MSSL User Note #17b

Converting to encrypted, authenticated mail at MSSL

Paul Lamb v1.1a 2-Jul-2004
updated ajf v1.2 17-11-2011

IMAPS is a secure, encrypted and authenticated form of the IMAP protocol. It can be used to read mail from off site (i.e. through the firewall) and from our wireless network. Similarly, outgoing mail can be sent using the secure smtps and msa protocols.

The outgoing mail server password

THIS IS IMPORTANT - PLEASE READ ...

This service allows users to relay mail from off-site via our mail servers. Off-site relaying is a facility much loved by spammers who constantly target and compromise vulnerable relays. The risk of this is clearly much greater when outside the firewall.

Please be aware that the risk of compromise is high with a consequent risk of MSSL being blacklisted as a spam relay: this would effectively stop our ability to use outgoing mail.

Access to this service is therefore password protected. Computing will provide the username and password to MSSL personnel on request on the following conditions:-

Windows systems must be regularly patched (Run Windows update).

Anti-virus software must be installed and kept up to date (see http://www.mssl.ucl.ac.uk/fom-entry/78.html).

The username and password must not be divulged (not even to other MSSL personnel).

In the event of a security breach everyone's access to the service will be suspended and will remain suspended until we can implement an individual authentication method.

You need to request the outgoing password here.

If you are installing a new account or adding an account, use this guide: http://www.mssl.ucl.ac.uk/www_computing/buns/imap.html


Re-Configuring Thunderbird for encrypted mail

It is assumed that Thunderbird has already been correctly set up for unencrypted mail.

From the Thunderbird menu bar select Tools, then Account Settings

Select "USERNAME@mssl.ucl.ac.uk" (e.g. ajf@mssl.ucl.ac.uk)

Check that your full name, your email address and "Mullard Space Science Laboratory, UCL" appear in the appropriate fields.
Select "Server Settings"

The server name MUST be imaps.mssl.ucl.ac.uk

Check your username.

Enable "Use secure connection (SSL)"

Ensure that the port is 993

DISABLE "Use secure authentication" (Don't worry about this: the authentication is secured by the SSL encryption.)

Select "Outgoing Server (SMTP)"

The server name MUST be mailhub.mssl.ucl.ac.uk

Enable "Use name and password". This username and password will be provided by Computing provided you accept the conditions of use (see the second section above).

Under "Use secure connection" select "STARTTLS"

Ensure that the port changes to 587.

Click "OK".

Test mail reading using "Get Msgs". You will be prompted for a password for imaps.mssl.ucl.ac.uk; give your Linux/imap/mail password.

A dialogue box will appear saying "unable to verify the identity of imaps.mssl.ucl.ac.uk as a trusted site". Click "View" to examine the certificate, then click "accept this certificate permanently" then "OK".

Test mail sending by selecting "Compose", complete the message then select "Send". You will be prompted for a password for mailhub.mssl.ucl.ac.uk; give the outgoing mail service password (see above). Accept the offered certificate.
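Before accepting either certificate permanently, the fingerprint shown under "View" can be compared with one obtained separately. The script below is an added example, not part of the original note or MSSL's own tooling; it assumes Computing can give you the expected SHA-256 fingerprints by a separate channel, and its function names are illustrative.

```python
import hashlib
import hmac
import smtplib
import socket
import ssl
import sys

# Hosts and ports are the ones given in this note.
IMAPS = ("imaps.mssl.ucl.ac.uk", 993)   # TLS from the first byte
MSA = ("mailhub.mssl.ucl.ac.uk", 587)   # plain SMTP upgraded with STARTTLS


def fetch_der(host, port, starttls=False, timeout=10):
    """Return the certificate the server presents, as DER bytes."""
    # Chain validation is off on purpose: the certificate is not yet trusted
    # by the client, so the fingerprint comparison below is the check.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert(binary_form=True)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form certificate viewers show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(der, expected):
    """True only if `expected` is a full SHA-256 fingerprint of `der`."""
    want = expected.replace(":", "").replace(" ", "").strip().lower()
    got = hashlib.sha256(der).hexdigest()
    return len(want) == 64 and hmac.compare_digest(got.encode(), want.encode())


if __name__ == "__main__":
    # Usage: check_cert.py <imaps fingerprint> <mailhub fingerprint>
    # Assumption: the expected values were obtained from Computing by a
    # separate channel, not over the connection being checked.
    for (host, port), starttls, expected in ((IMAPS, False, sys.argv[1]),
                                             (MSA, True, sys.argv[2])):
        der = fetch_der(host, port, starttls)
        verdict = "match" if matches(der, expected) else "MISMATCH, do not accept"
        print(f"{host}:{port}  {fingerprint(der)}  {verdict}")
```

A truncated or partial fingerprint is treated as a mismatch, so only a full 64-hex-digit value can produce "match".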

You will be warned periodically about the above certificates being unverifiable. When you are convinced that encrypted mail is working, read and follow these instructions concerning the MSSL Certification Authority.