing this once all of the costs are considered
I was helping someone set-up their mail account on Plusnet as I had recommended them to you several years ago and BT are now forcing users who don't have BB with them to pay if they want to keep an address/account at their e-mail servers.
To my horror you *STILL* have not fixed the SSL / STARTTLS / etc. security issue, and you are reported as promising to do so here: http://www.theregister.co.uk/2007/05/24/plusnet_takes_blame years ago.
Do you not realise that there are simple tools which anyone can download to a laptop and capture Plusnet (and others - granted) e-mail account names and passwords at any WiFi hotspot and that is almost certainly contributed to the blacklisting of your mail servers from the posts about people's e-mail accounts being compromised. Bear in mind that the way your systems are set-up - those account names and passwords will almost certainly be the login details to your customer's Control Panels and account information at your server..
I was seriously embarrassed at having to explain the lack of security that you provide.
I didn't raise this as a new topic as part of the disgrace is how long this has been outstanding!...
Surprised you didn't point out this post (and it's date):
Quote from: Bob Hi guys,
You'll be pleased to hear that SSL on the mail collection platform should be pretty easy to implement since we put new load balancers in front of the mail platform. Speaking to our Net-Ops Team the consensus is that we just need need to enable SSL on the load balancers and offload that to the mail collection servers.
Our engineers have endeavoured to take a look at this over the coming months when (if?) they have free time between project work. No guarantees as I know they've got a data centre migration to contend with during that time, but if we do get the opportunity then we'll certainly try our best to make some headway on this.
It's worth noting that we probably wouldn't be able to enable this for Madasafish POP3 at the moment as we still need to migrate the POP3 collection platform over onto the Plusnet network.