Email Authentication and Encryption


This topic causes annoyance on a regular basis for many, including ourselves. Here are some tips on keeping your email secure with a minimum of hassle.

Why should I use email authentication and encryption?

When you send or receive email, the first step is to authenticate yourself with the mail server. This involves sending your username (email address) and password, which are checked to make sure that you are who you say you are. Historically, it was common for the password to be sent as plain text. When any kind of data is sent across a network connection, there is a small possibility that it can be intercepted, and your password can be read from the data stream. Cybercafes and free wi-fi hotspots are notorious for lax security – you never know who might be eavesdropping on the traffic to and from your device, whether it’s a laptop, PC, tablet or smartphone.

A sensible precaution is to encrypt the conversation and there are a couple of ways of doing that.

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are our two best friends when we want to keep our stuff private and safe from the opportunist hacker.

How do I use TLS/SSL?

[Image: SSL warning]

If you use Webmail (https://yourdomain.com/webmail), your browser will display a security warning. This is the annoying part! If you are a large, rich company with hundreds of employees and users, you’ll probably be able to afford your own SSL certificate for your domain. Certificates are quite expensive and have to be renewed every 12 months. Because we are a small company (and many of our clients are small companies) we share a single SSL certificate with all our clients. The problem is, this certificate is only considered valid for ds.lunariaweb.com. Fear not! You can still accept it (sometimes called ‘creating an exception’) and TLS/SSL will work.

If, instead of webmail, you use a mail program on your PC/laptop/tablet/smartphone, the options vary, but most mail programs (e.g. Outlook, Apple Mail, iMail, Thunderbird) will give you an option to connect using TLS/SSL. If you pick that option, your mail program will probably give you the same kind of warning that your web browser does when you use webmail. Just accept the warning or create an exception and off you go. Some Android phones have an option to “accept any certificate” so you should choose that if you can.

Why does it keep asking me to accept the certificate each time I connect?

You probably haven’t stored the shared certificate or created an exception. Read the message and click carefully.

It works fine but every once in a while I get the certificate warning

We have to reset the certificate every 12 months, so you’ll get the warning at least that often. Also, because of the Heartbleed vulnerability, we’ll be resetting the certificate in the next few weeks or so, as a precaution. Sadly, lots of other companies have had to do the same.

Do I have to connect with TLS/SSL?
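The two situations above (a warning because the shared certificate is only valid for ds.lunariaweb.com, and a fresh warning after a certificate reset) can be told apart by comparing certificate fingerprints. The following is an added example, not code from this provider: the function names, the use of port 993 and the placeholder certificate bytes are assumptions made for illustration.

```python
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form mail clients display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 993) -> bytes:
    """Read the server's certificate without trusting it. Only the TLS
    handshake happens; no password is sent. Port 993 is an assumption."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leftmost '*' label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))


def assess(host, cert_names, der, stored_fp=None):
    """Classify a certificate prompt for `host`.
    cert_names: DNS names listed in the certificate.
    stored_fp: fingerprint saved when the exception was created, or None."""
    if any(name_matches(n, host) for n in cert_names):
        return "valid"            # name matches, no warning expected
    if stored_fp is None:
        return "first-use"        # nothing stored yet to compare against
    if fingerprint(der) == stored_fp:
        return "known-exception"  # same shared certificate as before
    return "changed"              # expected after a reset, otherwise query it


# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_CERT = b"constructed placeholder: shared certificate before reset"
NEW_CERT = b"constructed placeholder: shared certificate after reset"
SHARED_NAMES = ["ds.lunariaweb.com"]  # the name the page gives for the shared certificate

if __name__ == "__main__":
    saved = fingerprint(OLD_CERT)
    for host, der in [("ds.lunariaweb.com", OLD_CERT),
                      ("yourdomain.com", OLD_CERT), ("yourdomain.com", NEW_CERT)]:
        print(host, assess(host, SHARED_NAMES, der, saved))
```

A "changed" result outside the reset periods described above is the case worth raising with the provider before accepting the new certificate.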

If using webmail, yes. We force you to do that, sorry. If you use a mail program, TLS/SSL is optional, but you still have to send your password before you can connect and if you don’t use encryption, you run the risk of your password being sniffed out. If a hacker gets access to your mailbox, all sorts of bad things can happen, so better to be on the safe side.

Questions?

Just email us: [email protected]