Forum Discussion

ravenstar68's avatar
ravenstar68
Very Insightful Person
11 years ago

Re: Ravenstar's Email FAQ's

This is a plea for everyone to upgrade their email settings to use the SSL ports when collecting and sending mail.

 

 

Old standards

When the mail protocols were created in the 1980's the internet was a much smaller and much less hostile place.

As such little thought was given in the original standards to security of logins and passwords.

 

This meant that when you sent an email username and password to log in to your mail server they are actually visible to anyone who can eavesdrop on the web traffic.

 

Consider the exchange here between a pop3.blueyonder.co.uk and myself. (Server resonses are in red)

 

telnet pop3.blueyonder.co.uk 110

+OK Virgin Media POP3 server ready [ e4c558782BY ].
user myaddress@blueyonder.co.uk
+OK send PASS
pass mypassword
+OK Welcome.
quit
+OK Farewell.

 

Obviously I'm not posting my real address and password on here. ;)

 

The point here is, that although I am using telnet here to connect to the server - your mail client does exactly the same thing.  And the username and password is sent as you see them on the screen.

 

Collecting your email from home - the risks might not seem that great, but when you start to use public wifi with phones/tablets and Laptops logging in to grab mail when they connect the risks go up.

 

While many email servers support MD5 passwords which would offer some protection.  Most email providers still use clear text authentication.

 

Addressing the Weakness

The email standards were updated to take account of this vulnerability as long ago as 1999 with TLS (Previously known as SSL) being added.  This required new ports 995 for POP3, 993 for IMAP and 465 for SMTP - the last while still in use has actually been deprecated in favour of port 587 using StartTLS.

 

The outcome of this change is that email providers can use clear text authentication safely as the connection is now encrypted so usernames and passwords are protected from prying eyes.

 

Virginmedia.com and SSL

On it's own named servers Virginmedia has been using SSL more or less ever since it took over the mantle.  By those I mean:-

pop3.virginmedia.com  - Port 995 SSL

imap.virginmedia.com  - Port 993 SSL

smtp.virginmedia.com   - Port 465 SSL

 

These are the ONLY settings that these servers can use. So with these there is no issue regarding security.

 

Users of the legacy servers however have a choice.  Virgin chose not to enforce the changes upon users of those servers, in order to prevent Tech support headaches,  and after witnessing the furore caused by the recent issue with smtp authentication - who can blame them.

 

Just because you can continue to use the old settings though, it doesn't mean you should do so.

 

People might argue that so long as it works there's no need to change.  However would you leave your front door open.  most people wouldn't

 

To a hacker people surfing the net using insecure settings is as bad as leaving the door open.

 

In most cases changing ports is fairly painless.  The server names themselves don't need to change.

 

With that in mind I would urge everyone using blueyonder, ntlworld, and virgin.net to check ALL their email clients and update them.  Virgin have posted the updated settings as long ago as 2011.  Make 2015 the year you close one door to would be hackers.

 

Ravenstar68